
AlmaLinux & Apache 2.4 & CVE-2021-42013 (+ other CVEs)

I have a small Apache webserver that was CentOS but is now AlmaLinux 8, and I've been trying to update httpd via dnf to protect against the recently disclosed vulnerabilities: https://httpd.apache.org/security/vulnerabilities_24.html

Numerically, the machine's httpd version number never exceeds 2.4.37, but I've read elsewhere that RHEL backports CVE fixes to each Apache version that aligns to their OS release.

Questions

  1. Does AlmaLinux do the same thing?

  2. How long does it take to actually get the fix to be rolled out?

FYI:

rpm -q --changelog httpd | grep CVE-2021 returns no results.

httpd -v returns Server version: Apache/2.4.37 (AlmaLinux)

The last CVE I can see on the RHPE is CVE-2021-40438 (https://access.redhat.com/errata/RHSA-2021:3754). Does AlmaLinux have anything like this, or does it use the same thing?

~~ Edit ~~

After an update today, rpm -q --changelog httpd | grep CVE-2021 now returns:

Resolves: #2007234 - CVE-2021-40438 httpd:2.4/httpd: mod_proxy: SSRF via
Resolves: #2007646 - CVE-2021-26691 httpd:2.4/httpd: Heap overflow in

FYI:

CVE-2021-40438: Update 2.4.49 - released: 2021-09-16

CVE-2021-26691: Update 2.4.48 - released: 2021-06-01

Seems that they're cherry picking CVEs to include.


AlmaLinux is a 1:1 binary-compatible downstream of RHEL, so packages that get patched in RHEL will be patched in AlmaLinux also, usually with a delay of 1 business day.

https://wiki.almalinux.org/Comparison.html

As you mentioned yourself, you can use rpm -q --changelog PackageName | grep CVE to see if a certain CVE is resolved in a package.

Packages in AlmaLinux come from RHEL, but get some small modifications before being made available in AlmaLinux.

https://wiki.almalinux.org/development/Packaging.html

Mark: Ok thanks. I don't suppose you'd know why an "urgent, patch now" Apache issue wouldn't even have an errata listing with RHEL, would you?
@Mark if you are referring to CVE-2021-42013 it doesn't seem to affect httpd that ships on RHEL https://access.redhat.com/security/cve/cve-2021-42013
Mark: Yes, that was one of the many that I saw on the Apache security page. I went looking for that one specifically and saw a number of them that were important, and didn't look at the related minimum versions. But that's good to know :) thank you.
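As an added example (not part of the original question, the answer or the AlmaLinux project), the script below wraps the check the answer describes, rpm -q --changelog PackageName | grep CVE, in a few shell functions: it lists every CVE id a changelog mentions and reports, per CVE, whether the backport is referenced. When rpm is missing or the package is not installed it falls back to a constructed sample changelog built from the two lines quoted in the question, so it runs anywhere; the header line of that sample (date, packager, release) is made up. A miss is reported as "check the vendor CVE page" rather than "vulnerable", because, as the comment above notes for CVE-2021-42013, the shipped build may simply not be affected.

```shell
#!/bin/sh
# Added example: check an RPM package's changelog for CVE identifiers.
# Sample changelog constructed from the two "Resolves:" lines in the question;
# the header line (date, packager, release) is invented.
SAMPLE_CHANGELOG='* Mon Jan 01 2021 Example Packager <packager@example.invalid> - 0.0.0-0.example
- Resolves: #2007234 - CVE-2021-40438 httpd:2.4/httpd: mod_proxy: SSRF via
- Resolves: #2007646 - CVE-2021-26691 httpd:2.4/httpd: Heap overflow in
'

# Print the changelog for package $1; fall back to the constructed sample
# when rpm is unavailable or the package is not installed.
get_changelog() {
    pkg="$1"
    if command -v rpm >/dev/null 2>&1 && rpm -q "$pkg" >/dev/null 2>&1; then
        rpm -q --changelog "$pkg"
    else
        echo "note: $pkg not installed or rpm unavailable; using constructed sample" >&2
        printf '%s' "$SAMPLE_CHANGELOG"
    fi
}

# Read changelog text on stdin; print every distinct CVE id, sorted, one per line.
list_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Read changelog text on stdin; return 0 if CVE id $1 is referenced, 1 otherwise.
# A hit means the backport landed in this build. A miss does not by itself mean
# the package is vulnerable: the shipped version may not be affected at all, so
# a miss should be cross-checked against the vendor's CVE page.
cve_in_changelog() {
    cve="$1"
    if grep -qiF -- "$cve"; then
        echo "$cve: referenced in package changelog (fix backported)"
        return 0
    fi
    echo "$cve: not referenced in package changelog (check vendor CVE page)"
    return 1
}

# check_package PKG CVE...  -> prints one line per CVE, returns the number of misses.
check_package() {
    pkg="$1"; shift
    log=$(get_changelog "$pkg")
    misses=0
    for cve in "$@"; do
        printf '%s' "$log" | cve_in_changelog "$cve" || misses=$((misses + 1))
    done
    return "$misses"
}

# Usage: the two CVEs from the question's changelog output plus the one the
# comment says does not affect RHEL's httpd build.
check_package httpd CVE-2021-40438 CVE-2021-26691 CVE-2021-42013
echo "CVE ids not referenced in changelog: $?"
```

The functions read the changelog from stdin so they can be chained with any source: the real `rpm -q --changelog` output, a saved copy, or the sample above.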