Trying to see if I can make my server pass a PCI Compliance test and I’m getting a warning about the Apache version 2.4.10. Looks like it’s up to 2.4.25 now. Is there some interworx support yum repository we can use to upgrade Apache?
Also, it complains about the mod_lua (which I can just disable) and “HTTPoxy Vulnerability” and says new version of Apache fixes these as well.
I did some checking because of the CentOS7 backporting, but it seems the 2.4.10 version isn’t covering CVE-2015-3185
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3185
Is this something that comes from interworx or direct from CentOS 7?
Hi Justin
For PCI compliance I would contact Iw directly as some cve show weak but in reality are not
Many thanks
John
Well there are specific CVEs listed for PCI. Some of them I have so I can dispute the findings, but the one above I don’t. Seems like this should have been backported already.
John,
I’ve put in an information support ticket to ask them about this. I understand that the httpd server package comes from the Interworx YUM repo, not CentOS 7. So even though CentOS 7 has backported many of the CVEs, they have not been rolled into an httpd update on the interworx-release repo.
The only other thing I can think of is they did add these in, but just didn’t note it correctly in the changelog.
Thanks,
Hi Justin
Many thanks, hopefully the cve would be covered
I have not noticed any mention of cve in changelog though
Appreciate if you could update when you know
Many thanks
John
Easiest way to check this on your server is “rpm -q --changelog httpd | grep CVE”
More Info:
https://wiki.centos.org/FAQ/General#head-3dad8cb98ac535185e58e882a23ca4b096cbff2f
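Checking the installed package changelog for a list of CVE ids, as an added example that is not part of the original post. The changelog text is a constructed sample (the packager name, dates and CVE-2015-0001/CVE-2015-0002 are placeholders) so the script runs offline; on a real server you would feed it the output of `rpm -q --changelog httpd` instead. Because backports are noted in the changelog rather than the version number, this is what a PCI scanner does not see, and what you need to collect before disputing a finding.

```shell
#!/bin/sh
# Constructed sample of what "rpm -q --changelog httpd" prints on a backporting
# distro: fixes are listed per build, the version string stays at 2.4.10.
SAMPLE_CHANGELOG='* Tue Jul 26 2016 Example Packager <pkg@example.invalid> - 2.4.10-3
- Resolves: CVE-2015-0001 (placeholder id, constructed)
- Resolves: CVE-2015-0002 (placeholder id, constructed)
* Mon Mar 16 2015 Example Packager <pkg@example.invalid> - 2.4.10-2
- rebuilt for new upstream release'

# cve_listed CHANGELOG CVE-ID: exit 0 if the exact id appears, 1 otherwise.
# -F: literal match, -w: whole id only (CVE-2015-318 must not match CVE-2015-3185).
cve_listed() {
    printf '%s\n' "$1" | grep -qiwF -- "$2"
}

# missing_cves CHANGELOG CVE-ID...: print, one per line, the ids that do not
# appear anywhere in the changelog. Those are the findings that still need an
# answer from the repo vendor; the others you can dispute with the changelog
# line as evidence.
missing_cves() {
    changelog="$1"; shift
    for cve in "$@"; do
        cve_listed "$changelog" "$cve" || printf '%s\n' "$cve"
    done
}

# On a live server the same check is (not run here, rpm is not assumed present):
#   missing_cves "$(rpm -q --changelog httpd)" CVE-2015-3185 ...
# and "rpm -qi httpd | grep -E '^(Vendor|Build Host)'" shows which repo
# actually built the package, i.e. who has to ship the backport.
printf 'CVEs not mentioned in the sample changelog:\n'
missing_cves "$SAMPLE_CHANGELOG" CVE-2015-0001 CVE-2015-0002 CVE-2015-3185
```

The scanner only reads the banner version, so a clean result here still has to be presented to the assessor as a backport, together with the changelog line that names the CVE.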
I’ve heard back from interworx and all but two of the CVE are either not needed for my setup or covered by some other update. Like one wasn’t an Apache issue, it was a PHP issue that caused an issue in Apache.
The remaining two they are looking into and waiting to hear back.
Hi Justin
Ahh sorry, now I understand sorry. I thought you meant Iw changelog
Also, that is what I was trying to say when I said contact Iw - you put it more elegantly and understandably than me, sorry
Hopefully the remaining 2 cve will be covered
Many thanks
John