The distributions like RedHat, Debian, Ubuntu, etc. lock the version of their software packages when they release any specific version of their OS and they are responsible to backport any security or bug fixes.
For example, you can see Debian's tracker here: https://security-tracker.debian.org/tracker/CVE-2019-0211 They append their own release number to the end of the HTTPD version to show that they fixed the bug (2.4.25-3+deb9u6 to deb9u7). Ubuntu says they fixed the issues in 2.4.29-1ubuntu4.6 - Y On Sun, Apr 7, 2019 at 3:43 AM Dan Ehrlich <d...@ehrlichserver.com.invalid> wrote: > I’ve seen a few CVEs now that are low level but pretty much effect every > version from 2.4.30ish and back. > > The default Apache versions in the Debian and Ubuntu repos are 2.4.25 and > 2.4.29 respectively. > > QUESTIONS: > 1. Anyway to move the versions up (assuming I didn’t miss something) ? > 2. Happy to help / take on task if someone can point me in the right > direction > > > On Apr 6, 2019, at 11:14 PM, Sunhux G <sun...@gmail.com> wrote: > > Also, > can we safely say CVE-2019-0217 & CVE-2019-0215 affects "2.4.17 through > 2.4.38 with MPM event, worker or prefork" only (just like CVE-2019-0211)? > > How do I check if we have "MPM event, worker or prefork" in our Apache? > > On Sat, Apr 6, 2019 at 10:59 PM Sunhux G <sun...@gmail.com> wrote: > >> >> Are above CVEs affecting Apache httpd (ie web servers) 2.4.x only >> & other lower versions (eg: our Solaris 10's Apache/2.0.63) are not >> affected? >> >> Can point me to where to get the patches for RHEL7/RHEL6 >> in Red Hat support portal or anywhere else that's reliable?? >> >> Sun >> >
