PCI, httpd-devel-2.2.3-63.el5_8.1

Support for security such as Firewalls and securing Linux
davidsmythe
Posts: 4
Joined: 2011/09/30 11:48:03


Post by davidsmythe » 2012/02/24 14:14:19

I've noticed that CVE-2011-3639 has been addressed with httpd-devel-2.2.3-63.el5_8.1

Where can I obtain this? I don't see it with YUM. Is there a delay on making it available after updating the security site?

Running CentOS release 5.5 (Final).

Thanks.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK


Post by TrevorH » 2012/02/24 15:08:05

If you're running "CentOS release 5.5 (Final)" then you have bigger problems than just that one httpd update! You're about 18 months out of date on the other updates available.

That package belongs to the 5.8 update stream and it's not yet available - RHEL 5.8 only came out a few days ago. Last I heard the devs were doing the first preliminary build of CentOS 5.8 last night and intending to give that to QA if it built OK. Until then your only choice would be to build the package from the Redhat SRPM on ftp.redhat.com yourself.

davidsmythe
Posts: 4
Joined: 2011/09/30 11:48:03

Re: PCI, httpd-devel-2.2.3-63.el5_8.1

Post by davidsmythe » 2012/02/24 15:37:08

Thanks Trevor.

I don't quite understand what you're getting at with being "18 months out of date".

Surely I can't do more than update the latest security releases for each distro as they become available?

I'm interested in this specific release of httpd because the CVE has been flagged up on our more recent PCI scans and it's bugging me that I have this single issue outstanding.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: PCI, httpd-devel-2.2.3-63.el5_8.1

Post by TrevorH » 2012/02/25 00:44:59

You say you are running CentOS 5.5. If you are indeed running 5.5 then you're 18 months out of date since 5.6 has been and gone and 5.7 is with us now, shortly to be replaced by 5.8 in a few weeks' time. OTOH, if you have been yum updating regularly then you are not running 5.5 but 5.7.

However, Redhat put out the fix for that CVE with an update to httpd that is included in RHEL 5.8 and was not made available as a separate security update for 5.7. Since RHEL 5.8 has only been out for a few days, the CentOS devs have not yet had time to build CentOS 5.8 which would include that fix. Thus you are currently stuck with waiting or rebuilding Redhat's SRPM yourself. It may be that the update will be given priority and might appear in the CR repo but since all the CVEs that are listed as fixed by that RPM are "moderate" severity or lower, I think I would be surprised. Please note that I have no inside knowledge of when it will appear or when 5.8 might become available so this is just guesswork.
