It seems that httpd24-httpd from SCL is affected by CVE-2019-0211 [1].

Does the SIG have plans to update these rpms for EL6?

[1] https://httpd.apache.org/security/vulnerabilities_24.html

--
Thanks,
LF
On 4/3/19 1:53 PM, Leon Fauster via CentOS wrote:
> It seems that httpd24-httpd from SCL is affected by CVE-2019-0211 [1].
>
> Does the SIG have plans to update these rpms for EL6?
>
> [1] https://httpd.apache.org/security/vulnerabilities_24.html
>

https://access.redhat.com/security/cve/cve-2019-0211

That says SCLs are affected .. BUT .. they do not yet have a plan. The SIG should build whatever Red Hat releases for httpd24 .. if they release anything. Remember, EL6 is in Maintenance Support phase 2 (and has been for almost 24 months).. that means what is specified here for RHEL sources:

https://access.redhat.com/support/policy/updates/errata

Specifically:

"During the Maintenance Support 2 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available. Other errata advisories may be delivered as appropriate. New functionality and new hardware enablement are not planned for availability in the Maintenance Support 2 Phase. Minor releases with updated installation images may be made available in this Phase."

So .. They may or may not release a security update after investigation. It is time to plan your move from EL6 to EL7 ...
> On 08.04.2019 at 17:49, Johnny Hughes <johnny at centos.org> wrote:
>
> On 4/3/19 1:53 PM, Leon Fauster via CentOS wrote:
>> It seems that httpd24-httpd from SCL is affected by CVE-2019-0211 [1].
>>
>> Does the SIG have plans to update these rpms for EL6?
>>
>> [1] https://httpd.apache.org/security/vulnerabilities_24.html
>>
>
> https://access.redhat.com/security/cve/cve-2019-0211
>
> That says SCLs are affected .. BUT .. they do not yet have a plan. The
> SIG should build whatever Red Hat releases for httpd24 .. if they
> release anything. Remember, EL6 is in Maintenance Support phase 2 (and
> has been for almost 24 months).. that means what is specified here for
> RHEL sources:
>
> https://access.redhat.com/support/policy/updates/errata
>
> Specifically:
>
> "During the Maintenance Support 2 Phase, Critical impact Security
> Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories
> (RHBAs) may be released as they become available. Other errata
> advisories may be delivered as appropriate.
> New functionality and new hardware enablement are not planned for
> availability in the Maintenance Support 2 Phase. Minor releases with
> updated installation images may be made available in this Phase."
>
> So .. They may or may not release a security update after investigation.
> It is time to plan your move from EL6 to EL7 ...

Thanks for getting into this. Yep, it's time to move on ... until then I will try to build a custom version.

--
LF