Bug 1305629

Summary: httpd changelog typo relative to CVE-2014-0226
Product: [JBoss] JBoss Enterprise Web Server 2 Reporter: Dave Sullivan <dsulliva>
Component: httpdAssignee: Coty Sutherland <csutherl>
Status: CLOSED EOL QA Contact: Michal Karm Babacek <mbabacek>
Severity: low Docs Contact:
Priority: low    
Version: 2.1.0CC: csutherl, jclere, jdoyle, jpallich, pslavice, rsvoboda
Target Milestone: DR01   
Target Release: 2.1.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1338666 (view as bug list) Environment:
Last Closed: 2019-06-13 09:17:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1338666    

Description Dave Sullivan 2016-02-08 18:57:52 UTC 
Description of problem:

Depending upon how software analyzes for CVE/Security Issues this may or may not be as important.

1-      CVE Secuity vulnerability description: https://access.redhat.com/security/cve/cve-2014-0226
2-      Redhat errata patch details: https://rhn.redhat.com/errata/RHSA-2014-0920.html

The changelog appears to have a typo CVE-2014-0026 should instead be CVE-2014-0226

[root@acme01 tmp]# rpm -q --changelog httpd |grep 2014
* Fri Jul 18 2014 Weinan Li <weli> - 2.26.35
- Add missing CVE-2014-0231.patch
* Fri Jul 18 2014 Weinan Li <weli> - 2.26.34
- CVE-2014-0026
- CVE-2014-0118
- CVE-2014-0231
* Tue Jun 03 2014 Dustin Kut Moy Cheung <dcheung> - 2.26.33
* Wed May 07 2014 Dustin Kut Moy Cheung <dcheung> - 2.26.32
- Apply fix for CVE 2013-6438 and CVE 2014-0098
* Fri Mar 28 2014 Permaine Cheung <pcheung> - 2.2.26.31
* Tue Mar 04 2014 Weinan Li <weli> - 2.2.26.30
* Tue Mar 04 2014 Weinan Li <weli> - 2.2.26.29
* Mon Mar 03 2014 Weinan Li <weli> - 2.2.26-28
* Thu Feb 27 2014 Weinan Li <weli> - 2.2.26-27
* Wed Feb 26 2014 Weinan Li <weli> - 2.2.26-26


Version-Release number of selected component (if applicable):

Latest version
Comment 1 Dave Sullivan 2016-02-08 19:00:50 UTC 
As can been seen from the changelog from the httpd from rhel-6-server-rpms channel

...
* Thu Jul 17 2014 Jan Kaluza <jkaluza> - 2.2.15-38
- mod_cgid: add security fix for CVE-2014-0231
- mod_deflate: add security fix for CVE-2014-0118
- mod_status: add security fix for CVE-2014-0226    <----cve is correct here

...
Comment 2 Dave Sullivan 2016-02-08 19:03:07 UTC 
Not completely sure if the vulnerability scanner is looking at changelogs but is is failing, personally I think the scanner is failing for other reasons.

But it doesn't help the cause when the typo is there in the changelogs.
Comment 3 Permaine Cheung 2016-05-26 13:49:23 UTC 
Besides the changelog, the patch has been named CVE-2014-0026.patch as well.
I've fixed the name of the patch, the patching and the CL entry for the jb-eap-6.4-rhel-6 branch of httpd and jb-eap-6.4-rhel-6 branch of httpd22 in distgit so that any future builds will have the proper CVE number in there.

Weinan, can you please take care of httpd rebuild when you have the new version ready for EWS 2.1.1? Thanks!