Red Hat Bugzilla – Bug 1305629
httpd changelog typo relative to CVE-2014-0226
Last modified: 2016-08-11 03:50:29 EDT
Description of problem:
Depending upon how software analyzes for CVE/Security Issues this may or may not be as important.
1- CVE Secuity vulnerability description: https://access.redhat.com/security/cve/cve-2014-0226
2- Redhat errata patch details: https://rhn.redhat.com/errata/RHSA-2014-0920.html
The changelog appears to have a typo CVE-2014-0026 should instead be CVE-2014-0226
[root@acme01 tmp]# rpm -q --changelog httpd |grep 2014
* Fri Jul 18 2014 Weinan Li <firstname.lastname@example.org> - 2.26.35
- Add missing CVE-2014-0231.patch
* Fri Jul 18 2014 Weinan Li <email@example.com> - 2.26.34
* Tue Jun 03 2014 Dustin Kut Moy Cheung <firstname.lastname@example.org> - 2.26.33
* Wed May 07 2014 Dustin Kut Moy Cheung <email@example.com> - 2.26.32
- Apply fix for CVE 2013-6438 and CVE 2014-0098
* Fri Mar 28 2014 Permaine Cheung <firstname.lastname@example.org> - 126.96.36.199
* Tue Mar 04 2014 Weinan Li <email@example.com> - 188.8.131.52
* Tue Mar 04 2014 Weinan Li <firstname.lastname@example.org> - 184.108.40.206
* Mon Mar 03 2014 Weinan Li <email@example.com> - 2.2.26-28
* Thu Feb 27 2014 Weinan Li <firstname.lastname@example.org> - 2.2.26-27
* Wed Feb 26 2014 Weinan Li <email@example.com> - 2.2.26-26
Version-Release number of selected component (if applicable):
As can been seen from the changelog from the httpd from rhel-6-server-rpms channel
* Thu Jul 17 2014 Jan Kaluza <firstname.lastname@example.org> - 2.2.15-38
- mod_cgid: add security fix for CVE-2014-0231
- mod_deflate: add security fix for CVE-2014-0118
- mod_status: add security fix for CVE-2014-0226 <----cve is correct here
Not completely sure if the vulnerability scanner is looking at changelogs but is is failing, personally I think the scanner is failing for other reasons.
But it doesn't help the cause when the typo is there in the changelogs.
Besides the changelog, the patch has been named CVE-2014-0026.patch as well.
I've fixed the name of the patch, the patching and the CL entry for the jb-eap-6.4-rhel-6 branch of httpd and jb-eap-6.4-rhel-6 branch of httpd22 in distgit so that any future builds will have the proper CVE number in there.
Weinan, can you please take care of httpd rebuild when you have the new version ready for EWS 2.1.1? Thanks!