Bug 1305629 - httpd changelog typo relative to CVE-2014-0226
Summary: httpd changelog typo relative to CVE-2014-0226
Keywords:
Status: CLOSED EOL
Alias: None
Product: JBoss Enterprise Web Server 2
Classification: JBoss
Component: httpd
Version: 2.1.0
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: DR01
: 2.1.1
Assignee: Coty Sutherland
QA Contact: Michal Karm Babacek
URL:
Whiteboard:
Depends On:
Blocks: 1338666
TreeView+ depends on / blocked
 
Reported: 2016-02-08 18:57 UTC by Dave Sullivan
Modified: 2019-06-13 09:17 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1338666 (view as bug list)
Environment:
Last Closed: 2019-06-13 09:17:29 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Dave Sullivan 2016-02-08 18:57:52 UTC
Description of problem:

Depending upon how software analyzes for CVE/Security Issues this may or may not be as important.

1-      CVE Secuity vulnerability description: https://access.redhat.com/security/cve/cve-2014-0226
2-      Redhat errata patch details: https://rhn.redhat.com/errata/RHSA-2014-0920.html

The changelog appears to have a typo CVE-2014-0026 should instead be CVE-2014-0226

[root@acme01 tmp]# rpm -q --changelog httpd |grep 2014
* Fri Jul 18 2014 Weinan Li <weli> - 2.26.35
- Add missing CVE-2014-0231.patch
* Fri Jul 18 2014 Weinan Li <weli> - 2.26.34
- CVE-2014-0026
- CVE-2014-0118
- CVE-2014-0231
* Tue Jun 03 2014 Dustin Kut Moy Cheung <dcheung> - 2.26.33
* Wed May 07 2014 Dustin Kut Moy Cheung <dcheung> - 2.26.32
- Apply fix for CVE 2013-6438 and CVE 2014-0098
* Fri Mar 28 2014 Permaine Cheung <pcheung> - 2.2.26.31
* Tue Mar 04 2014 Weinan Li <weli> - 2.2.26.30
* Tue Mar 04 2014 Weinan Li <weli> - 2.2.26.29
* Mon Mar 03 2014 Weinan Li <weli> - 2.2.26-28
* Thu Feb 27 2014 Weinan Li <weli> - 2.2.26-27
* Wed Feb 26 2014 Weinan Li <weli> - 2.2.26-26


Version-Release number of selected component (if applicable):

Latest version

Comment 1 Dave Sullivan 2016-02-08 19:00:50 UTC
As can been seen from the changelog from the httpd from rhel-6-server-rpms channel

...
* Thu Jul 17 2014 Jan Kaluza <jkaluza> - 2.2.15-38
- mod_cgid: add security fix for CVE-2014-0231
- mod_deflate: add security fix for CVE-2014-0118
- mod_status: add security fix for CVE-2014-0226    <----cve is correct here

...

Comment 2 Dave Sullivan 2016-02-08 19:03:07 UTC
Not completely sure if the vulnerability scanner is looking at changelogs but is is failing, personally I think the scanner is failing for other reasons.

But it doesn't help the cause when the typo is there in the changelogs.

Comment 3 Permaine Cheung 2016-05-26 13:49:23 UTC
Besides the changelog, the patch has been named CVE-2014-0026.patch as well.
I've fixed the name of the patch, the patching and the CL entry for the jb-eap-6.4-rhel-6 branch of httpd and jb-eap-6.4-rhel-6 branch of httpd22 in distgit so that any future builds will have the proper CVE number in there.

Weinan, can you please take care of httpd rebuild when you have the new version ready for EWS 2.1.1? Thanks!


Note You need to log in before you can comment on or make changes to this bug.