Bug 1305629 - httpd changelog typo relative to CVE-2014-0226
Status: VERIFIED
Product: JBoss Enterprise Web Server 2
Classification: JBoss
Component: httpd
2.1.0
Unspecified Unspecified
low Severity low
: DR01
: 2.1.1
Assigned To: Coty Sutherland
Michal Karm Babacek
Blocks: 1338666
Reported: 2016-02-08 13:57 EST by Dave Sullivan
Modified: 2016-08-11 03:50 EDT
Doc Type: Bug Fix
Type: Bug

Description Dave Sullivan 2016-02-08 13:57:52 EST
Description of problem:

Depending upon how software analyzes for CVE/Security Issues this may or may not be as important.

1-      CVE Security vulnerability description: https://access.redhat.com/security/cve/cve-2014-0226
2-      Redhat errata patch details: https://rhn.redhat.com/errata/RHSA-2014-0920.html

The changelog appears to have a typo: CVE-2014-0026 should instead be CVE-2014-0226

[root@acme01 tmp]# rpm -q --changelog httpd |grep 2014
* Fri Jul 18 2014 Weinan Li <weli@redhat.com> - 2.26.35
- Add missing CVE-2014-0231.patch
* Fri Jul 18 2014 Weinan Li <weli@redhat.com> - 2.26.34
- CVE-2014-0026
- CVE-2014-0118
- CVE-2014-0231
* Tue Jun 03 2014 Dustin Kut Moy Cheung <dcheung@redhat.com> - 2.26.33
* Wed May 07 2014 Dustin Kut Moy Cheung <dcheung@redhat.com> - 2.26.32
- Apply fix for CVE 2013-6438 and CVE 2014-0098
* Fri Mar 28 2014 Permaine Cheung <pcheung@redhat.com> - 2.2.26.31
* Tue Mar 04 2014 Weinan Li <weli@redhat.com> - 2.2.26.30
* Tue Mar 04 2014 Weinan Li <weli@redhat.com> - 2.2.26.29
* Mon Mar 03 2014 Weinan Li <weli@redhat.com> - 2.2.26-28
* Thu Feb 27 2014 Weinan Li <weli@redhat.com> - 2.2.26-27
* Wed Feb 26 2014 Weinan Li <weli@redhat.com> - 2.2.26-26


Version-Release number of selected component (if applicable):

Latest version
Comment 1 Dave Sullivan 2016-02-08 14:00:50 EST
As can be seen from the changelog of the httpd from the rhel-6-server-rpms channel

...
* Thu Jul 17 2014 Jan Kaluza <jkaluza@redhat.com> - 2.2.15-38
- mod_cgid: add security fix for CVE-2014-0231
- mod_deflate: add security fix for CVE-2014-0118
- mod_status: add security fix for CVE-2014-0226    <----cve is correct here

...
Comment 2 Dave Sullivan 2016-02-08 14:03:07 EST
Not completely sure if the vulnerability scanner is looking at changelogs, but it is failing; personally I think the scanner is failing for other reasons.

But it doesn't help the cause when the typo is there in the changelogs.
Comment 3 Permaine Cheung 2016-05-26 09:49:23 EDT
Besides the changelog, the patch has been named CVE-2014-0026.patch as well.
I've fixed the name of the patch, the patching and the CL entry for the jb-eap-6.4-rhel-6 branch of httpd and jb-eap-6.4-rhel-6 branch of httpd22 in distgit so that any future builds will have the proper CVE number in there.

Weinan, can you please take care of httpd rebuild when you have the new version ready for EWS 2.1.1? Thanks!
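
An added example, not part of the bug report or of Red Hat's tooling: a Python check that compares the CVE IDs named in an RPM changelog against the IDs expected for an update and flags one-character near-misses like the one reported here. The expected list is an assumption taken from the RHEL 6 changelog quoted in comment 1, and the sample changelog is an excerpt of the output in the description.

```python
import re

# Accepts "CVE-2014-0226" and the "CVE 2014-0098" spelling used in one entry.
CVE_RE = re.compile(r"CVE[- ](\d{4})-(\d{4,})")

# Constructed sample: an excerpt of the 2014 entries quoted in the description.
SAMPLE_CHANGELOG = """\
* Fri Jul 18 2014 Weinan Li <weli@redhat.com> - 2.26.35
- Add missing CVE-2014-0231.patch
* Fri Jul 18 2014 Weinan Li <weli@redhat.com> - 2.26.34
- CVE-2014-0026
- CVE-2014-0118
- CVE-2014-0231
* Wed May 07 2014 Dustin Kut Moy Cheung <dcheung@redhat.com> - 2.26.32
- Apply fix for CVE 2013-6438 and CVE 2014-0098
"""

# Assumption: expected IDs are the three named in the RHEL 6 changelog (comment 1).
EXPECTED = ["CVE-2014-0226", "CVE-2014-0118", "CVE-2014-0231"]

def changelog_cves(text):
    """Map each CVE ID to the version of the newest entry that names it."""
    found, version = {}, None
    for line in text.splitlines():
        if line.startswith("* "):          # entry header: date, packager, version
            version = line.rsplit(" - ", 1)[-1].strip()
            continue
        for year, num in CVE_RE.findall(line):
            found.setdefault(f"CVE-{year}-{num}", version)
    return found

def one_char_off(a, b):
    """True when two IDs have equal length and differ in exactly one character."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def audit(text, expected):
    """For each expected CVE: ('listed', version) or ('missing', likely typos)."""
    found = changelog_cves(text)
    report = {}
    for cve in expected:
        if cve in found:
            report[cve] = ("listed", found[cve])
        else:
            typos = sorted(c for c in found
                           if c not in expected and one_char_off(c, cve))
            report[cve] = ("missing", typos)
    return report

if __name__ == "__main__":
    for cve, (status, detail) in audit(SAMPLE_CHANGELOG, EXPECTED).items():
        print(cve, status, detail)
```

On a live system the same audit can be fed the output of `rpm -q --changelog httpd` instead of the embedded sample.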
