httpd update on CentOS 5, 6, and 7 for CVE-2016-5387

Howdy all,

There’s a security update of Apache available for all supported CentOS versions. They should be showing up in your available updates in the Virtualmin UI over the next couple of hours, or you can force a refresh of available packages.

This update patches the recently discussed httpoxy security bug, wherein any application running in a CGI environment could be tricked into using an attacker’s proxy for requests, which could be used for a variety of malicious behavior. There are mitigations without having to patch, but there’s no reason not to run the latest package; and it’s easy to make mistakes in implementing the mitigation steps.

In short: Everyone should update.

As always, file a ticket if there are problems with these packages. I have only tested on CentOS 7, as I don’t have fast Internet at the moment and so can’t pull down test images for CentOS 5 or 6. But because it is a security issue, I wanted to get it out as quickly as possible. If you have problems upgrading, file a ticket and I’ll get it sorted.

Cheers,

Joe
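The mechanism Joe refers to, as an added example that is not code from his post or from the Virtualmin httpd packages: a CGI gateway turns every request header into an `HTTP_<NAME>` environment variable, so a client-supplied `Proxy:` header lands in the application as `HTTP_PROXY`, which proxy-aware HTTP client libraries read as the outbound proxy to use. The block below builds that environment from a constructed request, shows the pre-httpoxy client lookup honouring the attacker's value, and shows the two fixes: stripping the header at the web server (what `RequestHeader unset Proxy early` does in mod_headers) and, in the application, ignoring any non-lowercase `HTTP_PROXY` when `REQUEST_METHOD` marks a CGI context (the rule CPython itself adopted). The header names, the 203.0.113.7 proxy address and the function names are assumptions made for illustration.

```python
"""Added example (not code from the forum post or from the Virtualmin httpd
packages): why a "Proxy:" request header reaches a CGI application as
HTTP_PROXY, how an unpatched HTTP client then honours it, and the two fixes.
Header names, the proxy address and the REQUEST_METHOD value are constructed
for illustration."""
import os
import urllib.request
from unittest import mock

# Constructed client request: a normal Host header plus an attacker-supplied
# Proxy header (203.0.113.0/24 is a documentation range, not a real host).
MALICIOUS_HEADERS = {
    "Host": "example.com",
    "Proxy": "http://203.0.113.7:8080",
}


def cgi_meta_variables(headers, method="GET"):
    """Map request headers to CGI meta-variables the way RFC 3875 section 4.1.18
    describes: HTTP_ prefix, upper case, '-' replaced by '_'.  (Content-Type and
    Content-Length, which RFC 3875 exports without the prefix, are omitted.)"""
    env = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def naive_proxy_for(env):
    """The pre-httpoxy lookup found in many client libraries: use whichever
    variable is called http_proxy in any letter case."""
    for name, value in env.items():
        if name.lower() == "http_proxy" and value:
            return value
    return None


def hardened_proxy_for(env):
    """The application-side fix: trust the exact lowercase name http_proxy,
    which an operator can set but a CGI gateway never generates; outside CGI
    (no REQUEST_METHOD) keep the case-insensitive lookup, inside CGI drop it."""
    if env.get("http_proxy"):
        return env["http_proxy"]
    if "REQUEST_METHOD" not in env:
        return naive_proxy_for(env)
    return None


def strip_proxy_header(headers):
    """The web-server-side fix, equivalent to mod_headers'
    `RequestHeader unset Proxy early`: drop the header before the CGI
    environment is built.  Header names are matched case-insensitively."""
    return {k: v for k, v in headers.items() if k.lower() != "proxy"}


def urllib_proxy_for(env):
    """Cross-check against the real standard library: run urllib's environment
    proxy discovery with exactly this environment.  Python 3.5.2+ applies the
    same REQUEST_METHOD rule as hardened_proxy_for (its fix for httpoxy)."""
    with mock.patch.dict(os.environ, env, clear=True):
        return urllib.request.getproxies_environment().get("http")


if __name__ == "__main__":
    env = cgi_meta_variables(MALICIOUS_HEADERS)
    print("CGI environment:", env)
    print("naive client would use:", naive_proxy_for(env))
    print("hardened client would use:", hardened_proxy_for(env))
    print("urllib would use:", urllib_proxy_for(env))
    clean_env = cgi_meta_variables(strip_proxy_header(MALICIOUS_HEADERS))
    print("after stripping the header, naive client uses:",
          naive_proxy_for(clean_env))
```

Run it with a plain `python3`; no network access is needed because nothing is actually fetched, only the proxy selection is exercised. The patched httpd in this update stops exporting the `Proxy` header to CGI at all, which is the same effect as `strip_proxy_header` but applied for every application on the box, so the header-stripping directive is only needed as an interim measure on an unpatched server.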

I got an error during the update:

Update Packages
Building complete list of updates …

Now updating httpd httpd-tools mod_ssl wbm-php-pear …

Installing package(s) with command /bin/yum -y install httpd.x86_64 httpd-tools.x86_64 mod_ssl.x86_64 wbm-php-pear.noarch ..

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.prometeus.net
 * extras: mirrors.prometeus.net
 * updates: mirrors.prometeus.net
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 1:2.4.6-40.el7.centos.vm.1 will be updated
---> Package httpd.x86_64 1:2.4.6-40.el7.centos.4.vm will be an update
---> Package httpd-tools.x86_64 1:2.4.6-40.el7.centos.vm.1 will be updated
---> Package httpd-tools.x86_64 1:2.4.6-40.el7.centos.4.vm will be an update
---> Package mod_ssl.x86_64 2:2.4.6-40.el7.centos.vm.1 will be updated
---> Package mod_ssl.x86_64 2:2.4.6-40.el7.centos.4.vm will be an update
---> Package wbm-php-pear.noarch 2:1.5-1 will be updated
---> Package wbm-php-pear.noarch 2:1.6-1 will be an update
http://GPL:GPL@software.virtualmin.com/gpl/rhel/7/x86_64/repodata/f44149aa556954ce43e487f1e6a3af6ed49c63b1-filelists.sqlite.bz2: [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
To address this issue please refer to the below knowledge base article 

https://access.redhat.com/articles/1320623

If above article doesn't help to resolve this issue please create a bug on https://bugs.centos.org/



 One of the configured repositories failed (RHEL/CentOS/Scientific 7 - x86_64 - Virtualmin),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Disable the repository, so yum won't use it by default. Yum will then
        just ignore the repository until you permanently enable it again or use
        --enablerepo for temporary usage:

            yum-config-manager --disable virtualmin

     4. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=virtualmin.skip_if_unavailable=true

failure: repodata/f44149aa556954ce43e487f1e6a3af6ed49c63b1-filelists.sqlite.bz2 from virtualmin: [Errno 256] No more mirrors to try.
http://GPL:GPL@software.virtualmin.com/gpl/rhel/7/x86_64/repodata/f44149aa556954ce43e487f1e6a3af6ed49c63b1-filelists.sqlite.bz2: [Errno 14] HTTP Error 404 - Not Found

.. install failed!

No packages were installed. Check the messages above for the cause of the error.

So I used SSH and the update passed without any problem:

[root@jenkins ~]# yum update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.prometeus.net
 * extras: mirrors.prometeus.net
 * updates: mirrors.prometeus.net
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 1:2.4.6-40.el7.centos.vm.1 will be updated
---> Package httpd.x86_64 1:2.4.6-40.el7.centos.4.vm.2 will be an update
---> Package httpd-tools.x86_64 1:2.4.6-40.el7.centos.vm.1 will be updated
---> Package httpd-tools.x86_64 1:2.4.6-40.el7.centos.4.vm.2 will be an update
---> Package mod_ssl.x86_64 2:2.4.6-40.el7.centos.vm.1 will be updated
---> Package mod_ssl.x86_64 2:2.4.6-40.el7.centos.4.vm.2 will be an update
---> Package wbm-php-pear.noarch 2:1.5-1 will be updated
---> Package wbm-php-pear.noarch 2:1.6-1 will be an update
virtualmin/7/x86_64/filelists_db | 198 kB 00:00:00
virtualmin-universal/filelists_db | 902 kB 00:00:00
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================
Package Arch Version Repository Size

Updating:
httpd x86_64 1:2.4.6-40.el7.centos.4.vm.2 virtualmin 2.7 M
httpd-tools x86_64 1:2.4.6-40.el7.centos.4.vm.2 virtualmin 82 k
mod_ssl x86_64 2:2.4.6-40.el7.centos.4.vm.2 virtualmin 103 k
wbm-php-pear noarch 2:1.6-1 virtualmin-universal 61 k

Transaction Summary

Upgrade 4 Packages

Total download size: 2.9 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/4): httpd-tools-2.4.6-40.el7.centos.4.vm.2.x86_64.rpm | 82 kB 00:00:00
(2/4): mod_ssl-2.4.6-40.el7.centos.4.vm.2.x86_64.rpm | 103 kB 00:00:00
(3/4): wbm-php-pear-1.6-1.noarch.rpm | 61 kB 00:00:00
(4/4): httpd-2.4.6-40.el7.centos.4.vm.2.x86_64.rpm | 2.7 MB 00:00:01

Total 1.6 MB/s | 2.9 MB 00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : 1:httpd-tools-2.4.6-40.el7.centos.4.vm.2.x86_64 1/8
Updating : 1:httpd-2.4.6-40.el7.centos.4.vm.2.x86_64 2/8
Updating : 2:mod_ssl-2.4.6-40.el7.centos.4.vm.2.x86_64 3/8
Updating : 2:wbm-php-pear-1.6-1.noarch 4/8

Cleanup : 2:mod_ssl-2.4.6-40.el7.centos.vm.1.x86_64 5/8
Cleanup : 1:httpd-2.4.6-40.el7.centos.vm.1.x86_64 6/8
Cleanup : 1:httpd-tools-2.4.6-40.el7.centos.vm.1.x86_64 7/8
Cleanup : 2:wbm-php-pear-1.5-1.noarch 8/8
Verifying : 1:httpd-tools-2.4.6-40.el7.centos.4.vm.2.x86_64 1/8
Verifying : 2:mod_ssl-2.4.6-40.el7.centos.4.vm.2.x86_64 2/8
Verifying : 2:wbm-php-pear-1.6-1.noarch 3/8
Verifying : 1:httpd-2.4.6-40.el7.centos.4.vm.2.x86_64 4/8
Verifying : 1:httpd-tools-2.4.6-40.el7.centos.vm.1.x86_64 5/8
Verifying : 2:mod_ssl-2.4.6-40.el7.centos.vm.1.x86_64 6/8
Verifying : 1:httpd-2.4.6-40.el7.centos.vm.1.x86_64 7/8
Verifying : 2:wbm-php-pear-1.5-1.noarch 8/8

Updated:
httpd.x86_64 1:2.4.6-40.el7.centos.4.vm.2 httpd-tools.x86_64 1:2.4.6-40.el7.centos.4.vm.2
mod_ssl.x86_64 2:2.4.6-40.el7.centos.4.vm.2 wbm-php-pear.noarch 2:1.6-1

That’s really strange. I didn’t see that on any of my boxes, and the Virtualmin update just runs the same yum commands you’d run from the command line.

I wonder if maybe you happened to hit it while I was running the repo update. I thought it was atomic (in that it creates temp files and then relinks them to the existing locations), but maybe not.

Anybody else seen this error?

The update applied fine for me, no issues or warnings. (centos-release-7-2.1511.el7.centos.2.10.x86_64)

I actually logged in here to say thanks for making the patch available so quickly, and also to add the link https://httpoxy.org/ which provides some directions for mitigating the problem.

@Joe: Probably you are right but honestly that was some serious bad timing. :smiley:

Thanks for getting this out so quickly, and for updating the forums :slight_smile:

Update on CentOS 6 is not working; it seems that the httpd-manual package has not been included in the release of these updates, and dependencies fail as a consequence. Workaround: uninstall httpd-manual (I think it does not do any harm, but maybe I’m wrong?)