New CFEngine hub packages released

October 3, 2019

Due to a number of vulnerabilities found in the version of Apache we bundle with CFEngine hub, we have upgraded the CFEngine hub packages to use an updated version of Apache. We upgrade from Apache 2.4.39 to Apache 2.4.41. We are now releasing a new version, CFEngine Hub 3.12.2-5. Only new Hub packages are being released, as no other packages are affected by these vulnerabilities.

The issues fixed

There are several issues that have been fixed with this new version of Apache. Out of these, only CVE-2019-10098 should affect CFEngine and is the one we were most concerned with. low: mod_rewrite potential open redirect (CVE-2019-10098) Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL. You can see the full list of issues fixed in Apache 2.4.41 here: https://httpd.apache.org/security/vulnerabilities_24.html This dependency upgrade is the only change we have made. So please upgrade your CFEngine hub today.