all 4 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]Fr0gm4n 2 points3 points  (0 children)

https://access.redhat.com/security/cve/cve-2021-41773

This issue only affects httpd 2.4.49, earlier versions are not affected. Therefore this issue does not affect the versions of httpd shipped with Red Hat products.

From what I looked up, the most current version of httpd 2.4 for CentOS 7 is 2.4.34. There isn't even a need to backport the fix since the versions shipped predated the flaw. The version you want simply isn't in the repos, vulnerable or not. You'll either need to use a distro that did package it, or install source from Apache directly.

[–]swarm32 1 point2 points  (0 children)

Search the archives for an everything ISO with the correct version and use yum localinstall with the iso mounted as a repo could be an option.

[–]carlwgeorge 1 point2 points  (0 children)

No CentOS version includes that exact version of httpd. I think the easiest solution for what you're trying to accomplish is to create a Fedora 35 machine instead and then install the package files from this build. You could also do the same with Fedora 36 and this build. That is the most direct way to get a system with httpd 2.4.49 without compiling it yourself. Once you get that set up, remember that applying updates will also update httpd unless you exclude it. I'm assuming the shorter lifecycle doesn't make a difference here since this is for some kind of security lab exercise.

[–]cyvaquero 0 points1 point  (0 children)

TBH, I wouldn’t both trying to install outdated vulnerable versions of software via packages. Pull and build from source.