
I have a small Apache webserver that was CentOS but is now AlmaLinux 8, and I've been trying to update httpd via dnf to protect against the recently disclosed vulnerabilities: https://httpd.apache.org/security/vulnerabilities_24.html

Numerically, the machine's httpd version number never exceeds 2.4.37, but I've read elsewhere that RHEL backports CVE fixes to each Apache version that aligns to their OS release.

Questions

  1. Does AlmaLinux do the same thing?

  2. How long does it take to actually get the fix to be rolled out?

FYI:

rpm -q --changelog httpd | grep CVE-2021 returns no results.

httpd -v returns Server version: Apache/2.4.37 (AlmaLinux)

The last CVE I can see on the RHPE is CVE-2021-40438 (https://access.redhat.com/errata/RHSA-2021:3754). Does AlmaLinux have anything like this, or does it use the same thing?

~~ Edit ~~

After an update today, rpm -q --changelog httpd | grep CVE-2021 now returns:

Resolves: #2007234 - CVE-2021-40438 httpd:2.4/httpd: mod_proxy: SSRF via
Resolves: #2007646 - CVE-2021-26691 httpd:2.4/httpd: Heap overflow in

FYI:

CVE-2021-40438: Update 2.4.49 - released: 2021-09-16

CVE-2021-26691: Update 2.4.48 - released: 2021-06-01

Seems that they're cherry picking CVEs to include.

Mark

1 Answer


AlmaLinux is 1:1 binary compatible with RHEL and is downstream from RHEL, so packages that get patched in RHEL will be patched in AlmaLinux also, usually with a 1 business day delay.

https://wiki.almalinux.org/Comparison.html

As you mentioned yourself, you can use rpm -q --changelog PackageName | grep CVE to see if a certain CVE is resolved in a package.

Packages in AlmaLinux come from RHEL, but get some small modifications before being made available in AlmaLinux.

https://wiki.almalinux.org/development/Packaging.html

ralz
  • Ok thanks. I don't suppose you'd know why an "urgent, patch now" Apache issue wouldn't even have an errata listing with RHEL, would you? – Mark Oct 16 '21 at 11:32
  • @Mark if you are referring to CVE-2021-42013 it doesn't seem to affect httpd that ships on RHEL https://access.redhat.com/security/cve/cve-2021-42013 – ralz Oct 17 '21 at 14:08
  • Yes, that was one of the many that I saw on the Apache security page. I went looking for that one specifically and saw a number of them that were important, and didn't look at related minimum versions. But that's good to know :) thank you. – Mark Oct 18 '21 at 22:49
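A small checker in the spirit of the rpm -q --changelog PackageName | grep CVE approach from the answer, added here as an example; it is not code from the original question, the answer, or the AlmaLinux project. The changelog text below is constructed to mimic the two "Resolves:" entries quoted in the question; on a real AlmaLinux host you would feed in the output of rpm -q --changelog httpd instead. The match is on the whole CVE token, because a bare grep for CVE-2021-4043 would also match CVE-2021-40438, and the exit code makes the check usable from a cron job or a configuration-management run. Keep in mind the caveat raised in the comments: a CVE that never appears in the changelog may be unpatched, or it may simply not affect the shipped version (as with CVE-2021-42013 on RHEL's httpd 2.4.37), so a "not-listed" result should be cross-checked against the Red Hat CVE page rather than read as "vulnerable".

```shell
#!/bin/sh
# Added example (not from the original post or from AlmaLinux): check whether
# given CVE IDs appear in an RPM changelog, as "rpm -q --changelog" prints it.
#
# Real use on an AlmaLinux/RHEL host (assumed invocation, not from the post):
#   changelog=$(rpm -q --changelog httpd)
#   check_cves "$changelog" CVE-2021-40438 CVE-2021-26691 CVE-2021-42013
#
# The changelog below is CONSTRUCTED so the script runs offline; the two
# "Resolves:" lines mirror the ones the question quotes.
SAMPLE_CHANGELOG='* Fri Jan 01 2021 Example Maintainer <maintainer@example.invalid> - 2.4.37-0
- Resolves: #2007234 - CVE-2021-40438 httpd:2.4/httpd: mod_proxy: SSRF via
- Resolves: #2007646 - CVE-2021-26691 httpd:2.4/httpd: Heap overflow in'

# cve_status CHANGELOG_TEXT CVE-ID
#   prints "fixed" and returns 0 if the ID is named in the changelog,
#   prints "not-listed" and returns 1 otherwise.
# The ID is matched as a whole token: it must not be preceded by an
# alphanumeric/hyphen and must not be followed by another digit, so that
# CVE-2021-4043 does not silently match CVE-2021-40438.
cve_status() {
    changelog="$1"
    cve="$2"
    if printf '%s\n' "$changelog" | grep -Eiq "(^|[^0-9A-Za-z-])${cve}([^0-9]|\$)"; then
        printf 'fixed\n'
        return 0
    fi
    printf 'not-listed\n'
    return 1
}

# check_cves CHANGELOG_TEXT CVE-ID...
#   prints one "CVE-ID  status" line per ID and returns the number of IDs
#   that were NOT found (0 means every requested CVE is listed as resolved).
check_cves() {
    changelog="$1"
    shift
    missing=0
    for cve in "$@"; do
        status=$(cve_status "$changelog" "$cve") || missing=$((missing + 1))
        printf '%-16s %s\n' "$cve" "$status"
    done
    return "$missing"
}

# Demo run over the constructed sample. CVE-2021-42013 is deliberately absent:
# on RHEL's httpd 2.4.37 it is "not affected", so no changelog entry exists,
# and the tool reports "not-listed" rather than claiming "vulnerable".
check_cves "$SAMPLE_CHANGELOG" CVE-2021-40438 CVE-2021-26691 CVE-2021-42013 || :
```

The version string from httpd -v stays at 2.4.37 no matter how many backported fixes are applied, which is exactly why comparing it against the "fixed in 2.4.48 / 2.4.49" lines on the upstream page is misleading and the changelog (or the Red Hat errata and CVE pages) is the source of truth.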