Closed olivia-fox closed 3 years ago
The bot should pick it up sometime https://github.com/docker-library/httpd/commit/8835b23f748f80bcec510c14b68c84bc37767cdb
+1
There is a key issue when trying to build:

```
+ gpg --batch --verify httpd.tar.bz2.asc httpd.tar.bz2
gpg: Signature made Fri Sep 10 13:47:38 2021 UTC
gpg: using RSA key 26F51EF9A82F4ACB43F1903ED377C9E7D1944C66
gpg: Can't check signature: No public key
```

The key is in the KEYS file here: https://downloads.apache.org/httpd/KEYS
but fails to import as it is unavailable on the Ubuntu keyserver:

```
$ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 26F51EF9A82F4ACB43F1903ED377C9E7D1944C66
gpg: keyserver receive failed: No data
```

Available on keys.openpgp.org however:

```
$ gpg --batch --keyserver keys.openpgp.org --recv-keys 26F51EF9A82F4ACB43F1903ED377C9E7D1944C66
gpg: key D377C9E7D1944C66: public key "Stefan Eissing (icing) <stefan@eissing.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
```
Added details under https://github.com/docker-library/httpd/pull/199
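The manual fallback in the comment above (one keyserver returns "No data", another has the key) can be scripted for a build. This is an added example, not code from this thread or from the docker-library repository; the names `fetch_key`, `GPG_BIN` and `KEYSERVER_USED` are assumptions of the sketch. It tries each keyserver in turn for a pinned full fingerprint and accepts the result only if the keyring then lists exactly that fingerprint.

```shell
#!/bin/sh
# Added example: keyserver fallback for one pinned signing-key fingerprint.
# GPG_BIN, KEYSERVER_USED and fetch_key are names assumed for this sketch.

GPG_BIN="${GPG_BIN:-gpg}"   # overridable so the logic can be exercised offline
KEYSERVER_USED=""

# fetch_key FINGERPRINT KEYSERVER [KEYSERVER...]
# Returns 0 once a keyserver delivers the pinned key, 1 if none does,
# 2 if FINGERPRINT is not a full 40-hex-digit fingerprint.
fetch_key() {
    fpr="$1"; shift
    KEYSERVER_USED=""

    # Pin the full fingerprint; short and long key IDs can collide.
    case "$fpr" in
        *[!0-9A-Fa-f]*) echo "not a hex fingerprint: $fpr" >&2; return 2 ;;
    esac
    [ "${#fpr}" -eq 40 ] || { echo "need a full 40-digit fingerprint" >&2; return 2; }

    for ks in "$@"; do
        if "$GPG_BIN" --batch --keyserver "$ks" --recv-keys "$fpr" >/dev/null 2>&1; then
            # Do not trust the server's answer blindly: confirm the keyring
            # now holds a key with exactly the pinned fingerprint.
            if "$GPG_BIN" --batch --with-colons --fingerprint "$fpr" 2>/dev/null \
                | grep -qi "^fpr:.*:$fpr:"; then
                KEYSERVER_USED="$ks"
                return 0
            fi
            echo "$ks: imported key does not match $fpr" >&2
        else
            echo "$ks: no key for $fpr" >&2
        fi
    done
    return 1
}
```

Called as `fetch_key 26F51EF9A82F4ACB43F1903ED377C9E7D1944C66 keyserver.ubuntu.com keys.openpgp.org`, it leaves the server that answered in `KEYSERVER_USED`; the `gpg --batch --verify` step from the build log then runs against the imported key.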
Fixed in #199 + 6b536fff705fe3b0dc86bcecdaf115d86bcdb01f -- @docker-library-bot should pick up Alpine shortly (after which the PR to official-images will be opened).
Resolves high-severity “mod_proxy SSRF” (CVE-2021-40438), “Request splitting via HTTP/2 method injection and mod_proxy” (CVE-2021-33193), and “NULL pointer dereference” (CVE-2021-34798) vulnerabilities.
Edit: 2.4.49’s changelog