iusrepo / httpd24u

Apache HTTP Server

Update to 2.4.50 for security issues, bugs and improvements #43

Closed reporter4u closed 3 years ago

reporter4u commented 3 years ago

I'm sorry to bother you again, but the Apache httpd project team released a new version for these reasons:

See https://downloads.apache.org/httpd/CHANGES_2.4.49

Thank you in advance!

Roberto

sping1968 commented 3 years ago

We're also waiting for this update. Thank you!

raider700 commented 3 years ago

CVE level was increased from 7.5 to 9.8 and affects reverse proxy servers: https://nvd.nist.gov/vuln/detail/CVE-2021-40438

Advisory to the version for FC34: https://bodhi.fedoraproject.org/updates/FEDORA-2021-dce7e7738e

An upgrade to 2.4.49 soon would be really nice. Thx!

vernade commented 3 years ago

We are using the IUS Apache as a reverse proxy and are affected by CVE-2021-40438. We are quite concerned because of the severity of the issue and the lack of mitigation possibilities.

Is the release of the next version containing the fixes for CVE-2021-40438 imminent?

We would be happy to hear from you. Thanks!

reporter4u commented 3 years ago

@vernade As far as it is written in the official Apache httpd 2.4.49 change log (https://downloads.apache.org/httpd/CHANGES_2.4.49), this vulnerability is fixed:

SECURITY: CVE-2021-40438 (cve.mitre.org) mod_proxy: Server Side Request Forgery (SSRF) vulnerability [Yann Ylavic]

@participants At this point it deserves to be said that it seems this repository is no longer maintained (https://github.com/iusrepo/wishlist/issues/304), or at least not in a way that a production environment demands... The Apache httpd team released 2.4.49 on 16/9, I wrote this issue on 18/9, but since then 2.4.50 has been released (https://downloads.apache.org/httpd/CHANGES_2.4.50), fortunately only bug fixes, not CVE or security fixes.

Good luck!

carlwgeorge commented 3 years ago

I'd be happy to review a pull request that updates httpd24u to the latest upstream version.

reporter4u commented 3 years ago

I pushed a PR for 2.4.50, since this morning the Apache Httpd team officially released it in order to fix two CVEs and other bugs.

SECURITY: CVE-2021-41773
SECURITY: CVE-2021-41524

carlwgeorge commented 3 years ago

httpd24u-2.4.50-1.el7.ius is now available in the testing repository.

mister-jim commented 3 years ago

Effort much appreciated, but now it seems we also need 2.4.51: https://httpd.apache.org/security/vulnerabilities_24.html

jeffsheltren commented 3 years ago

2.4.51 is currently in IUS Testing (from https://github.com/iusrepo/httpd24u/pull/46)