Apache 2.4.43

[wattie]

There are two security fixes and one memory leak:

  *) SECURITY: CVE-2020-1934 (cve.mitre.org)
     mod_proxy_ftp: Use of uninitialized value with malicious backend FTP
     server. [Eric Covener]

  *) SECURITY: CVE-2020-1927 (cve.mitre.org)
     rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
     matches and substitutions with encoded line break characters.
     The fix for CVE-2019-10098 was not effective.  [Ruediger Pluem]

  *) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]

It also includes changes from the 2.4.42 - complete changelog is listed here: https://downloads.apache.org/httpd/CHANGES_2.4.43

 

[Richard G]

Getting errors when updating:

make[1]: Leaving directory `/usr/local/directadmin/custombuild/httpd-2.4.43'
Restoring certificate and key, and turning on httpd for DirectAdmins's check.
Checking to ensure /etc/httpd/conf/ssl.crt/server.ca is set.
Enabling httpd in systemd...
httpd: Syntax error on line 51 of /etc/httpd/conf/httpd.conf: Syntax error on line 3 of /etc/httpd/conf/extra/httpd-phpmodules.conf: module systemd_module is built-in and can't be loaded

and at the end:

****
/etc/systemd/system/httpd.service has NOT been installed because of no HAVE_SYSTEMD in the otuput!!
****

LoL, also a typo in there... otuput instead of output... that came from the error notice, not from me.

Line 51 in httpd.conf is:
Include /etc/httpd/conf/extra/httpd-phpmodules.conf
So I looked on line 3 of /etc/httpd/conf/extra/httpd-phpmodules.conf which has this content:

LoadModule ruid2_module /usr/lib/apache/mod_ruid2.so
Mutex posixsem
LoadModule mpm_prefork_module /usr/lib/apache/mod_mpm_prefork.so
LoadModule php7_module /usr/lib/apache/libphp7.so

Looks like mpm_prefork is causing this issue? But never had issues before and this is default.

Why is this happening and how can I fix this?
I won't update my other servers yet because of this issue.

 

[Active8]

****
/etc/systemd/system/httpd.service has NOT been installed because of no HAVE_SYSTEMD in the otuput!!
****

had the same but everything works even after an reboot

But still saw this in the log:

Enabling httpd in systemd...
httpd: Syntax error on line 52 of /etc/httpd/conf/httpd.conf: Syntax error on line 3 of /etc/httpd/conf/extra/httpd-phpmodules.conf: module systemd_module is built-in and can't be loaded

****
httpd: Syntax error on line 52 of /etc/httpd/conf/httpd.conf: Syntax error on line 3 of /etc/httpd/conf/extra/httpd-phpmodules.conf: module systemd_module is built-in and can't be loaded
Server version: Apache/2.4.43 (Unix)

 

[Richard G]

Yep I wonder, because I don't see a syntax error, that line has been the same for a long time.
Also here everything seems to work fine, but I'd rather be sure before updating the rest.

 

[Active8]

@Richard G maybe I have found something, try to change your apache_mpm instead of auto to event (I have php-fpm), syntax error went away but this remains :

****
/etc/systemd/system/httpd.service has NOT been installed because of no HAVE_SYSTEMD in the otuput!!
****

 

[Richard G]

@Active8 I'd rather wait if this is alright. Because it's auto by default for years and I don't like making custom changes if not needed, because I will run into the same isseu on the next Apache update if I don't use custom templates for this.

You are using php-fpm, but I'm using mod_php with mod_ruid2.
Thanks for the tip anyway though.

 

[ditto]

Enabling httpd in systemd...
httpd: Syntax error on line 51 of /etc/httpd/conf/httpd.conf: Syntax error on line 3 of /etc/httpd/conf/extra/httpd-phpmodules.conf: module systemd_module is built-in and can't be loaded

I would guess it is related to this from the changelog: https://downloads.apache.org/httpd/CHANGES_2.4.43

*) mod_systemd: New module providing integration with systemd.  [Jan Kaluza]

Hopefully @smtalk will be able to make the needed changes and fix this soon.

 

[smtalk]

May you try CB 2.0 rev. 2455 ? Thank you for reporting this!

 

[Richard G]

Looks fine, did not see any errors anymore on the new server, except some error that config.in is not used anymore and config.ap should be used or something like that (or the other way around). It passed to fast for me.

 

[Active8]

Error is gone, thank you

 

[Richard G]

@smtalk This was the error line, I could copy it when updating a slow vps.
Might be something from apache itself, but just placing it here to be sure/reference:

aclocal: warning: autoconf input should be named 'configure.ac', not 'configure.in'

 

[carpin]

Same

Configuring httpd-2.4.43
aclocal: warning: autoconf input should be named 'configure.ac', not 'configure.in'
checking for chosen layout... Apache

VPS
CentOS 7.7.1908
DirectAdmin 1.60.4
CB 2458

 

[wattie]

aclocal: warning: autoconf input should be named 'configure.ac', not 'configure.in'

It's just a warning, not an error. And it's from the Apache source code.

 

[Richard G]

Oke I wasn't sure where it came from. In that case we can safely ignore it.
Thank you,.