httpd 2.4.49

[cjd]

Update released:

Apache HTTP Server CVE-2021-41773 Exploited in the Wild | Rapid7 Blog

On Monday, October 4, 2021, Apache published an advisory on an unauthenticated remote file disclosure vulnerability in the HTTP Server version 2.4.29.

www.rapid7.com

https://downloads.apache.org/httpd/CHANGES_2.4.51

 

[k1l0b1t]

it's out on CB as well

 

[Richard G]

I've got on one server after updating:

Restarting apache.
Job for httpd.service invalid.

On another server:

Restarting apache.
Job for httpd.service canceled.

So one invalid on one server and one job canceled on the other.

All seems to work fine, if I manually restart http this notice is not appearing anymore. Any idea's where it was coming from?

 

[Ohm J]

@Richard G
sometime I see apache restart with leave a token "|PORT_80|" around line 34 inside httpd.conf, so this make failed restart

maybe cause by long running restart jobs on failed ?

but it still success when end jobs (it 2 restart apache)

 

[Richard G]

Thank you.
Well it did restart correctly, at least everything was running. It didn't run that long either because yesterday I updated to 2.4.50 so it ran only one day.
But as long as I don't need to worry, I don't mind.

 

[Kal]

Where is the DA team on this? No updates? CB issued a rollback update, but no communication.

I agree, it would have been great to have some communication from DA about the downgrade to 2.4.48. Since 2.4.49 was working for me, I temporarily silenced the upgrade notifications. Mistake. It turns out both 2.4.49 and 2.4.50 had a critical security vulnerability that didn't affect earlier versions. 2.4.51 fixes it.