possible vuln to patch in Apache HTTP Server? (version 2.4.51 and earlier)

mmerlin

mmerlin

Verified User
Joined
Jul 26, 2004
Messages
75
Location
Melbourne, Australia
Hi, are these two new vulnerabilities of any concern for plain vanilla installs of standard DA? (Apache+NGINX for httpd)

threatpost.com

Critical Apache HTTPD Server Bugs Could Lead to RCE, DoS

Don't freak: It's got nothing to do with Log4Shell, except it may be just as far-reaching as Log4j, given HTTPD's tendency to tiptoe into software projects.
threatpost.com threatpost.com

CVE-2021-44790: Possible buffer overflow when parsing a carefully crafted request in the mod_lua multipart parser of Apache HTTP Server 2.4.51 and earlier.

CVE-2021-44224: Possible NULL dereference or Server Side Request Forgery (SSRF) in forward proxy configurations
 
mmerlin said:
Hi, are these two new vulnerabilities of any concern for plain vanilla installs of standard DA? (Apache+NGINX for httpd)
Click to expand...

Apache 2.4.52

2 CVE's updates this version *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier (cve.mitre.org) A carefully crafted request body can cause a buffer overflow in the mod_lua multipart...
forum.directadmin.com forum.directadmin.com
Please be careful with updates while to many problems ....?


No answer but @DirectAdmin Support take care of the "many" httpd problems please?

apache 2.4.49,2.4.52 strange unreachable after pass few hours

Do you have CSF firewall running on your server? All our servers are installed with CSF by default, so yes
forum.directadmin.com forum.directadmin.com
 
ikkeben said:
Please be careful with updates while to many problems ....?
Click to expand...
Some do have issues, some don't. I also don't have issues. People with issues can easily revert. And at this moment people need to use the custom setting to upgrade to 2.4.52.

You can read in the other thread that DA does not use mod_lua by default.
 
Richard G said:
You can read in the other thread that DA does not use mod_lua by default.
Click to expand...

Ah ha thanks!

Good to know we are not vuln by default

Apache 2.4.52

2 CVE's updates this version *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier (cve.mitre.org) A carefully crafted request body can cause a buffer overflow in the mod_lua multipart...
forum.directadmin.com forum.directadmin.com
 
You must log in or register to reply here.
Back
Top