Apache vulnerability CVE-2020-11993

Hello, I’m running UCS version 5.0-2 errata492 with Nextcloud 24.0.7-1.

We had a security audit and the guy told us that our server is running Apache 2.4.38, which is vulnerable to CVE-2020-11993. He recommends that we upgrade Apache to version 2.4.54 or higher.

Can anyone help me with that, please? Has anyone upgraded Apache without the UCS GUI?

Here is the output on my server
root@cloud:~# dpkg -l | grep apache
ii apache2 2.4.38-3+deb10u8A~5.0.2.202209111835 amd64 Apache HTTP Server
ii apache2-bin 2.4.38-3+deb10u8A~5.0.2.202209111835 amd64 Apache HTTP Server (modules and other binary files)
ii apache2-data 2.4.38-3+deb10u8A~5.0.2.202209111835 all Apache HTTP Server (common files)
ii apache2-suexec-pristine 2.4.38-3+deb10u8A~5.0.2.202209111835 amd64 Apache HTTP Server standard suexec program for mod_suexec
ii apache2-utils 2.4.38-3+deb10u8A~5.0.2.202209111835 amd64 Apache HTTP Server (utility programs for web servers)
ii libapache2-mod-authnz-pam 1.2.0-1 amd64 PAM authorization checker and PAM Basic Authentication provider
ii libapache2-mod-php7.0 7.0.33-0+deb9u10 amd64 server-side, HTML-embedded scripting language (Apache 2 module)
ii libapache2-mod-php7.3 7.3.31-1~deb10u1 amd64 server-side, HTML-embedded scripting language (Apache 2 module)
rc libapache2-mod-wsgi 4.5.11-1 amd64 Python WSGI adapter module for Apache
ii libapache2-mod-wsgi-py3 4.6.5-1+deb10u1 amd64 Python 3 WSGI adapter module for Apache
ii univention-apache 12.0.1-1A~5.0.0.202203041803 all UCS - Apache2 configuration
ii univention-apache-vhost 12.0.1-1A~5.0.0.202203041803 all UCS - Apache2 vhost
root@cloud:~#

Thanks !

Your apache2 is already patched for this
see CVE-2020-11993
rg


Ha, thanks for the link, I appreciate it!

My normal advice is to go to https://errata.software-univention.de/ and there search for the CVE yourself. In your case that will not find an erratum.

Next would be to go to our bug tracker and search there; begin the search with ALL to extend the search to already closed bugs. But again: nothing.

Next is to look at Debian, as UCS is based on it: there CVE-2020-11993 is listed as fixed in version 2.4.38-3+deb10u4; please note that it is Debian's policy to not upgrade a package to the latest version but to backport the fix to the older version which was released with Debian-10-Buster; this is done by Debian to guarantee ABI stability, as upgrading to a newer version might break other things.

That version also explains why there is no erratum from UCS, as 5.0-0 was already released with version 2.4.38-3+deb10u4; erratum 45 for apache2 was already for the later version 2.4.38-3+deb10u5.

So UCS 5.0-0 and later are already safe from CVE-2020-11993.

PS: Debian's policy to backport fixes to older versions breaks most security scanners, as they only check for the latest upstream version and do not know anything about backports to older versions.
