Vulnerability Apache2

On Univention 4.4 or 5.0 using an old apache2 version: UCS 4.4 uses apache 2.4.25, which has the vulnerability CVE-2017-7668. How can I solve it, to avoid this vulnerability in my environment?
Can I update apache2 to the latest version 2.4.48 with the system still running successfully?

Hello,

CVE-2017-7668 was patched via Errata 4.2-3.324. Please note that the version numbering can differ, so to see if a vulnerability persists I would recommend searching for it like so:
https://errata.software-univention.de/#/?search=CVE-2017-7668

Best regards

2 Likes

Thank you sir, sorry, my mistake: my vulnerability is CVE-2021-31618 (Apache 2.4.x < 2.4.48 Vulnerability)

"The version of Apache httpd installed on the remote host is prior to 2.4.48. It is, therefore, affected by a
vulnerability as referenced in the 2.4.48 changelog.

  • mod_http2: Fix a potential NULL pointer dereference (CVE-2021-31618)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version
number."

Installed version : 2.4.25
Fixed version : 2.4.48

On Univention 4.4 the latest apache2 version is 2.4.25; Nessus suggests that I update apache2 to 2.4.48. Can I do it?

As I advised, you should search for the CVE in the errata search; for CVE-2021-31618 this would be https://errata.software-univention.de/#/?search=CVE-2021-31618
As you can see, the vulnerability was fixed with errata 5.0-0.45 for UCS 5 and errata 4.4-8.1008 for UCS 4.

Nessus indicates that it only checked the package version number.

So the vulnerability was patched and there is no need to update the package, as the version number does not indicate the patch level.

4 Likes
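Because a backported security fix leaves the upstream version string unchanged (2.4.25 stays 2.4.25), a version-only scanner result tells you nothing about the patch level. The check that does tell you is the package's Debian changelog, which lists the CVE identifiers each revision fixes. The following script is an added example, not code from the forum thread or from Univention; the changelog content, the maintainer address and the revision strings in it are constructed for illustration, and only the CVE identifiers already named in this thread are used.

```shell
#!/bin/sh
# Added example: look up whether a CVE is listed in a Debian-format package
# changelog, which is how a backported fix is recorded on Debian-based systems
# such as UCS. Nothing here is the project's own tooling.

# cve_fixed_in_changelog CVE-ID CHANGELOG_FILE
# Prints the package revision of the first changelog entry mentioning the CVE
# and returns 0; prints nothing and returns 1 if the CVE is not mentioned.
cve_fixed_in_changelog() {
    cve="$1"
    changelog="$2"
    awk -v cve="$cve" '
        # Entry header line: "<package> (<version>) <suite>; urgency=<level>"
        /^[a-z0-9][a-z0-9.+-]* \(/ { version = $2; gsub(/[()]/, "", version) }
        # First body line that names the CVE decides the answer
        index($0, cve) > 0 { print version; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$changelog"
}

# Constructed sample changelog (illustrative revisions and maintainer, not copied
# from the real apache2 package).
SAMPLE_CHANGELOG="$(mktemp)"
cat > "$SAMPLE_CHANGELOG" <<'EOF'
apache2 (2.4.25-3+deb9u11) stretch-security; urgency=high

  * mod_http2: fix a potential NULL pointer dereference (CVE-2021-31618)

 -- Example Maintainer <maintainer@example.org>  Mon, 07 Jun 2021 10:00:00 +0000

apache2 (2.4.25-3+deb9u2) stretch-security; urgency=high

  * Fix CVE-2017-7668

 -- Example Maintainer <maintainer@example.org>  Mon, 19 Jun 2017 10:00:00 +0000
EOF

# On a real host, feed the installed package's own changelog instead:
#   zcat /usr/share/doc/apache2/changelog.Debian.gz > changelog.txt
#   dpkg-query -W -f='${Version}\n' apache2   # e.g. 2.4.25-3+deb9u11
if rev=$(cve_fixed_in_changelog CVE-2021-31618 "$SAMPLE_CHANGELOG"); then
    echo "CVE-2021-31618: fixed in package revision $rev"
else
    echo "CVE-2021-31618: not mentioned in changelog, treat as unpatched"
fi
```

The Debian revision suffix (the part after the hyphen, such as `3+deb9u11`) is what actually advances when a fix is backported, so comparing that string against the revision named in the distribution's security tracker or errata entry is the meaningful version check; comparing the upstream `2.4.x` number alone, as the scanner did, will keep flagging a patched host.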

Thank you, very helpful.

1 Like

There was a new Apache vulnerability published, CVE-2021-41773. Is there any estimated errata update for closing this?

CVE-2021-41773 only affects Apache 2.4.49 and not earlier versions. UCS4 still uses Apache 2.4.25 and UCS5 Apache 2.4.38.

1 Like

2.4.38 is also known for multiple vulnerabilities like CVE-2020-11984. So there is no ETA for 2.4.50?

It's already fixed in 2.4.38-3+deb10u5A, see

https://security-tracker.debian.org/tracker/CVE-2020-11984

The problem with this approach is that there are customers who want to have security notifications sent on regular scans… if we handle it like this… we always need to recheck each added vulnerability (added to the Nessus DB)…

Please do not duplicate your posts as this topic is already resolved. I have answered in your original post: https://help.univention.com/t/apache-needs-to-be-updated-more-regularly
