Apache Vulnerability dated 2021-10-08 patched in NC?

Hello all

Dated 2021 okt 9, Apache 2.450 has patched a serious vulnerability, advised to update to 2.4.51.
Advised to take the server down if not patched.

Updating to NC 21.0.5, followed by apt-get update/upgrade plus reboot
Cheking version : Apache 2.4.38 (Raspbian)

  1. Is the proposed patch applied to the Raspian version
  2. If not: how to upgrade to the proposed Apache version

Thanks a lot in advance

Hi @willhelm

In Debian security fixes generally get backported to the current version. Therfore the main version number of a package never changes within a Debian release. The relevant number in Debian to be sure you’re on the latest patch version of a package, is the one after the + sign. In this case 2.4.38-3+deb10u5

Also older versions of Apache weren’t affected by this particular bug. Therfore no patch was nededed for 2.4.38. See here for details…


Hello bb77
Thanks for that detailed answer.
Dpkg log show 2.4.38-3+deb10u6
I presume thats the latest

Yes, otherwise apt should offer you a newer version. To be absolutley sure you have the newest version of a specific package installed, you could also use the Debian package search…


In case of the apache2 package 2.4.38-3+deb10u6 is the latest version for Buster


Thats confirmative


Vulnerability is fixed

Thanks !

1 Like

not related to initial posting but to keep things together: Docker image is not patched now (but using older Apache is not affected by CVE-2021-41773)

relevant Issue on Github: