Dated 2021 Oct 9, Apache 2.4.50 has patched a serious vulnerability, advised to update to 2.4.51.
Advised to take the server down if not patched.
Updating to NC 21.0.5, followed by apt-get update/upgrade plus reboot
Checking version: Apache 2.4.38 (Raspbian)
Is the proposed patch applied to the Raspbian version?
If not: how to upgrade to the proposed Apache version?
Thanks a lot in advance
In Debian, security fixes generally get backported to the current version. Therefore the main version number of a package never changes within a Debian release. The relevant number in Debian, to be sure you’re on the latest patch version of a package, is the one after the + sign. In this case 2.4.38-3+
Also, older versions of Apache weren’t affected by this particular bug. Therefore no patch was needed for 2.4.38. See here for details…
Thanks for that detailed answer.
Dpkg log shows 2.4.38-3+deb10u6
I presume that's the latest
Yes, otherwise apt should offer you a newer version. To be absolutely sure you have the newest version of a specific package installed, you could also use the Debian package search…
In the case of the apache2 package, 2.4.38-3+deb10u6 is the latest version for Buster
Vulnerability is fixed
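The version-reading rule from the answers above, as an added example that is not part of the original thread: a POSIX shell script that splits a Debian version string into the frozen upstream release and the Debian revision where backported fixes are counted. The function names are hypothetical, and `2.4.38-3+deb10u5` is a constructed sample value.

```shell
#!/bin/sh
# Added example (not from the thread). Debian version layout:
#   [epoch:]upstream[-revision], e.g. 2.4.38-3+deb10u6

# Upstream release: frozen for the lifetime of a Debian release.
upstream_of() {
    v=${1#*:}                              # drop an optional "epoch:" prefix
    case $v in
        *-*) printf '%s\n' "${v%-*}" ;;    # revision follows the last hyphen
        *)   printf '%s\n' "$v" ;;         # native package, no revision
    esac
}

# Debian revision: this is where backported fixes show up.
revision_of() {
    v=${1#*:}
    case $v in
        *-*) printf '%s\n' "${v##*-}" ;;
        *)   printf '\n' ;;
    esac
}

# Counter N from a "+debXuN" stable-update suffix, or 0 if there is none.
update_level_of() {
    r=$(revision_of "$1")
    case $r in
        *+deb*u[0-9]*) n=${r##*u}                    # text after the last "u"
                       printf '%s\n' "${n%%[!0-9]*}" ;;  # keep leading digits only
        *)             printf '0\n' ;;
    esac
}

describe() {
    printf '%s: upstream %s, Debian revision %s, stable update %s\n' \
        "$1" "$(upstream_of "$1")" "$(revision_of "$1")" "$(update_level_of "$1")"
}

describe '2.4.38-3+deb10u6'    # version reported in the thread
describe '2.4.38-3+deb10u5'    # constructed sample: same upstream, one update behind

# On a Debian/Raspbian host, describe the apache2 package actually installed.
if command -v dpkg-query >/dev/null 2>&1; then
    installed=$(dpkg-query -W -f='${Version}' apache2 2>/dev/null || true)
    if [ -n "$installed" ]; then describe "$installed"; fi
fi
```

To order two full version strings on a real host, `dpkg --compare-versions` applies Debian's complete comparison rules.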
not related to initial posting but to keep things together:
Docker image is not patched now (but using older Apache is not affected by CVE-2021-41773)
relevant issue on GitHub:
03:11AM - 06 Oct 21 UTC
I am using the `nextcloud-apache` image and got a little bit nervous after heari