Apache Vulnerability dated 2021-10-08 patched in NC?

Hello all

Dated 2021 Oct 9, Apache 2.450 has patched a serious vulnerability, advised to update to 2.4.51.
Advised to take the server down if not patched.

Updating to NC 21.0.5, followed by apt-get update/upgrade plus reboot
Checking version: Apache 2.4.38 (Raspbian)

  1. Is the proposed patch applied to the Raspbian version?
  2. If not: how to upgrade to the proposed Apache version?

Thanks a lot in advance
Willhelm

Hi @willhelm

In Debian, security fixes generally get backported to the current version. Therefore the main version number of a package never changes within a Debian release. The relevant number in Debian to be sure you’re on the latest patch version of a package is the one after the + sign. In this case 2.4.38-3+deb10u5

Also, older versions of Apache weren’t affected by this particular bug. Therefore no patch was needed for 2.4.38. See here for details…

https://security-tracker.debian.org/tracker/CVE-2021-41773

Hello bb77
Thanks for that detailed answer.
Dpkg log shows 2.4.38-3+deb10u6
I presume that's the latest
Thanks
Willhelm

Yes, otherwise apt should offer you a newer version. To be absolutely sure you have the newest version of a specific package installed, you could also use the Debian package search…

https://packages.debian.org/index

In case of the apache2 package 2.4.38-3+deb10u6 is the latest version for Buster

https://packages.debian.org/search?keywords=apache2&searchon=names&suite=buster&section=main

That's confirmative

https://security-tracker.debian.org/tracker/CVE-2021-42013

Buster/Security
Vulnerability is fixed

Thanks !
Willhelm

Not related to initial posting but to keep things together: Docker image is not patched now (but using older Apache is not affected by CVE-2021-41773)

Relevant issue on GitHub: