At noon today, I saw netizens in the group discussing the release of the new Apache HTTP Server 2.4.51 and the recommendation to upgrade. If a server is running an earlier version, it may need a security upgrade. This release addresses a security vulnerability: the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was incomplete, resulting in a new vulnerability, CVE-2021-42013. An attacker can use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.
Files outside those directories that are not covered by the default "require all denied" configuration can then be reached by the traversal. If CGI scripts are also enabled for these aliased paths, remote code execution is possible.
Affected versions:
This vulnerability affects Apache 2.4.49 and Apache 2.4.50. Earlier versions are not affected, so sometimes we are safe without upgrading. Of course, it is still better to stay on the latest version.
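A small audit sketch for the two conditions described above: the affected versions and the root "require all denied" setting. It is an added example, not code from the Apache project; the function names, the sample banner and the sample configs are constructed for illustration, and it assumes a single config file with no Include directives.

```python
import re

AFFECTED = {(2, 4, 49), (2, 4, 50)}   # the releases the article lists as affected
FIXED = "2.4.51"

def parse_version(banner):
    """Pull (major, minor, patch) out of `httpd -v` output or a Server header."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(map(int, m.groups())) if m else None

def root_is_denied(conf_text):
    """True if the <Directory /> block has 'Require all denied' and no 'granted'."""
    in_root = denied = granted = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        if re.fullmatch(r'<Directory\s+"?/"?\s*>', line, re.I):
            in_root = True
        elif re.fullmatch(r"</Directory\s*>", line, re.I):
            in_root = False
        elif in_root:
            m = re.fullmatch(r"Require\s+all\s+(denied|granted)", line, re.I)
            if m and m.group(1).lower() == "denied":
                denied = True
            elif m:
                granted = True                    # any grant opens the root up
    return denied and not granted

def assess(banner, conf_text):
    """Combine the version check with the root-directory check."""
    version = parse_version(banner)
    if version is None:
        return "unknown version"
    if version not in AFFECTED:
        return "not affected"
    if root_is_denied(conf_text):
        return "affected, root denied: upgrade to " + FIXED
    return "affected, root NOT denied: upgrade to " + FIXED + " urgently"

# Constructed sample inputs, not taken from a real server.
SAMPLE_BANNER = "Server version: Apache/2.4.50 (Unix)"
SAMPLE_HARDENED = '<Directory />\n    AllowOverride none\n    Require all denied\n</Directory>\n<Directory "/usr/local/apache2/htdocs">\n    Require all granted\n</Directory>\n'
SAMPLE_WEAK = SAMPLE_HARDENED.replace("Require all denied", "Require all granted")

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_HARDENED))
    print(assess(SAMPLE_BANNER, SAMPLE_WEAK))
```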
Fixing the problem:
Apache HTTP Server 2.4.51 has been released. 2.4.51 mainly fixes the security problem found in 2.4.50, so the main changes are those made in 2.4.50, which include security fixes, bug fixes, and feature enhancements:
1. mod_rewrite: fix the UDS ("unix:") scheme for [P] rules
2. event MPM: if a child process stops because of MaxConnectionsPerChild, the parent process now counts the active child processes correctly
3. mod_http2: when a server is gracefully restarted, any idle h2 worker threads are shut down immediately. In addition, OpenSSL API usage has been changed to account for deprecations in OpenSSL 3.0, and all other changes have been added.
4. mod_dav: correctly handle errors returned by dav providers in REPORT requests
5. core: do not install core I/O filters on secondary connections
6. core: add ap_pre_connection() as a wrapper around ap_run_pre_connection() to prevent a failure to run the pre_connection hooks from causing a crash afterwards
7. mod_speling: add CheckBasenameMatch (PR 44221)
If we need to upgrade, remember to back up the data first.