If anyone has updated to Apache 2.4.49 or 2.4.50, please update to 2.4.51 right away. There are a couple of security vulnerabilities on Apache 2.4.49. These warnings are being sent out on the Apache mailing list:
CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49
Severity: important
Description:
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root.
If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.
This issue is known to be exploited in the wild.
This issue only affects Apache 2.4.49 and not earlier versions.
CVE-2021-41524: Apache HTTP Server: null pointer dereference in h2 fuzzing
Severity: moderate
Description:
While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing,
allowing an external source to DoS the server. This requires a specially crafted request.
The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.
Mitigation:
Disable the HTTP/2 protocol.
______________________________________
The links provided explain that these vulnerabilities are fixed, the latter in Apache 2.4.50 and the former in Apache 2.4.51:
Thus I would recommend updating immediately to Apache 2.4.51 if you have updated to Apache 2.4.49 or 2.4.50 in the meantime.
Facebook
Twitter
