• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Issue All Domains Apache2/Error 500

Hi, I'm runnging Plesk Obsidian 18.0.38 Update 2 on Debian 9.13 and the following updates are available:
apache2 2.4.25-3+deb9u11
apache2-bin 2.4.25-3+deb9u11
apache2-data 2.4.25-3+deb9u11
apache2-utils 2.4.25-3+deb9u11

Is it safe to update or should I wait?

Version 2.4.25-3+deb9u11 contains the fix for UDS paths (see [Apache-SVN] Revision 1893519) so it should be safe to update, it should not break anything.

In case of problems you can downgrade again as follows:
# export version="2.4.25-3+deb9u10"; apt-get install apache2=$version apache2-utils=$version apache2-data=$version apache2-bin=$version
 
  • Like
Reactions: mow
Version 2.4.25-3+deb9u11 contains the fix for UDS paths (see [Apache-SVN] Revision 1893519) so it should be safe to update, it should not break anything.

In case of problems you can downgrade again as follows:
# export version="2.4.25-3+deb9u10"; apt-get install apache2=$version apache2-utils=$version apache2-data=$version apache2-bin=$version

I updated all the apache packages, everything works as expected.

All the updates where from deb9u10 to deb9u11.
 
Thanks... this confirms my "fears". Now I'm puzzled about completely disabling all security updates too - I know it's clearly not recommended, but it's unacceptable to lose an entire server overnight like that
Thing is, missing security updates could mean losing the server to someone else, and that would be worse than some downtime.
 
If anyone has updated to Apache 2.4.49 or 2.4.50, please update to 2.4.51 right away. There are a couple of security vulnerabilities on Apache 2.4.49. These warnings are being sent out on the Apache mailing list:

CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49​

Severity: important

Description:

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root.

If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.

This issue is known to be exploited in the wild.

This issue only affects Apache 2.4.49 and not earlier versions.

CVE-2021-41524: Apache HTTP Server: null pointer dereference in h2 fuzzing​

Severity: moderate

Description:

While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing,
allowing an external source to DoS the server. This requires a specially crafted request.

The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.

Mitigation:

Disable the HTTP/2 protocol.

______________________________________

The links provided explain that these vulnerabilities are fixed, the latter in Apache 2.4.50 and the former in Apache 2.4.51:


Thus I would recommend updating immediately to Apache 2.4.51 if you have updated to Apache 2.4.49 or 2.4.50 in the meantime.
 
Back
Top