Issue All Domains Apache2/Error 500

[Monty]

Hi, I'm runnging Plesk Obsidian 18.0.38 Update 2 on Debian 9.13 and the following updates are available:
apache2 2.4.25-3+deb9u11
apache2-bin 2.4.25-3+deb9u11
apache2-data 2.4.25-3+deb9u11
apache2-utils 2.4.25-3+deb9u11

Is it safe to update or should I wait?

Version 2.4.25-3+deb9u11 contains the fix for UDS paths (see [Apache-SVN] Revision 1893519) so it should be safe to update, it should not break anything.

In case of problems you can downgrade again as follows:
# export version="2.4.25-3+deb9u10"; apt-get install apache2=$version apache2-utils=$version apache2-data=$version apache2-bin=$version

 

[Akrolis]

Version 2.4.25-3+deb9u11 contains the fix for UDS paths (see [Apache-SVN] Revision 1893519) so it should be safe to update, it should not break anything.

In case of problems you can downgrade again as follows:
# export version="2.4.25-3+deb9u10"; apt-get install apache2=$version apache2-utils=$version apache2-data=$version apache2-bin=$version

I updated all the apache packages, everything works as expected.

All the updates where from deb9u10 to deb9u11.

 

[kama]

@kama Yes, it should be safe. The 2.4.41-4 release contains the bugfix for the UDS URIs, see: 2.4.41-4ubuntu3.6 : apache2 package : Ubuntu

thank you!

 

[mow]

Thanks... this confirms my "fears". Now I'm puzzled about completely disabling all security updates too - I know it's clearly not recommended, but it's unacceptable to lose an entire server overnight like that

Thing is, missing security updates could mean losing the server to someone else, and that would be worse than some downtime.

 

[kama]

Hi, I confirm that the updates have not caused any damage!

 

[johnrdorazio]

If anyone has updated to Apache 2.4.49 or 2.4.50, please update to 2.4.51 right away. There are a couple of security vulnerabilities on Apache 2.4.49. These warnings are being sent out on the Apache mailing list:

CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49​

Severity: important

Description:

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root.

If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.

This issue is known to be exploited in the wild.

This issue only affects Apache 2.4.49 and not earlier versions.

CVE-2021-41524: Apache HTTP Server: null pointer dereference in h2 fuzzing​

Severity: moderate

Description:

While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing,
allowing an external source to DoS the server. This requires a specially crafted request.

The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.

Mitigation:

Disable the HTTP/2 protocol.

______________________________________

The links provided explain that these vulnerabilities are fixed, the latter in Apache 2.4.50 and the former in Apache 2.4.51:

Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project

Thus I would recommend updating immediately to Apache 2.4.51 if you have updated to Apache 2.4.49 or 2.4.50 in the meantime.