Issue Apache CVE-2021-44224 / 44790

[simon jiang]

Hello, everyone, my mother tongue is not English. If I am not sure about the expression, I apologize to you.

Apache has released new vulnerabilities and patched versions. Does this vulnerability affect Plesk?
If so, when will the Plesk update package be released?

Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project

 

[learning_curve]

Apache has released new vulnerabilities and patched versions. Does this vulnerability affect Plesk?
If so, when will the Plesk update package be released?

This is an OS problem, not a Plesk problem.

In our case, Ubuntu will backport the fixes to the Apache release that they used for each of their OS releases, but in due course...
They haven't done that yet (at the time of this post) but they will / normally always do

CVE-2021-44224 | Ubuntu

Ubuntu is an open source software operating system that runs from the desktop, to the cloud, to all your internet connected things.

ubuntu.com

CVE-2021-44790 | Ubuntu

Ubuntu is an open source software operating system that runs from the desktop, to the cloud, to all your internet connected things.

ubuntu.com

So, you'll need to follow this up with whichever OS you're using.

 

[simon jiang]

This is an OS problem, not a Plesk problem.

In our case, Ubuntu will backport the fixes to the Apache release that they used for each of their OS releases, but in due course...
They haven't done that yet (at the time of this post) but they will / normally always do

CVE-2021-44224 | Ubuntu

Ubuntu is an open source software operating system that runs from the desktop, to the cloud, to all your internet connected things.

ubuntu.com

CVE-2021-44790 | Ubuntu

Ubuntu is an open source software operating system that runs from the desktop, to the cloud, to all your internet connected things.

ubuntu.com

So, you'll need to follow this up with whichever OS you're using.

Sorry, I would like to ask you again, my OS is CentOS: 7.7.1908
Apache/2.4.6 (CentOS)

Is there a way to upgrade to Apache 2.4.52?

 

[learning_curve]

~~ my OS is CentOS: 7.7.1908 Apache/2.4.6 (CentOS)

Is there a way to upgrade to Apache 2.4.52?

As stated previously and confirmed in our forum sig, we use Ubuntu for OS, we don't use CentOS, so we can't answer this question sorry.
Plesk supports Apache 2.4 as stated here: Software Requirements for Plesk Onyx
However, your actual question... is about Apache 2.4 updates, when using CentOS as the OS on your server.
Other Plesk users who also use CentOS might post an answer here, but you should really follow this up on CentOS forums first of all.

 

[Monty]

Redhat (the upstream of CentOS 7) backports security vulnerabilities to their packages, but the software version will not change:

What is backporting, and how does it apply to RHEL and other Red Hat products?

Version numbers are important, but aren't always what they seem at first glance. Red Hat, for example, often backports updates to the software we ship in Red Hat Enterprise Linux (RHEL) to maintain the version that we shipped.

www.redhat.com

Regarding CVE-2021-44224, please see here:

cve-details

access.redhat.com

So to summarize: Apache httpd that comes with CentOS 7 is not affected.

 

[simon jiang]

Redhat (the upstream of CentOS 7) backports security vulnerabilities to their packages, but the software version will not change:

What is backporting, and how does it apply to RHEL and other Red Hat products?

Version numbers are important, but aren't always what they seem at first glance. Red Hat, for example, often backports updates to the software we ship in Red Hat Enterprise Linux (RHEL) to maintain the version that we shipped.

www.redhat.com

Regarding CVE-2021-44224, please see here:

cve-details

access.redhat.com

So to summarize: Apache httpd that comes with CentOS 7 is not affected.

Thank you for your reply, sorry for the trip last week, I will continue to look for answers, and I will share with you new information. thank you all.