Let it Bleed
Phew - our freshly updated Debian 10 based servers are still on 2.4.38.
No edgy nervous breakdowns for us.
The Apache Software Foundation has hurried out a patch to address a pair of HTTP Web Server vulnerabilities, at least one of which is already being actively exploited. Apache's HTTP Server is widely used, and the vulnerabilities, CVE-2021-41524 and CVE-2021-41773, aren't great. The latter, a path traversal and file disclosure …
Same for our internal VisualSVN Server!
Glad to see that isn't vulnerable. It's not a shadow IT installation, but it's pretty far in the shade (tacitly supported by local IT on one of the few in-house servers left, maintained by an Engineering group, if corporate IT took notice, it'd go away because they're in "everything to the cloud" mode).
Would be surprised if more than 0.01% of Apache servers out there run that latest (affected) version. Ubuntu 20 for example runs 2.4.41. Can't remember the last time I felt a need to upgrade Apache (as in to get some feature or specific fix for an issue I had), I mean it's done everything I need going back to what was it 1.3 version or maybe even earlier. Last time I built Apache from source was probably late 90s.
Having run Apache for about 18 years at home, and built from source in the last 12 years, the default httpd.conf has (ignore blank lines):
Require all denied
Unless you override this then you need to know what you're doing (or not, it seems if some people are being hit with this).
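A check for the default mentioned in the last comment, as an added example that is not part of the original thread: it reads httpd.conf text and reports whether the root directory block still carries Require all denied. The sample configs and the function name are constructed, and it assumes the directive sits in a <Directory /> block, which the comment does not show.

```python
import re

# Constructed sample configs (not taken from the thread).
DEFAULT_STYLE = """\
# root of the filesystem
<Directory />
    AllowOverride none
    Require all denied
</Directory>

<Directory "/var/www/html">
    Require all granted
</Directory>
"""

OVERRIDDEN = """\
<Directory "/">
    Options FollowSymLinks
    Require all granted
</Directory>
"""

# \s+ after "Directory" keeps <DirectoryMatch ...> from matching.
OPEN_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>', re.I)
CLOSE_RE = re.compile(r'</Directory\s*>', re.I)
REQUIRE_RE = re.compile(r'Require\s+all\s+(granted|denied)\b', re.I)


def root_access_policy(conf_text):
    """Return 'denied', 'granted' or 'missing' for the <Directory /> block.

    Hypothetical helper: reads one file's text only and does not follow
    Include directives or evaluate .htaccess overrides.
    """
    current = None          # path of the <Directory> block being read
    policy = "missing"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            current = m.group(1)
        elif CLOSE_RE.match(line):
            current = None
        elif current == "/" and (m := REQUIRE_RE.match(line)):
            policy = m.group(1).lower()   # the last directive in the block wins
    return policy
```

A result of 'granted' or 'missing' means the root-level deny is not in place in that file and the rest of the configuration needs a manual review.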