Apache 2.4.51 and earlier vulnerabilities

Keywords: WordPress Multisite - Virtual Machines - How to - Services (Apache, MariaDB, MySQL…)

Description:

I am running a Bitnami WordPress Multisite stack installed on an Azure Virtual Machine.
My stack is running Apache 2.4.43. There have been two recently disclosed vulnerabilities that affect Apache versions 2.4.7 - 2.4.51.

They are reported on Apache's website: CVE-2021-44224 and CVE-2021-44790
https://httpd.apache.org/security/vulnerabilities_24.html

The most up-to-date version of the WordPress Multisite offered for Azure VMs deploys with Apache 2.4.51, which is still vulnerable to both issues.

Will you be releasing a patch for your WP Multisite stack? Do you know if the default Apache configuration is vulnerable to either?
I am not running a forward proxy, so I think I would only be vulnerable to the 2nd exploit. I don’t see mod_lua in the list of installed modules,
so I am safe to assume the stack isn’t vulnerable to that exploit either?

Hello @rd-webmaster,

The default configuration is not affected, and we are not including mod_lua, so you are safe. Anyway, we are working on a new release that will ship Apache 2.4.52. Hopefully, it will be released today.

Regards
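The check discussed in the question and answer above (Apache version, whether mod_lua is loaded, whether the server acts as a forward proxy) can be scripted; this is an added example, not code from Bitnami or from the posters. It assumes the usual `httpd -v` and `httpd -M` output formats, treats "mod_lua loaded" as a coarse indicator for CVE-2021-44790, and the sample input and the config path placeholder are constructed.

```shell
#!/bin/sh
# Coarse exposure check for CVE-2021-44224 and CVE-2021-44790 (fixed in 2.4.52).
# Inputs are plain text so the logic also works on captured output:
#   $1 = output of `httpd -v`, $2 = output of `httpd -M`, $3 = httpd config text

# Extract N from "Apache/2.4.N"; prints nothing if this is not a 2.4.x build.
patch_level() {
    printf '%s\n' "$1" | sed -n 's|.*Apache/2\.4\.\([0-9][0-9]*\).*|\1|p' | head -n 1
}

# True if mod_lua appears in the loaded-module list.
has_mod_lua() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*lua_module([[:space:]]|$)'
}

# True if an uncommented "ProxyRequests On" directive is present (forward proxy).
is_forward_proxy() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+On([[:space:]]|$)'
}

# Print one verdict: patched, not-exposed, unknown-version, or the CVE ids.
assess() {
    p=$(patch_level "$1")
    [ -n "$p" ] || { echo "unknown-version"; return; }
    if [ "$p" -ge 52 ]; then echo "patched"; return; fi
    r=""
    # CVE-2021-44224: 2.4.7 through 2.4.51, only when acting as a forward proxy.
    if [ "$p" -ge 7 ] && is_forward_proxy "$3"; then r="CVE-2021-44224"; fi
    # CVE-2021-44790: 2.4.51 and earlier, only when mod_lua is loaded.
    if has_mod_lua "$2"; then r="${r:+$r }CVE-2021-44790"; fi
    echo "${r:-not-exposed}"
}

# Constructed sample resembling the stack in the question (2.4.43, no mod_lua).
SAMPLE_MODS=' core_module (static)
 proxy_module (shared)
 rewrite_module (shared)'
assess 'Server version: Apache/2.4.43 (Unix)' "$SAMPLE_MODS" '# ProxyRequests On'

# On a live host (config path is a placeholder for your installation):
#   assess "$(httpd -v)" "$(httpd -M 2>/dev/null)" "$(cat /path/to/httpd.conf)"
```

Configuration pulled in through `Include` directives is not followed, so pass the concatenated text of all included files as the third argument.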

Hello,

Can I also check when the related updates will be out for the Redmine Stack as well?

Thank you so much for your timely reply. I will plan to migrate to the new release shortly, but it’s good to know my current stack is safe!

Hi @acerace,

The latest version of Redmine already ships Apache 2.4.52.

Regards

Hi @davidg,

Can I check which update this was? As of right now I’m seeing that the last Apache Upgrade on Bitnami Redmine was on v4.2.3-0, shipping Apache 2.4.51. Newer versions have not upgraded Apache, at least not according to the changelogs.

Thanks a lot.

Hello @acerace,

Redmine 4.2.3-3 ships Apache 2.4.52.
https://bitnami.com/stack/redmine/installer

Regards
