Apache2 - 2.4.62
Keith
keithw at caramail.com
Tue Apr 29 02:05:54 UTC 2025
On 4/28/25 7:27 PM, Jerry Geis wrote:
>
>
> On Mon, Apr 28, 2025 at 5:24 PM Robert Heller <heller at deepsoft.com> wrote:
>
>
>
> At Mon, 28 Apr 2025 16:30:16 -0400 "Ubuntu user technical support,
> not for general discussions" <ubuntu-users at lists.ubuntu.com> wrote:
>
> >
> > On Mon, Apr 28, 2025 at 4:14 PM Colin Law <clanlaw at gmail.com> wrote:
> >
> > > On Mon, 28 Apr 2025 at 19:04, Jerry Geis <jerry.geis at gmail.com> wrote:
> > >
> > >>
> > >> Curious - Why the updated apache would not be in the normal "update"
> > >> process. Especially since there is a CVE for it.
> > >> Why would I have to load a different repo?
> > >>
> > >
> > >
> > > Which CVE is that? If it is serious then I would expect it to be patched
> > > in the official Ubuntu release.
> > >
> > > Colin L.
> > >
> > > --
> > > ubuntu-users mailing list
> > > ubuntu-users at lists.ubuntu.com
> > > Modify settings or unsubscribe at:
> > > https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
> >
> >
> > One of them was CVE-2024-36387.
> > The website (https://ubuntu.com/security/CVE-2024-36387) says fixed - but
> > the scan was flagging it as an issue.
> >
> > When I did "apache2 --version" this did not show 2.4.58-1ubuntu8.2 (which
> > is their version saying it was fixed in)
> > only 2.4.58
>
> "apache2 --version" is not likely to show the Ubuntu package version.
>
> What does:
>
> dpkg-query -l apache2
>
> show?
>
> >
> > Jerry
> >
>
> --
> Robert Heller -- Cell: 413-658-7953 GV: 978-633-5364
> Deepwoods Software -- Custom Software Services
> http://www.deepsoft.com/ -- Linux Administration Services
> heller at deepsoft.com -- Webhosting Services
>
>
>
>
>
> Server version: Apache/2.4.58 (Ubuntu)
> Server built:   2025-04-03T14:36:49
>
> root at lsi008a:~# dpkg-query -l apache2
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name           Version           Architecture Description
> +++-==============-=================-============-=================================
> ii  apache2        2.4.58-1ubuntu8.6 amd64        Apache HTTP Server
>
>
> So does the "scan" tool not know the actual version?
>
> Jerry
>
The majority of packages in any of the archives don't get version bumps to
fix bugs, security related or not. What usually happens is that security
patches get backported to the existing version in the archive. The
update is to the package version rather than the program version.
Use "apt changelog apache2" to see what changes have been made to the
apache2 package and see what security patches have been applied to fix
the relevant CVEs.
$ apt changelog apache2
...
apache2 (2.4.58-1ubuntu8.2) noble-security; urgency=medium
* SECURITY UPDATE: null pointer dereference when serving WebSocket
protocol upgrades over a HTTP/2
- debian/patches/CVE-2024-36387.patch: early exit if bb is null in
modules/http2/h2_c2.c.
- CVE-2024-36387
That update with the security fix for CVE-2024-36387 (among others) was
released July 4, 2024. If your scanner is simply checking for a newer
program version to see if the program is vulnerable or not, then it's going
to give false positives for vulnerabilities even though apache2 was
patched to fix them.
--
Keith
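An added example (not code from this thread or from Ubuntu) showing the two checks in Keith's point: a banner-only comparison of the upstream version versus a comparison of the full Debian package version against the fix version from the changelog. It reimplements dpkg's version ordering in Python (epoch, upstream, revision, with "~" sorting first) so it runs without dpkg; 2.4.58-1ubuntu8.6 and 2.4.58-1ubuntu8.2 come from the thread, and 2.4.62 (the subject line) is assumed to be the upstream version the scanner was looking for.

```python
import re
from itertools import zip_longest
# Package version that fixed CVE-2024-36387 (from the apt changelog quoted in the thread).
FIXED_IN = {"CVE-2024-36387": "2.4.58-1ubuntu8.2"}

def _sign(d): return (d > 0) - (d < 0)

def _order(c):
    # dpkg character weight for non-digit parts: '~' < end of string < letters < other
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Walk both strings as alternating non-digit runs (compared by _order)
    # and digit runs (compared numerically), as dpkg's version comparison does.
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _sign(_order(ca) - _order(cb))
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return _sign(int(da or 0) - int(db or 0))
    return 0

def split_version(v):
    # '[epoch:]upstream[-revision]'; missing epoch is 0, revision is split at the last '-'
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return epoch, upstream, revision

def compare_versions(a, b):
    # Returns -1, 0 or 1 like `dpkg --compare-versions`: epoch, then upstream, then revision.
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    return _sign(int(ea) - int(eb)) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_patched(installed_pkg_version, cve):
    # The check a scanner should do: full package version against the fix version.
    return compare_versions(installed_pkg_version, FIXED_IN[cve]) >= 0

def banner_check(installed_pkg_version, expected_upstream):
    # What a banner-only scanner does: upstream version alone, ignoring the Ubuntu revision.
    return compare_versions(split_version(installed_pkg_version)[1], expected_upstream) >= 0
```

For the version in the thread, is_patched("2.4.58-1ubuntu8.6", "CVE-2024-36387") is True while banner_check("2.4.58-1ubuntu8.6", "2.4.62") is False, which is exactly the false positive Keith describes.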