# Availability Apache 2.4.50 as package



## hbauer (Oct 5, 2021)

Based on previous situations like this when can we expect to get the new 2.4.50 Apache server in the pkg repos?


----------



## Alexander88207 (Oct 5, 2021)

Hello hbauer,

the newer version have been committed to the latest and the default (quarterly repo) 10 hours ago.

A package with the new version is expected in a week or less.


----------



## SirDice (Oct 5, 2021)

A new quarterly branch was just made, it's going to take a while to get that to build on various different versions and architectures. Meanwhile latest is churning away on the build clusters nearly constantly too. 

You can keep track of the builds on https://ci.freebsd.org/ and https://pkg-status.freebsd.org/

Once the builds are completed they have to be synced to the mirrors, that's going to take a bit of time too, there's quite a lot to sync up now.


----------



## richardtoohey2 (Oct 5, 2021)

I've got a few servers being hit by this already from quite a few IPs - so it's definitely out there - the default Apache config _seems_ to protect against the attack with "Require all denied" on the root directory.

But if that's not enough please say so!


----------



## Tieks (Oct 5, 2021)

Many attempts indeed, since a few hours. 
From httpd-access.log: 167.71.13.196 - - [05/Oct/2021:21:05:25 +0200] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 403 199
From httpd-error.log: [Tue Oct 05 21:05:25.362825 2021] [authz_core:error] [pid 12127] [client 167.71.13.196:19272] AH01630: client denied by server configuration: /etc/hosts


----------



## _martin (Oct 5, 2021)

Yop, if you can't find any PoC anywhere looking at your logs is a good place to start.

`curl http://172.31.1.200//cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
# $FreeBSD$
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:`
As you mentioned Tieks, doesn't work on a default installation.
Bug fix is here. Already in ports.


----------



## SirDice (Oct 5, 2021)

If you want that new version NOW, build it from ports. The port has been updated already.


----------



## Tieks (Oct 6, 2021)

_martin said:


> doesn't work on a default installation.


Correct. The new port version is 2.4.50. I'm running 2.4.49, that version has the security update too. See http://httpd.apache.org/security/vulnerabilities_24.html for details.
As richardtoohey2 already pointed out, setting "require all denied" blocks it. So you need to have that setting in place on older versions.

An attacker needs to guess the name of a subdirectory to docroot and the number of directories to go up. So this is yet another good case for using non-standard directory names.


----------



## _martin (Oct 6, 2021)

It's about the security set on / (default is ok) and possibly other directories used, not about the directory names. Crawler can resolve the directory name fairly easy. 
But yeah, as I said above, already in ports.


----------



## richardtoohey2 (Oct 8, 2021)

2.4.50 has issues, there's a 2.4.51 already: https://dlcdn.apache.org//httpd/CHANGES_2.4.51

It's in FreeBSD ports.


----------

