  1. #1

    [URGENT]apache 2.2.20 exploit[URGENT]

    Hi, a friend told me that there is an exploit on version 2.2.20-2.2.21 that lets a hacker assign a cookie code to website address and then it crashes the apache/server. Here's what the apache.org website noted:


    CVE-2012-0021

    A flaw was found in mod_log_config. If the '%{cookiename}C' log format string is in use, a remote attacker could send a specific cookie causing a crash. This crash would only be a denial of service if using a threaded MPM.

    Reported to security team: 30th December 2011

    Issue public: 28th November 2011

    Update released: 31st January 2012

    Affected: 2.2.21, 2.2.20
    http://httpd.apache.org/security/vul...lities_22.html


    So I hope you guys can fix an apache 2.2.22 upgrade .sh file asap that lets all zpanelx users upgrade their apache in easy steps.
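Added example, not part of the forum posts or of Apache's own code: a defender-side check of the three conditions the quoted advisory names (listed version, a `%{cookiename}C` log format in use, threaded MPM). The sample config and version text are constructed, the function names are hypothetical, and the check reads only the upstream version string, so a distribution package carrying a backported fix under the same version number will still be flagged.

```python
import re

AFFECTED = {"2.2.20", "2.2.21"}  # versions listed in the advisory quoted above
# %{name}C, allowing status-code conditions and </> modifiers, e.g. %!200,304{name}C
COOKIE_FMT = re.compile(r"%!?[\d,]*[<>]?\{([^}]+)\}C")

# Constructed sample input, not taken from a real server.
SAMPLE_CONF = r"""# constructed sample config
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %t \"%r\" %>s %{session}C" withcookie
CustomLog /var/log/apache2/access.log withcookie
#LogFormat "%{old}C" disabled
LogFormat "%%{notacookie}C" literal
CustomLog logs/track.log "%h %!200,304{track}C %{uid}C"
"""
# Assumed shape of the server's version/MPM report (constructed).
SAMPLE_V = "Server version: Apache/2.2.20 (Ubuntu)\nServer MPM:     Worker\n  threaded:     yes\n"


def cookie_log_directives(conf_text):
    """Return [(line_no, [cookie names])] for active LogFormat/CustomLog lines using %{...}C."""
    hits = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out directive
        if line.split(None, 1)[0].lower() not in ("logformat", "customlog"):
            continue
        names = COOKIE_FMT.findall(line.replace("%%", ""))  # %% is a literal percent
        if names:
            hits.append((no, names))
    return hits


def assess(version_output, conf_text):
    """Combine the advisory's three conditions: version, %{...}C in use, threaded MPM."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", version_output)
    version = m.group(1) if m else None
    hits = cookie_log_directives(conf_text)
    threaded = bool(re.search(r"^\s*threaded:\s+yes", version_output, re.M | re.I))
    if version not in AFFECTED:
        verdict = "version not listed as affected"
    elif not hits:
        verdict = "listed version, but no %{...}C log format in use"
    elif threaded:
        verdict = "crash is a denial of service (threaded MPM)"
    else:
        verdict = "crash limited to one child process (non-threaded MPM)"
    return {"version": version, "hits": hits, "threaded": threaded, "verdict": verdict}
```

A CustomLog line that refers to a format by nickname is covered through the LogFormat line that defines the nickname.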

  2. #2
    ZPanel QA Staff VJftw's Avatar
    Join Date
    Feb 2012
    Location
    Reading, England, United Kingdom
    Posts
    310

    Re: [URGENT]apache 2.2.20 exploit[URGENT]

    erm.. isn't apache automatically updated via the system upgrade?
    mine's at 2.2.22
    for ubuntu run
    Code:
    sudo apt-get update
    sudo apt-get upgrade
    then press Y to update packages

    Please stop PMing me asking for help. Ask in the appropriate thread or start a new one. This way, others can benefit from any help given.
    alineofcode.co.uk

  3. #3

    Re: [URGENT]apache 2.2.20 exploit[URGENT]

    ty for tip but when I did following commands it did not update my apache to 2.2.22, I'm still on 2.2.20. Also I'm on ubuntu 11.10

  4. #4
    ZPanel QA Staff VJftw's Avatar

    Re: [URGENT]apache 2.2.20 exploit[URGENT]

    you might be better off upgrading to 12.04 as it offers long term support and the stock repositories that contain the latest apache versions (I THINK)

    to upgrade:
    From 11.10 to 12.04
    To upgrade from Ubuntu 11.10 on a server system, follow the steps listed below:

    Install the update-manager-core package (if it is not already installed).

    Run sudo do-release-upgrade to launch the upgrade tool.

    Follow the on-screen instructions.
    Note that the server upgrade is now more robust and will utilize GNU screen and automatically re-attach in case of dropped connection problems, for example.


  5. #5

    Re: [URGENT]apache 2.2.20 exploit[URGENT]

    ty but upgrade had tons of error for odd reason :/ so now it's messed up

  6. #6
    ZPanel QA Staff VJftw's Avatar

    Re: [URGENT]apache 2.2.20 exploit[URGENT]

    hmm, interesting. what were the errors in relation to? if you can then, you may have to back up your hostdata and start a clean install for 12.04


  7. #7

    Re: [URGENT]apache 2.2.20 exploit[URGENT]

    I found what caused error: it was main vps kernel having 2.6.18 but ubuntu 12.04 needs 2.6.42, so upgrade failed until kernel gets upgraded to 2.6.42, then upgrade process will continue.

  8. #8
    ZPanel QA Staff VJftw's Avatar

    Re: [URGENT]apache 2.2.20 exploit[URGENT]

    doesn't the kernel get updated during installation?

    hmmm. i would've also thought it got updated during the apt-get upgrade

    you have root access right?


  9. #9

    Re: [URGENT]apache 2.2.20 exploit[URGENT]

    well no if it's a VPS then main vps dedi requires kernel to be updated since vps runs on main dedi os kernel shared with other vps but with plain dedi you can upgrade kernel.
