Serious Apache security flaw

In regards to a nasty Apache bug discovered in the last few weeks… (affecting ALL Apache versions on all OS)

I’m using Ubuntu 8.04 LTS, I’ve been keeping my eyes peeled for a virtualmin update beyond Apache 2.2.8-12vm.ubuntu0.19 but haven’t seen anything yet…

Anyone know what action is being done in relation to:

http://marc.info/?l=apache-httpd-dev&m=131418828705324&w=2

http://www.securityfocus.com/bid/49303/references

I know Joe’s been working on the packages regarding that flaw… I don’t see them in there yet, but they should be available soon.

If you don’t see them within a day, feel free to post a support request using the support tracker regarding that.

-Eric

The packages should be in the repositories now, let us know if you run into any problems!

-Eric

I have updated (and restarted Apache).

However there is a site here which claims to be able to test for this vulnerability:
http://apache-range-exploit.com/

When I tried one of my virtualmin domain URLs, it reported I was still vulnerable. They say:

“This means that the script thinks that your site is vulnerable based on checking for a set of 20 ranges.”

I have also seen that you can test for the vulnerability as follows:

curl -I -H "Range: bytes=0-1,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15,5-16,5-17,5-18,5-19" -s example.com | grep Partial

(example.com is a domain on the server you wish to test)

If you see message 206 Partial Content in output - your Apache is vulnerable.
(This comes from the Plesk people)

The good news is that my Virtualmin server seems to pass this test.

I have two old Plesk servers still that have not been patched and those fail that test.

So the Virtualmin patch seems to have done something!

All my servers show Apache/2.2.3 for httpd -v.
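The curl test quoted in the post above, written out as a small Python script so the outcome is classified explicitly rather than by eyeballing a grep. This is an added example, not code from the thread, from Virtualmin or from Plesk. It sends the same 21-range HEAD request to a server you administer and interprets the status: 206 means the overlapping ranges were honoured (unpatched), 200 or 416 means they were ignored or rejected (patched or mitigated). It also includes a request-side helper that flags Range headers with many or overlapping ranges, the kind of check an administrator can run over captured requests when reviewing traffic. The host name, the "more than five ranges" threshold and the function names are assumptions of this example, not values from the thread.

```python
"""Added example: reproduce the Range-header check from the forum post and
classify the result; plus a helper to flag suspicious Range headers in
captured requests. Not code from the thread, Virtualmin or Plesk."""
import http.client
import re
import sys

# The exact header from the curl command in the post: "0-1" followed by "5-0" .. "5-19".
TEST_RANGE_HEADER = "bytes=0-1," + ",".join(f"5-{i}" for i in range(20))


def parse_ranges(header_value):
    """Parse a Range header value into (start, end) tuples.
    A missing start (suffix range "-500") or missing end ("500-") becomes None.
    Anything that is not a bytes range returns an empty list."""
    m = re.fullmatch(r"\s*bytes\s*=\s*(.*)", header_value)
    if not m:
        return []
    ranges = []
    for part in m.group(1).split(","):
        rm = re.fullmatch(r"(\d*)-(\d*)", part.strip())
        if not rm:
            continue
        start, end = rm.groups()
        ranges.append((int(start) if start else None, int(end) if end else None))
    return ranges


def range_header_is_suspicious(header_value, max_ranges=5):
    """Flag a request carrying more than max_ranges byte ranges.
    The default of five is an assumed threshold for this example; choose one
    that fits your own traffic (legitimate clients rarely send many ranges)."""
    return len(parse_ranges(header_value)) > max_ranges


def has_overlapping_ranges(header_value):
    """True if any two well-formed ranges overlap (a legitimate client has no
    reason to ask for the same bytes twice in one request)."""
    rs = sorted(
        (s, e) for s, e in parse_ranges(header_value)
        if s is not None and e is not None and s <= e
    )
    return any(rs[i][1] >= rs[i + 1][0] for i in range(len(rs) - 1))


def classify_status(status):
    """Interpret the status code returned for the multi-range request."""
    if status == 206:
        return "vulnerable"        # overlapping ranges were honoured
    if status in (200, 416):
        return "not vulnerable"    # ranges ignored (200) or rejected (416)
    return "inconclusive"


def probe(host, path="/", port=80, timeout=10):
    """Live check against a server you administer: same HEAD request as the
    curl command in the post. Returns (status_code, classification)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path, headers={"Host": host, "Range": TEST_RANGE_HEADER})
        resp = conn.getresponse()
        return resp.status, classify_status(resp.status)
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python check_range.py example.com   (example.com is an assumed host)
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    code, verdict = probe(target)
    print(f"{target}: HTTP {code} -> {verdict}")
```

The offline helpers are the part worth keeping after patching: a request with more than a handful of ranges, or with ranges that overlap, is exactly the shape the test site and the curl command send, so counting and overlap-checking the Range header of logged requests tells you whether anyone has been probing or hammering the server.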

Howdy,

Well, the Apache version you see would depend on the distro you’re using there.

However, what Virtualmin does to make those Apache versions available is to just grab the version provided by CentOS or Ubuntu, tweak where the suexec path points, and push them up into the Virtualmin repository.

So, as long as they’re the same version as the most recent Apache version provided by your distribution, you should be good to go!

-Eric