Um, forgot the software used: running on CentOS 7.4.1708 /
httpd-2.4.6-67 / mod_fcgid-2.3.9-4
On 21.09.2017 at 14:25, Thomas Plant wrote:
Hello all,
I have set up a web server and see a lot of the following errors:
[Wed Sep 20 16:28:48.332977 2017] [fcgid:warn] [pid 14969:tid
140600728618752] (32)Broken pipe: [client x.x.x.x:55994] mod_fcgid:
ap_pass_brigade failed in handle_request_ipc function, referer:
http://example.com/
Thank you, Eric.
I did it
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
" do_redirect");
r->hostname = "google.com";
ret = r->unparsed_uri;
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
" do_redirect 111");
ret =
CVE-2017-9789 is a pure mod_http2 issue. If the protocol is not enabled, it
does not trigger. (You could even load the module without exposing the server
to the vulnerability)
You need to upgrade at least mod_http2 to a newer version.
Hope that clarifies it.
Cheers,
Stefan
> On 21.09.2017
Hey all,
Under FreeBSD, mod_http2 is not compiled by the ports tree by default.
Are we still vulnerable to this?
Is there any mitigation strategy besides upgrading? (Disabling htaccess
parsing, for example?)
-Dan
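Added example, not part of the original thread or of httpd's own code: a Python check for the condition Stefan describes, reporting whether mod_http2 is loaded and whether h2/h2c is actually enabled through a `Protocols` directive. It assumes the module is loaded as a DSO via `LoadModule`, does not follow `Include` directives, and runs on a constructed sample configuration; `logical_lines` and `http2_exposure` are hypothetical names.

```python
H2_PROTOCOLS = {"h2", "h2c"}  # protocol names served by mod_http2

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
# LoadModule alone does not enable the protocol
LoadModule http2_module modules/mod_http2.so
Protocols http/1.1
<VirtualHost *:443>
    ServerName example.com
    Protocols h2 \\
              http/1.1
    ProtocolsHonorOrder On
</VirtualHost>
"""

def logical_lines(conf_text):
    """Yield (first_line_no, text), skipping comments and joining '\\' continuations."""
    buf, start = "", 0
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            start = no
            if line.startswith("#"):
                continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf = ""

def http2_exposure(conf_text):
    """Report whether mod_http2 is loaded and where h2/h2c is enabled."""
    loaded, enabled_at = False, []
    for no, line in logical_lines(conf_text):
        words = line.split()
        name, args = words[0].lower(), [w.lower() for w in words[1:]]
        if name == "loadmodule" and args[:1] == ["http2_module"]:
            loaded = True
        elif name == "protocols" and H2_PROTOCOLS & set(args):
            enabled_at.append((no, sorted(H2_PROTOCOLS & set(args))))
    # The protocol is only reachable when the module is loaded AND enabled.
    return {"module_loaded": loaded, "h2_enabled_at": enabled_at,
            "protocol_reachable": loaded and bool(enabled_at)}

if __name__ == "__main__":
    print(http2_exposure(SAMPLE))
```

A result with `module_loaded` true and an empty `h2_enabled_at` corresponds to the case in the reply where the module is loaded but the protocol is not exposed.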