Hi, In the description of CVE-2021-40438 it says that it affects Apache HTTP Server 2.4.48 and earlier. Does this apply only to 2.4.x versions, and could you confirm whether Apache 2.2.x versions are not affected by this vulnerability? Regards, Stefan
Apache 2.2 has been End-Of-Life since January 2018. That means the project no longer offers free support for that version. We recommend upgrading to the latest 2.4.x release. Kind Regards, Stefan
Hi Stefan, Actually my request was not for fixing the Apache 2.2.x version, but I just want to understand if those versions are also vulnerable. Therefore could you please confirm if Apache 2.2.x is, or is not, affected by the CVE-2021-40438 vulnerability? Regards, Stefan
If you run httpd 2.2 in an environment where CVEs are a concern, you have more important problems than this CVE.
Just to be clear: any security issue that has been reported for Apache HTTP Server after 2.2 was EOL was not checked by this project for whether it affects any version of 2.2. There might be other distributors of Apache 2.2 (commercial products, LTS OS distributions) that still do this / did this for some time. You might find hints there. But using any vanilla 2.2 version is strongly discouraged for security reasons.