91
Apache / 7 new CVE's for Apache. 2.4.68 Just Released
« Last post by Starburst on June 08, 2026, 05:16:06 PM »CISA just released 7 new CVEs for Apache that affect up to version 2.4.67.
The Apache Foundation just released 2.4.68, which takes care of the vulnerabilities.
Update guides, if needed, can be found at:
HTTP/2 Version:
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/update-apache-http-2-to-2-4-68-in-cwp-on-almalinux-8-9/
Non HTTP/2 Version:
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/update-apache-to-2-4-68-in-cwp-on-almalinux-8-9/
92
Apache / Re: HTTP/2 Bomb — Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare
« Last post by overseer on June 08, 2026, 11:56:09 AM »I wouldn't run the GitHub version in production; I prefer the version from the Apache Foundation for stable, production use:
Quote
It [GitHub version] serves as early access to features and fixes before being shipped in the next Apache release. Both modules can be considered production ready and stable as shipped by the Apache project.
93
Apache / Re: HTTP/2 Bomb — Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare
« Last post by Starburst on June 08, 2026, 04:18:17 AM »Yea, it shows the Apache version.
But I was looking for a way to see the mod_http2 version.
Currently at 2.0.42
https://github.com/icing/mod_h2
94
Apache / Re: HTTP/2 Bomb — Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare
« Last post by overseer on June 08, 2026, 01:56:07 AM »Should be tied to the main Apache version; so in this case:
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/update-apache-http-2-to-2-4-67-in-cwp-on-almalinux-8-9/
It should be 2.4.67.
96
Apache / Re: HTTP/2 Bomb — Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare
« Last post by Starburst on June 07, 2026, 03:46:53 PM »
97
Apache / Re: HTTP/2 Bomb — Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare
« Last post by overseer on June 07, 2026, 02:29:02 PM »Between https://starburst.help and https://www.alphagnu.com, all the instructions are there to update.
98
Apache / Re: HTTP/2 Bomb — Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare
« Last post by kandalf on June 07, 2026, 07:27:16 AM »Update: Apache, Nginx, MariaDB, Roundcube, Mod Security, OWASP ruleset, CSF (Aetherinox). We need a topic with the instructions for each service.
99
SSL / Re: SSL for an IP
« Last post by cyberspace on June 06, 2026, 10:43:57 PM »I never requested an SSL certificate for the IP address. However, Certbot and ACME.sh work the same way. They simply send a certificate request to the certificate authority (CA). The CA then verifies that you are the administrator of the IP address or domain name using an HTTP or DNS challenge and issues the certificate if the validation is successful.
Seems you just need to use the "shortlived" profile:
https://letsencrypt.org/2026/01/15/6day-and-ip-general-availability
See "--cert-profile" of ACME.sh and use the HTTP-01 ACME challenge for verification.
So the command to request such SSL should be:
Code:
acme.sh --issue \
--server letsencrypt \
--cert-profile shortlived \
--days 3 \
-d your.ip.address.here \
-w /document/root/
You can test it by adding "--test".
100
Apache / Re: HTTP/2 Bomb — Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare
« Last post by cyberspace on June 05, 2026, 10:16:15 PM »Guys, check if the protocol http/2 is enabled in Nginx and/or Apache before panicking
Code:
grep ' h2 ' /usr/local/apache/conf* -R
grep 'http2' /etc/nginx/conf* -R
If you get nothing or commented lines then http/2 is disabled.
Seems Sandeep provided the instructions on how to update Nginx.
My version of CWP doesn't use mod_http2 for Apache by default. At least I don't see it in the folder used to store the Apache modules:
/usr/local/apache/modules/
Anyway, if you need to update mod_http2 for Apache, follow the instructions listed below to perform the update:
Code:
dnf install libnghttp2-devel.x86_64
cd /usr/local/src/
wget -O mod_http2.zip https://github.com/icing/mod_h2/archive/refs/heads/master.zip
unzip mod_http2.zip
cd mod_h2-master
autoreconf -i
automake
autoconf
./configure --with-apxs=/usr/local/apache/bin/apxs
make
Make sure there are no messages containing "error". If all is ok:
Code:
#make backup of the original http2 libs to /root/
cp -p /usr/local/apache/modules/*http2.so /root/
cp -fp mod_http2/.libs/*.so /usr/local/apache/modules/
service httpd restart
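
The HTTP/2 check from the post above, as an added example that is not part of the original thread: it matches only uncommented directives, so commented-out lines do not have to be filtered by eye, and it also catches `h2` at the end of a `Protocols` line. The regexes, the function names and the `report` helper are this example's own, and the sample configs are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: list only ACTIVE HTTP/2 directives.
# Apache: a "Protocols" line naming h2 or h2c (directive names are case-insensitive).
APACHE_RE='^[[:space:]]*Protocols[[:space:]](.*[[:space:]])?h2c?([[:space:]]|$)'
# nginx: "listen ... http2" (older syntax) or "http2 on;" (nginx 1.25.1 and later).
NGINX_RE='^[[:space:]]*(listen[[:space:]][^#;]*[[:space:]]http2[[:space:];]|http2[[:space:]]+on[[:space:]]*;)'

# Print file:line:text for each active directive; exit status 0 means HTTP/2 is on.
apache_h2_enabled() { grep -RIniE "$APACHE_RE" "$@" 2>/dev/null; }
nginx_h2_enabled()  { grep -RInE  "$NGINX_RE"  "$@" 2>/dev/null; }

report() {  # usage: report <label> <check-function> <path>...
    label=$1; check=$2
    shift 2
    if "$check" "$@"; then
        echo "$label: HTTP/2 enabled by the line(s) above"
    else
        echo "$label: no active HTTP/2 directive"
    fi
}

# Constructed sample configs so the script runs anywhere. On a CWP host use:
#   report Apache apache_h2_enabled /usr/local/apache/conf*
#   report Nginx  nginx_h2_enabled  /etc/nginx/conf*
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir "$demo/a_on" "$demo/a_off" "$demo/n_on" "$demo/n_off"
printf 'Protocols http/1.1 h2\n'                      > "$demo/a_on/httpd.conf"
printf '#Protocols h2 http/1.1\nProtocols http/1.1\n' > "$demo/a_off/httpd.conf"
printf 'server {\n    listen 443 ssl http2;\n}\n'      > "$demo/n_on/site.conf"
printf 'server {\n    # listen 443 ssl http2;\n    listen 443 ssl;\n    http2 off;\n}\n' > "$demo/n_off/site.conf"

report "Apache sample (on)"  apache_h2_enabled "$demo/a_on"
report "Apache sample (off)" apache_h2_enabled "$demo/a_off"
report "Nginx sample (on)"   nginx_h2_enabled  "$demo/n_on"
report "Nginx sample (off)"  nginx_h2_enabled  "$demo/n_off"
```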