Yesterday’s httpd update on Alma9 broke more than half of our sites due to the introduction of the security patch for mod_rewrite’s new UnsafeAllow3F flag.
We’re using RewriteMaps that include destination URLs with parameters; all of those produced 403 Forbidden responses after the update.
The fix was simple (add the flag to the map rewrites), but the real issue was that the previous patch level of httpd would not start with the flag added, as the flag wasn’t supported.
I.e.:
httpd-2.4.57-11.el9_4.x86_64 → flag not supported
httpd-2.4.57-11.el9_4.1.x86_64 → flag necessary
So deploying a configuration update to our servers now had to add an additional condition for the actual server patch state, as not all servers can be updated simultaneously to the same patch level.
I suggest making the currently installed package version including the patch level a standard apache environment variable to enable configuration templates to react automatically & gracefully to critical new features like this.
If there’s already a defined way to query the patch level within an apache configuration, I’d be grateful for a pointer.
Regards,
Michael
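The condition Michael describes can be expressed without hard-coding the RPM release string: instead of asking the server for its patch level, test whether the installed build accepts the flag and turn the answer into a `-D` define that the rewrite config reacts to with `<IfDefine>`. The script below is an added example and not part of the original post. It assumes the stock Alma/RHEL `httpd.service`, which reads `OPTIONS` from `/etc/sysconfig/httpd` and passes it on the `httpd` command line, that `mod_rewrite` is loaded by the main config, and that the define name `REWRITE_UNSAFE_ALLOW_3F`, the map file path and the rewrite rule are placeholders chosen here. Note that `<IfVersion>` from `mod_version` compares the upstream version (2.4.57 on both packages above), so it cannot tell the two builds apart; the feature probe can.

```shell
#!/bin/sh
# Added example, not part of the original post: feature-detect whether the
# installed httpd accepts the UnsafeAllow3F RewriteRule flag and turn the
# answer into a -D define, so one rewrite config serves both patch levels.
#
# Assumptions (not stated on the page): the stock httpd.service reads
# OPTIONS from /etc/sysconfig/httpd and passes it to httpd, mod_rewrite is
# loaded by the main config, and the define name REWRITE_UNSAFE_ALLOW_3F and
# the map file path are placeholders chosen here.

# probe_unsafe_allow_3f HTTPD_CMD...
#   Syntax-check the real config plus one extra rule carrying the flag
#   (-c directives are processed after the config files, so mod_rewrite is
#   already loaded). A build that does not know the flag rejects the rule,
#   so the exit status of the syntax check is the feature test.
probe_unsafe_allow_3f() {
    "$@" -t -c 'RewriteEngine on' \
         -c 'RewriteRule "^/__probe$" "/index.html" [UnsafeAllow3F]' \
         >/dev/null 2>&1
}

# choose_define HTTPD_CMD...
#   Print the define to pass to httpd, or nothing when the flag is unsupported.
#   Returns 2 without printing if the base config already fails, so a broken
#   config is never mistaken for an old build (which would silently drop the
#   flag and bring the 403s back on a patched server).
choose_define() {
    "$@" -t >/dev/null 2>&1 || { echo "base config fails syntax check" >&2; return 2; }
    if probe_unsafe_allow_3f "$@"; then
        printf '%s\n' '-DREWRITE_UNSAFE_ALLOW_3F'
    fi
}

# update_options FILE DEFINES
#   Replace the OPTIONS= line in the environment file, keeping other lines.
update_options() {
    file=$1; defines=$2
    tmp="$file.tmp.$$"
    {
        [ -f "$file" ] && grep -v '^OPTIONS=' "$file" || :
        printf 'OPTIONS="%s"\n' "$defines"
    } >"$tmp" && mv "$tmp" "$file"
}

# rewrite_conf
#   Print the rewrite snippet: the map lookup is written twice, once with the
#   flag inside <IfDefine> and once without, so the file loads on both builds.
rewrite_conf() {
    cat <<'EOF'
RewriteEngine on
# placeholder map: key -> destination URL that may carry ?parameters
RewriteMap sites "txt:/etc/httpd/maps/sites.txt"

<IfDefine REWRITE_UNSAFE_ALLOW_3F>
    RewriteRule "^/go/([^/]+)$" "${sites:$1|/notfound}" [L,UnsafeAllow3F]
</IfDefine>
<IfDefine !REWRITE_UNSAFE_ALLOW_3F>
    RewriteRule "^/go/([^/]+)$" "${sites:$1|/notfound}" [L]
</IfDefine>
EOF
}

# Usage (as root, on each server, from the config deployment step):
#   sh this.sh --apply
if [ "${1:-}" = "--apply" ]; then
    defines=$(choose_define /usr/sbin/httpd) || exit $?
    update_options /etc/sysconfig/httpd "$defines"
    rewrite_conf >/etc/httpd/conf.d/sites-rewrite.conf
    /usr/sbin/httpd -t && systemctl reload httpd
fi
```

Run with `--apply` after the configuration template has been rolled out but before the reload; the probe is re-evaluated on every deployment, so a server that picks up the `el9_4.1` package later simply gains the define on its next run, and servers on the older build keep starting. Because the test is on the feature rather than on the package release string, the same script keeps working if another vendor ships the fix under a different release.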