Fix the CVE-2024-38475 vulnerability for apache2

[priteshvaviya11]

Hi, I can see that CVE-2024-38475 vulnerability is present in the LATEST overv/openstreetmap-tile-server:latest docker image.
It has apache2 with installed version - 2.4.52-1ubuntu4.5
The fix version of this is available in - 2.4.52-1ubuntu4.10 (as per trivy scans)

OR

It can also be fixed by upgrading apache2 to the Latest version i.e. 2.4.65 July 2025.

Please could you look for implementing this upgrade and provide any feedback on the ETA & release version.

[Istador]

Afaik mod_rewrite isn't enabled by default and even if it were, this project isn't introducing any rewrite rules that could be affected by this vulnerability.

[iplayguitartoo-coder]

You could always create your own image with overv/openstreetmap-time-server as the base and upgrade Apache. Don't upgrade Postgres as that will break stuff. Here's a sample Docker file you could use.

Contents of Dockerfile

FROM overv/openstreetmap-tile-server
#Hold the application stack - these are risky to upgrade
RUN apt-mark hold postgresql postgresql-client postgis
#Upgrade OS-level packages with known CVEs
RUN apt-get update &&
apt-get install --only-upgrade
apache2
curl
libcurl4
libcurl3-gnutls
libnghttp2-14
dirmngr
git
git-man
gnupg
gnupg2
gpg
gpg-agent
libc-bin
libc6
libc6-dev
libc-dev-bin
locales
libtiff5
sudo
unrar
linux-libc-dev -y &&
apt-get clean &&
rm -rf /var/lib/apt/lists/*