Upgrade to Apache version 2.4.10 or later

13 posts / 0 new
Last post
#1 Fri, 05/12/2017 - 06:49
ayhan

Upgrade to Apache version 2.4.10 or later

hello,

How can i upgrade to Apache version 2.4.10 or later.

Fri, 05/12/2017 - 07:20
unborn
unborn's picture

hi ayhan,

it should be simple - if you on debian or ubuntu based distros just do this:

su

apt update && apt upgrade -y and you shoul be sweet done.

Configuring/troubleshooting Debian servers is always great fun

Fri, 05/12/2017 - 09:58
ayhan

i m sorry, i m on CentOS Linux release 7.3.1611 (Core).

Webmin version 1.831

Virtualmin version 5.07

yum update

No packages marked for update

httpd -v

Server version: Apache/2.4.6 (CentOS)

Server built: Jul 19 2016 13:15:57

Fri, 05/12/2017 - 18:35 (Reply to #3)
Joe
Joe's picture

We generally recommend you stick with your OS-provided version of Apache unless you have a very good reason for changing. why do you want 2.4.10 or higher?

In the case of Apache on CentOS, the problem with upgrading is harder than for most other packages. You can upgrade a lot of stuff on CentOS using the SCL repositories, and Virtualmin usually works with only small configuration changes with those packages. For Apache, however, we provide a custom build to allow suexec to operate within /home. This means that if you're changing the Apache package, you'll need to rebuild it to match how we rebuild it.

So...here's how you upgrade:

  1. Grab a newer httpd src.rpm from a fedora mirror.
  2. Modify the spec file to set the suexec_docroot to /home. Also bump the epoch so that new Apache packages from CentOS or Virtualmin repos won't overwrite yours (Virtualmin httpd packages have Epoch: 1). You'll have to modify the Requires lines that reference the httpd packages to also include the Epoch (add 1: to the beginning of the version).
  3. Build it.
  4. Install it.
  5. Keep an eye on updates, since it won't be provided by yum anymore. You'll need to go through these steps every time there is an update available.

Our repos have src.rpm packages in them, so you can look at one of those (e.g. http://software.virtualmin.com/gpl/centos/7/SRPMS/httpd-2.4.6-40.el7.cen... ) to see the changes we make. It's tedious, but not hard, if you're comfortable build RPM packages.

Or, just leave it alone. I can't imagine there's a new feature in 2.4.10 that makes Apache vastly superior to the 2.4.6 provided by RHEL/CentOS.

--

Check out the forum guidelines!

Tue, 01/08/2019 - 10:33 (Reply to #4)
raulidavid

Joe help me please I want to upgrade apache 2.4.6 because vulnerabilites Note that the 'httpoxy' vulnerability can be mitigated by applying the workarounds or patches as referenced in the vendor advisory asf-httpoxy-response.txt. Furthermore, to mitigate the other vulnerabilities, ensure that the affected modules (mod_session_crypto, mod_auth_digest, and mod_http2) are not in use.

But do not do it raulidavid@hotmail.com

Sat, 05/13/2017 - 11:53
ayhan

ok i see. you r right.

but i got this message from security dept. please check ;

Apache 2.4.x ,WebServer,High,

According to its banner the version of Apache 2.4.x running on the remote host is prior to 2.4.10. It is therefore affected by the following vulnerabilities :

  • A flaw exists in the 'mod_proxy' module that may allow an attacker to send a specially crafted request to a server configured as a reverse proxy that may cause the child process to crash. This could potentially lead to a denial of service attack. (CVE-2014-0117)

    • A flaw exists in the 'mod_deflate' module when request body decompression is configured. This could allow a remote attacker to cause the server to consume significant resources. (CVE-2014-0118)
  • A flaw exists in the 'mod_status' module when a publicly accessible server status page is in place. This could allow an attacker to send a specially crafted request designed to cause a heap buffer overflow. (CVE-2014-0226)

  • A flaw exists in the 'mod_cgid' module in which CGI scripts that did not consume standard input may be manipulated in order to cause child processes to hang. A remote attacker may be able to abuse this in order to cause a denial of service. (CVE-2014-0231)

  • A flaw exists in WinNT MPM versions 2.4.1 to 2.4.9 when using the default AcceptFilter. An attacker may be able to specially craft requests that create a memory leak in the application and may eventually lead to a denial of service attack. (CVE-2014-3523) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number., Upgrade to Apache version 2.4.10 or later. Alternatively ensure that the affected modules are not in use.

Sat, 05/13/2017 - 13:01
Diabolico
Diabolico's picture

You should know that Centos backports all patches and security fixes to current software version. So doesnt matter what Apache version you are running if that version is default for Centos as you will always be protected.

The only downside is you will not "enjoy" the features from newer version, like PHP 5.4 what is default version for Centos 7 compared to PHP 7.x.

This is just another example why people who dont have appropriate knowledge should never manage the server. I mean, Centos backporting security fixes is really old story and its common knowledge even if you are not SysAdmin.

@ayhan: Next time when you encounter similar situation with default Centos software, first check on Centos forums or websites as you will get more accurate information than just google up some random website or even Apache website. Centos was always specific OS and many times you will get wrong information by looking at non-Centos relates websites. For the same reason Centos and RedHat are so common and mostly used OS in hosting. Not jumping on every new software release makes them much more stable and secure than any other OS (e.g. like Ubuntu).

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Sun, 05/14/2017 - 06:12
ayhan

thank you.

Mon, 03/18/2019 - 10:23
verne

I see the latest httpd RPM files are from last July .... what is the proper channel to request a newer port/build ?

Verne

Tue, 05/28/2019 - 05:46
amityweb

To clarify this... "We generally recommend you stick with your OS-provided version of Apache unless you have a very good reason for changing. why do you want 2.4.10 or higher?" and "I can't imagine there's a new feature in 2.4.10 that makes Apache vastly superior to the 2.4.6 provided by RHEL/CentOS."

http/2 is a very good reason to update. Google is marking sites down because of this. Its really vital to be able to update Apache in order to improve website performance.

Tue, 05/28/2019 - 10:37
andreychek

For stability reasons, and long-term maintenance reasons, we highly recommend using the packages provided by your distro.

If you need newer packages than CentOS provides, that's no problem. Rather than installing packages from third party repos, that are far less tested than what ships with the distro -- our recommendation instead would just be to use the distro that ships with the packages you need.

You can use HTTP2 on newer Ubuntu or Debian releases, using completely standard packages provided by the vendor.

-Eric

Tue, 05/28/2019 - 12:31
verne

got what I needed in https://www.virtualmin.com/node/57047 (sync'ed with current CentOS v7 release)

Wed, 05/29/2019 - 03:22
amityweb

Well no you can’t “just use” a different distro on a server with say 100 websites on. Quite a major job to move them all. Probably more work than getting the latest apache to work on it.

Topic locked