Old 10-25-2014, 11:22 AM   #1
OtagoHarbour
Member
 
Registered: Oct 2011
Posts: 332

Rep: Reputation: 3
Should I update Apache from 2.2 to 2.4 on CentOS 6.5?


I am using Apache 2.2 on CentOS 6.5 on a box I am using as a web server. I get the following message from rkhunter.

Code:
Warning: Application 'httpd', version '2.2.15', is out of date, and possibly a security risk.
I get the following message from http://sitecheck.sucuri.net/

Code:
Outdated Web Server Apache Found	Vulnerabilities on Apache 2.2	Apache/2.2.15
My initial thought was to update as suggested. However I found this on stackexchange. I have been told that updating from the source could lead to incompatibilities that could make Apache non-functional on my system. Also, when I checked here and here, their directions included getting the source using wget which always returned a 404 error.

Since CentOS does not provide an update for Apache when I update/upgrade CentOS, I am wondering whether upgrading Apache is a good idea. OTOH, if I do not, I may get a bad reputation from sites like sucuri.
 
Old 10-26-2014, 12:40 AM   #2
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware, MX 18
Posts: 9,484
Blog Entries: 15

Rep: Reputation: 1176
Hi:

I tried and got the same error you did-

Code:
[bluecat@localhost ~]$ cd /usr/src
[bluecat@localhost src]$ wget http://apache.mirrors.tds.net//httpd/httpd-2.4.4.tar.gz
--2014-10-26 01:21:25--  http://apache.mirrors.tds.net//httpd/httpd-2.4.4.tar.gz
Resolving apache.mirrors.tds.net (apache.mirrors.tds.net)... 216.165.129.134
Connecting to apache.mirrors.tds.net (apache.mirrors.tds.net)|216.165.129.134|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-10-26 01:21:25 ERROR 404: Not Found.

[bluecat@localhost src]$ tar zxvf httpd-2.4.4.tar.gz

I'm not sure what's best for you to try.
Even if you install the tar.gz file directly the man in the tutorial says that could be
a bit tricky to come by on CentOS 6.x, without rebuilding them too.

Even if you find the RPM you'd still have to rebuild and recompile.
That could be recursive & frustrating. (least it's been my experience)

I'm not sure if it's a good idea to upgrade Apache or not. It seems complicated even after I read all of the documentation that you linked.

***I'd wait for a member with lots of experience with Apache and see what they can advise you on.***
 
Old 10-26-2014, 07:38 AM   #3
OtagoHarbour
Member
 
Registered: Oct 2011
Posts: 332

Original Poster
Rep: Reputation: 3
Thanks for replying.

Quote:
Originally Posted by Ztcoracat View Post
Hi:

I tried and got the same error you did-

Code:
[bluecat@localhost ~]$ cd /usr/src
[bluecat@localhost src]$ wget http://apache.mirrors.tds.net//httpd/httpd-2.4.4.tar.gz
--2014-10-26 01:21:25--  http://apache.mirrors.tds.net//httpd/httpd-2.4.4.tar.gz
Resolving apache.mirrors.tds.net (apache.mirrors.tds.net)... 216.165.129.134
Connecting to apache.mirrors.tds.net (apache.mirrors.tds.net)|216.165.129.134|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-10-26 01:21:25 ERROR 404: Not Found.

[bluecat@localhost src]$ tar zxvf httpd-2.4.4.tar.gz

I'm not sure what's best for you to try.
Even if you install the tar.gz file directly the man in the tutorial says that could be
a bit tricky to come by on CentOS 6.x, without rebuilding them too.

Even if you find the RPM you'd still have to rebuild and recompile.
That could be recursive & frustrating. (least it's been my experience)

I'm not sure if it's a good idea to upgrade Apache or not. It seems complicated even after I read all of the documentation that you linked.

***I'd wait for a member with lots of experience with Apache and see what they can advise you on.***
I saw the following link. http://wiki.centos.org/FAQ/General#h...3ca4b096cbff2f

I also ran


Code:
rpm -q --changelog httpd | less
and got

Code:
* Wed Jul 23 2014 Johnny Hughes <johnny@centos.org> - 2.2.15-31.el6.centos
- Roll in CentOS Branding

* Fri Jul 18 2014 Jan Kaluza <jkaluza@redhat.com> - 2.2.15-31
- mod_cgid: add security fix for CVE-2014-0231
- mod_deflate: add security fix for CVE-2014-0118
- mod_status: add security fix for CVE-2014-0226

* Thu Mar 20 2014 Jan Kaluza <jkaluza@redhat.com> - 2.2.15-30
- mod_dav: add security fix for CVE-2013-6438 (#1078174)
- mod_log_config: add security fix for CVE-2014-0098 (#1078174)

So it appears that I have Apache updates more recent than the links I supplied about updating to Apache 2.4. It appears that Apache 2.4.10 came out 2014-07-21, just before my last update. So it appears I am up to date. So maybe the warnings from rkhunter and sucuri are false alarms? I still get those warnings after restarting Apache.
 
Old 10-26-2014, 08:01 AM   #4
grubby
LQ Newbie
 
Registered: Oct 2014
Distribution: Centos 6.5
Posts: 16

Rep: Reputation: Disabled
Could be security fixes are backported into 2.2 by Red Hat, and consequently in CentOS.
So you're kinda running a sort of 2.2+ version as it were.
rkhunter probably only looks at the version number of the rpm or what the binary gives and does not take these patches into account.

If you update your apache with the official updates from CentOS, I think it's safe to assume you're as safe as you can be and can ignore the rkhunter message.

Not sure what you can do about the sucuri problem though.

Last edited by grubby; 10-26-2014 at 08:03 AM.
 
1 members found this post helpful.
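
Added example (not part of any post in this thread): a shell script for the check done by eye in post #3, confirming from the package changelog that specific CVE fixes were backported even though the upstream version string still reads 2.2.15. The function names are hypothetical, the embedded changelog is the excerpt quoted in post #3, and `CVE-0000-0000` is a constructed placeholder for an ID that is not in the changelog.

```shell
#!/usr/bin/env bash
# Added example: report which CVE IDs a package changelog lists as fixed.
# On a real host, pipe in:  rpm -q --changelog httpd

# Changelog excerpt quoted in post #3, embedded so the script runs offline.
sample_changelog() {
cat <<'EOF'
* Wed Jul 23 2014 Johnny Hughes <johnny@centos.org> - 2.2.15-31.el6.centos
- Roll in CentOS Branding

* Fri Jul 18 2014 Jan Kaluza <jkaluza@redhat.com> - 2.2.15-31
- mod_cgid: add security fix for CVE-2014-0231
- mod_deflate: add security fix for CVE-2014-0118
- mod_status: add security fix for CVE-2014-0226

* Thu Mar 20 2014 Jan Kaluza <jkaluza@redhat.com> - 2.2.15-30
- mod_dav: add security fix for CVE-2013-6438 (#1078174)
- mod_log_config: add security fix for CVE-2014-0098 (#1078174)
EOF
}

# Print "CVE-ID release" for every CVE mentioned in a changelog on stdin.
# The release is the last field of the preceding "* date author - release" line.
changelog_cves() {
  awk '
    /^\* / { rel = $NF; next }
    {
      line = $0
      while (match(line, /CVE-[0-9]+-[0-9]+/)) {
        print substr(line, RSTART, RLENGTH), rel
        line = substr(line, RSTART + RLENGTH)
      }
    }'
}

# For each CVE ID given as an argument, print "FIXED <release>" or "MISSING".
check_cves() {
  local found cve rel
  found=$(changelog_cves)
  for cve in "$@"; do
    rel=$(printf '%s\n' "$found" | awk -v c="$cve" '$1 == c { print $2; exit }')
    if [ -n "$rel" ]; then echo "$cve FIXED $rel"; else echo "$cve MISSING"; fi
  done
}

# Demo on the embedded excerpt; the last ID is a placeholder that is absent.
sample_changelog | check_cves CVE-2014-0231 CVE-2014-0098 CVE-0000-0000
```

A `MISSING` result only means the changelog does not mention the ID; it still needs checking against the vendor's advisory for that CVE, since the package may not be affected at all.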
Old 10-26-2014, 08:54 AM   #5
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware, MX 18
Posts: 9,484
Blog Entries: 15

Rep: Reputation: 1176
Quote:
Originally Posted by grubby View Post
Could be security fixes are backported into 2.2 by Red Hat, and consequently in CentOS.
So you're kinda running a sort of 2.2+ version as it were.
rkhunter probably only looks at the version number of the rpm or what the binary gives and does not take these patches into account.

If you update your apache with the official updates from CentOS, I think it's safe to assume you're as safe as you can be and can ignore the rkhunter message.

Not sure what you can do about the sucuri problem though.
Thanks for chiming in grubby-
Is it possible to get a false positive with rkhunter-
When I ran rkhunter a long time ago it gave me a false positive over a PDF I downloaded.
 
Old 10-26-2014, 09:12 AM   #6
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware, MX 18
Posts: 9,484
Blog Entries: 15

Rep: Reputation: 1176
Quote:
I still get those warnings after restarting Apache.
I don't get why you're still getting those warnings-
I tried to find out why but I just kept running into a brick wall- Sorry OtagoHarbour; I gave it my best go-

This Apache Server Project Page confirms that the security vulnerabilities were fixed in released versions of Apache httpd 2.2.
http://httpd.apache.org/security/vul...lities_22.html
 
1 members found this post helpful.
Old 10-26-2014, 12:38 PM   #7
OtagoHarbour
Member
 
Registered: Oct 2011
Posts: 332

Original Poster
Rep: Reputation: 3
Quote:
Originally Posted by grubby View Post
Could be security fixes are backported into 2.2 by Red Hat, and consequently in CentOS.
If you update your apache with the official updates from CentOS, I think it's safe to assume you're as safe as you can be and can ignore the rkhunter message.

Not sure what you can do about the sucuri problem though.
Thanks very much for your reply. I will collect as much evidence as I can and, if I decide that it is a false alarm, I will contact Sucuri with the evidence for my decision.

Thanks,
OH
 
Old 10-26-2014, 12:47 PM   #8
OtagoHarbour
Member
 
Registered: Oct 2011
Posts: 332

Original Poster
Rep: Reputation: 3
Quote:
Originally Posted by Ztcoracat View Post
Thanks for chiming in grubby-
Is it possible to get a false positive with rkhunter-
When I ran rkhunter a long time ago it gave me a false positive over a PDF I downloaded.
I doubt there is any malware detection system that does not have false positives and false negatives. I think they just analyze indicators and do a trade-off. OTOH I have heard of APTs being disguised as, or contained in, legitimate PDFs. E.g. http://www.mcafee.com/us/resources/w...st-threats.pdf. So I would not say that something is a false alarm just because it is a PDF.
 
Old 10-26-2014, 01:35 PM   #9
OtagoHarbour
Member
 
Registered: Oct 2011
Posts: 332

Original Poster
Rep: Reputation: 3
Quote:
Originally Posted by Ztcoracat View Post
I don't get why you're still getting those warnings-
I tried to find out why but I just kept running into a brick wall- Sorry OtagoHarbour; I gave it my best go-

This Apache Server Project Page confirms that the security vulnerabilities were fixed in released versions of Apache httpd 2.2.
http://httpd.apache.org/security/vul...lities_22.html
Thank you for the link. One thing that confuses me is that the link suggests I should be up to version 2.2.27 by now. However

Code:
httpd -v
returns
Code:
Server version: Apache/2.2.15 (Unix)
Server built:   Jul 23 2014 14:15:00
My thoughts are that CentOS is likely updating Apache 2.2.15 rather than moving to a new (sub)version. Your link says that the latest fix affects Apache 2.2.15.

Thanks again,
OH

Last edited by OtagoHarbour; 10-26-2014 at 01:47 PM.
 
Old 10-26-2014, 02:04 PM   #10
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,627

Rep: Reputation: 2651
redhat will never change MAJOR versions of software
but they will backport security updates and bugfixes
so the updates for the current OLD 2.2???? are in whatever is in the rhn repo

NOW
( my opinion so...)
one should build EVERYTHING for the apache stack from source for the first 6 to 12 installs
That way one LEARNS!!! how to set it up and configure everything
then use the rpm or deb to save 30 min. off the install

for running production servers USE the RPM for rhel

that is the BEST way to keep uptime UP

Apache2.2 is aging
you really should be "thinking" of migrating to 2.4

but you can wait until Apache 2.6 comes out
you do not have to migrate TODAY
in the next year sometime -- YES
 
1 members found this post helpful.
Old 10-27-2014, 08:57 PM   #11
OtagoHarbour
Member
 
Registered: Oct 2011
Posts: 332

Original Poster
Rep: Reputation: 3
Quote:
Originally Posted by John VV View Post
redhat will never change MAJOR versions of software
but they will backport security updates and bugfixes
so the updates for the current OLD 2.2???? are in whatever is in the rhn repo

NOW
( my opinion so...)
one should build EVERYTHING for the apache stack from source for the first 6 to 12 installs
That way one LEARNS!!! how to set it up and configure everything
then use the rpm or deb to save 30 min. off the install

for running production servers USE the RPM for rhel

that is the BEST way to keep uptime UP

Apache2.2 is aging
you really should be "thinking" of migrating to 2.4

but you can wait until Apache 2.6 comes out
you do not have to migrate TODAY
in the next year sometime -- YES
Thank you for your reply. I do like the idea of backporting in that it is a way of fixing security flaws without adding possibly buggy new features that I don't need.

What would be the advantage of updating to 2.6? Currently, I use Apache as a web server with PHP and MySQL.

Thanks,
OH
 