Is it possible to upgrade Apache to 2.2.25 in Webmin/CentOS 5.9? Anyone know how?

#1 Sat, 09/28/2013 - 15:45
vanarie


I've been tasked with upgrading Apache to 2.2.25 because of PCI compliance issues. I tried but only managed to break Apache.

Does anyone know if it's even possible to upgrade to Apache 2.2.25 under this server config? Or do we need to upgrade to CentOS 6.x to achieve this?

Trying to test it over the weekend, so any help would be greatly appreciated!

Thanks, Arie

Sun, 09/29/2013 - 08:07
andreychek

Howdy,

RHEL/CentOS backports security fixes into the Apache version they ship.

So although it appears that the Apache version is older -- it actually isn't: it contains all the applicable security fixes.

Even CentOS 6 doesn't have Apache 2.2.25, it only provides 2.2.15 -- but again, same idea -- RHEL/CentOS ships with one particular Apache version, and then to maintain stability, they backport bug and security fixes into that particular Apache version.

PCI companies should understand that though -- you should be able to tell them they're seeing a false positive.

-Eric

Sun, 09/29/2013 - 14:21 (Reply to #2)
vanarie

Eric, thanks for the response. I don't go through this process a lot, so I appreciate your help.

I did find this ref site for listing patches based on subversion: http://linuxsoft.cern.ch/cern/slc5X/x86_64/yum/updates/repoview/httpd.html

We've got httpd 2.2.3-76.vm installed. The patch listing goes up to httpd-2.2.3-82, as follows:

httpd-2.2.3-82.el5_9.x86_64 [1.3 MiB] Changelog by Jan Kaluza (2013-08-02):
- mod_dav: add security fix for CVE-2013-1896 (#991366)
httpd-2.2.3-81.el5_9.x86_64 [1.3 MiB] Changelog by Joe Orton (2013-06-13):
- mod_mem_cache: thread-safety fixes (Jan Kaluza, #970994)
httpd-2.2.3-78.el5_9.x86_64 [1.3 MiB] Changelog by Joe Orton (2013-04-29):
- mod_rewrite: add security fix for CVE-2013-1862 (#953729)
httpd-2.2.3-76.el5_9.x86_64 [1.3 MiB] Changelog by Joe Orton (2012-11-19):
- rebuild

When I use YUM to update httpd, it says we're up to the latest version:

[root@host ~]# yum install httpd
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
* Webmin: download.webmin.com
* base: mirrors.usinternet.com
* extras: mirror.stanford.edu
* updates: mirrors.gigenet.com
Setting up Install Process
Package 1:httpd-2.2.3-76.vm.x86_64 already installed and latest version
Nothing to do

Question: in order to update to the latest version (2.2.3-82), do I need to add a new repo location and/or force an update? Webmin likes a specific way for apache to be installed, so are we stuck with .76 until they build a version supported by Webmin/Virtualmin?

Thanks!

Wed, 10/30/2013 - 17:46 (Reply to #3)
yngens

Eric, we are facing the same issue with PCI requirements. I referenced your post to them, but they don't want to "understand", replying:

Thank you for the previously supplied information.

Visiting http://httpd.apache.org/security/vulnerabilities_22.html appears to show that Apache did not address CVE-2013-1862 until Apache 2.2.25. Since this finding affects PCI DSS Compliance, it does need to be confirmed that it has been addressed in some fashion.

What kind of additional information could I provide in this case?

Wed, 10/30/2013 - 22:52 (Reply to #4)
andreychek

You can review the RHEL/CentOS security errata to see when a particular vulnerability was addressed.

In the case of CVE-2013-1862, you can read about that here:

https://rhn.redhat.com/errata/RHSA-2013-0815.html

That shows the issue being corrected in Apache version httpd-2.2.15-28 in RHEL/CentOS version 6, and httpd-2.2.3-78.el5 in RHEL/CentOS version 5.

-Eric
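To turn Eric's two points (the fixes are backported, and the errata/changelog is the evidence) into something an auditor can be shown, here is an added example that is not from the thread and not part of Webmin or Virtualmin. It reads an RPM changelog in the layout `rpm -q --changelog httpd` prints, finds the newest build that mentions a given CVE, and compares its numeric release with the installed build. The sample changelog is constructed from the entries quoted earlier in this thread; the maintainer e-mail addresses in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): show that a CVE is fixed in the installed
# httpd build by reading the RPM changelog, the same evidence the RHEL errata give.
# SAMPLE_CHANGELOG is constructed from entries quoted in this thread, in the layout
# `rpm -q --changelog httpd` prints; the e-mail addresses are placeholders.

SAMPLE_CHANGELOG='* Fri Aug 02 2013 Jan Kaluza <placeholder@example.com> - 2.2.3-82.el5_9
- mod_dav: add security fix for CVE-2013-1896 (#991366)

* Thu Jun 13 2013 Joe Orton <placeholder@example.com> - 2.2.3-81.el5_9
- mod_mem_cache: thread-safety fixes (Jan Kaluza, #970994)

* Mon Apr 29 2013 Joe Orton <placeholder@example.com> - 2.2.3-78.el5_9
- mod_rewrite: add security fix for CVE-2013-1862 (#953729)

* Mon Nov 19 2012 Joe Orton <placeholder@example.com> - 2.2.3-76.el5_9
- rebuild'

# cve_fixed_in CHANGELOG_TEXT CVE-ID
# Prints the version-release of the newest changelog entry that mentions the CVE
# and returns 0; prints nothing and returns 1 if the CVE never appears.
cve_fixed_in() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        /^\* / { ver = $NF }                                 # header: last field is version-release
        index($0, cve) && ver != "" { print ver; exit 0 }    # first (newest) entry naming the CVE
    ' | grep .
}

# release_num VERSION-RELEASE
# Prints the leading number of the release field (2.2.3-76.vm -> 76).
release_num() {
    printf '%s\n' "$1" | sed -n 's/^[^-]*-\([0-9][0-9]*\).*/\1/p'
}

# has_fix INSTALLED_VR CVE-ID CHANGELOG_TEXT
# Returns 0 when the installed build is at least as new as the build that fixes the CVE.
# Simplification (assumption): both builds share the same upstream version (2.2.3 here),
# so only the numeric release is compared. For a full RPM EVR comparison use rpmdev-vercmp.
has_fix() {
    fix_vr=$(cve_fixed_in "$3" "$2") || return 1
    [ "$(release_num "$1")" -ge "$(release_num "$fix_vr")" ]
}

# Live use on a CentOS box: query the real package. Skipped where rpm is absent.
if command -v rpm >/dev/null 2>&1; then
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' httpd 2>/dev/null) &&
    has_fix "$installed" CVE-2013-1862 "$(rpm -q --changelog httpd)" &&
        echo "httpd $installed includes the fix for CVE-2013-1862" ||
        echo "httpd: no installed build found whose changelog lists CVE-2013-1862"
fi
```

Against the constructed sample, `has_fix 2.2.3-76.vm CVE-2013-1862 "$SAMPLE_CHANGELOG"` fails (the fix landed in release 78, matching the errata Eric cites), while `has_fix 2.2.3-82.el5.centos.vm CVE-2013-1862 "$SAMPLE_CHANGELOG"` succeeds. The output of the live branch, together with the RHSA link, is the kind of written evidence a PCI scanner's false positive can be answered with.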

Fri, 11/01/2013 - 01:10 (Reply to #5)
yngens

Thanks, Eric, for this information. I hope this time they will accept it.

Sun, 09/29/2013 - 21:13
andreychek

Hrm, it looks like the Apache version is indeed behind what should be available. I've bugged Joe to kick out a new version, as that should match what's available for CentOS. Thanks for the heads up!

-Eric

Mon, 09/30/2013 - 09:08
vanarie

For all those who need to be on the latest patched version (i.e. everyone), I'd consider it a high priority! :) It's either that or force the RPM install and recompile suexec to have a new web doc dir, but that's problematic too because I can't find any Apache source file to work with! :(

Tue, 10/01/2013 - 11:07
vanarie

Is it possible to get even a rough ETA on the rollout? If it's going to be a while, I should work on compiling a new suexec and forcing the install in Webmin. I appreciate your help with this!

Thanks! -Arie

Tue, 10/01/2013 - 12:23
andreychek

Sorry for the delay... it should hopefully be soon, I'll bug Joe about it again :-)

Fri, 10/11/2013 - 10:12
vanarie

An update to httpd from 2.2.3-76.vm to 2.2.3-82.el5.centos.vm is available. An update to mod_ssl from 2.2.3-76.vm to 2.2.3-82.el5.centos.vm is available.

2.2.3-82 is supposed to be PCI compliant, so thank you and Joe for the rollout!

Tue, 10/22/2013 - 20:08 (Reply to #11)
yngens

vanarie, can you please enlighten me how exactly to install 2.2.3-82 on a Virtualmin server? Won't using the rpm package conflict with the existing Apache/2.2.15?
