Upgrade to Apache 2.2.32 by Yum install

aebo
Posts: 1
Joined: 2017/04/10 09:43:49

Upgrade to Apache 2.2.32 by Yum install

Post by aebo » 2017/04/10 09:56:32

I manage the following environment.

CentOS 6.4
Apache 2.2.27

How can I upgrade to Apache 2.2.32, which is the latest version as of April 2017, by Yum?
I would like to upgrade it for security reasons but cannot find how to do it by "Yum".

I would appreciate it if someone could help.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Upgrade to Apache 2.2.32 by Yum install

Post by TrevorH » 2017/04/10 10:55:45

First off: DO NOT RUN CentOS 6.4. It is old, out of date and has severe security vulnerabilities. It has received no updates since the release of 6.5 in late 2013. You need to yum update to get to 6.9 ASAP.

Second, we do not ship apache httpd 2.2.27 or 2.2.32. We ship 2.2.15 with CentOS 6. You do not need to upgrade this for "security reasons" as RH backport security fixes from newer versions to the older one. Please see the upstream "backporting" link https://access.redhat.com/security/updates/backporting

If you have gone outside the RHEL/CentOS supplied apache httpd 2.2.15 (which it sounds like you have if you are currently using 2.2.27) then you are creating work for yourself. We do not support external packages, they will not be patched by us and you will need to subscribe to the Apache security mailing lists to discover when new releases come out to fix urgent problems.

If you have PCI auditors requesting that you update to a newer version then ask them for the specific CVE numbers they are concerned about. You can then look at the rpm changelog for that CVE using e.g. rpm -q --changelog httpd | grep CVE-yyyy-nnnn to see if that CVE is listed in the changelog as being fixed. If it is not listed then check the RH CVE website for the specific CVE - e.g. https://access.redhat.com/security/cve/CVE-2014-0224 and see if the problem is even applicable to RHEL to start with. Often CVEs that are not listed in the rpm changelog can be found there and they will say things like "not affected as this option is not enabled in RHEL builds" (or words to that effect). If they will not accept this, get better auditors!

You should probably investigate your current httpd and where it came from and look at backleveling it to the CentOS supplied 2.2.15 as it's more likely to be secure.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jlib
Posts: 1
Joined: 2017/08/15 02:04:47

Re: Upgrade to Apache 2.2.32 by Yum install

Post by jlib » 2017/08/15 02:49:55

Aebo, as an example of that backporting that TrevorH mentioned, if you update your httpd version from the base install of httpd 2.2.15.xx to 2.2.15.60 as of this date you will get the security updates to 2.2.32 you are seeking without stepping out of the normal updates channel.

The only thing to be aware of is that there may be some lag time before patches filter down. For example, httpd 2.2.34 important security fixes are not yet available. So you want to keep an eye out for 2.2.15.61 or greater in yum and fend off the buzzards in the meantime.

I use the CVE number that is sent to me by the security scanners along with Apache's httpd 2.2 vulnerabilities website and Redhat's Product Errata website to determine when things have been patched.
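
The changelog check described in this thread, extended to a whole list of scanner-reported CVE ids; this is an added example, not code from any of the posters. The function name `triage_cves`, the sample changelog and the `CVE-2099-*` ids are constructed placeholders.

```shell
#!/bin/sh
# Added example: check scanner-reported CVE ids against an rpm changelog.
# On a real host: rpm -q --changelog httpd | triage_cves CVE-yyyy-nnnn ...

# Constructed sample changelog with placeholder CVE ids (not real httpd history).
sample_changelog() {
cat <<'EOF'
* Thu Jan 01 2099 Example Packager <packager@example.invalid> - 2.2.15-99
- add security fix for CVE-2099-0001
- mod_example: fix CVE-2099-00020 (longer id that contains a shorter one)
EOF
}

# stdin: changelog text; arguments: CVE ids.
# Prints "<id> listed-in-changelog", "<id> check <url>" or "<id> invalid-id".
triage_cves() {
    changelog=$(cat)
    for cve in "$@"; do
        # Reject anything that is not a well-formed CVE id before matching.
        if ! printf '%s\n' "$cve" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$'; then
            echo "$cve invalid-id"
            continue
        fi
        # -w stops CVE-2099-0002 from matching inside CVE-2099-00020;
        # -F treats the id as a fixed string, not a regex.
        if printf '%s\n' "$changelog" | grep -qwF -- "$cve"; then
            echo "$cve listed-in-changelog"
        else
            # Not listed does not mean vulnerable: the vendor CVE page may
            # state that the RHEL/CentOS build is not affected.
            echo "$cve check https://access.redhat.com/security/cve/$cve"
        fi
    done
}

# Demo run on the constructed sample.
sample_changelog | triage_cves CVE-2099-0001 CVE-2099-0002 'CVE-2099-*'
```

A plain `grep CVE-2099-0002` would report a hit on the sample because of the longer id, which is why the whole-word match matters when feeding in a list from a scanner.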
