Apache Update 2.4.51 released 10/7/21 for CentOS 7 or 8

What is the path/plan to upgrade Apache to Update 2.4.51 released 10/7/21 so that we can adhere to the CVEs for hosting?

Currently on Server version: Apache/2.4.37 (centos)

You should not do that.

You should run the current packaged version of Apache for your distro. CentOS backports all relevant CVEs to their httpd package (or, probably more accurately, Red Hat patches it, and CentOS packages those patches). On CentOS 8, you’re running the CentOS version of httpd and if this bug affects the version they’re shipping, they will release a patch. On CentOS 7, we repackage it (for suexec support), and will have to roll a new release when CentOS does. Red Hat reports these CVEs are “under investigation”. They will roll a release if the packages in RHEL7 and RHEL8 are affected, and CentOS will follow soon after. It does not appear to me, based on a brief reading, that either of the CVEs addressed by 2.4.51 affects the packages provided by CentOS/RHEL 7 or 8. They seem to affect 2.4.49 and 2.4.50, which are not the versions found in CentOS 7 or 8. (From the CVE: “This issue only affects Apache 2.4.49 and not earlier versions.”)

CentOS ships the same version of every package throughout the life of the distribution, with security patches backported into it. This is a feature, not a bug. If you don’t like this feature, CentOS is the wrong OS for you (but you should love this feature).

You should never strike out on your own for an important package like Apache.
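Added example, not part of the reply above: because fixes are backported, the upstream version string (2.4.37) says nothing about which CVEs are patched, so the check is to read the package changelog instead. The function names `sample_changelog` and `report_cves` are hypothetical, and the CVE ids, bug numbers and release numbers in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example: look for backported CVE fixes in an RPM changelog
# instead of comparing upstream version numbers.

# Constructed sample in the layout printed by `rpm -q --changelog httpd`.
# All ids and release numbers below are placeholders, not real data.
sample_changelog() {
cat <<'EOF'
* Tue Oct 12 2021 Example Packager <packager@example.com> - 2.4.37-99
- Resolves: #0000001 - CVE-0000-00001 httpd: constructed sample entry

* Mon Sep 06 2021 Example Packager <packager@example.com> - 2.4.37-98
- Resolves: #0000002 - CVE-0000-00002 httpd: another constructed entry
EOF
}

# report_cves CVE-ID...
# Reads changelog text on stdin and prints one line per CVE id: the
# version-release of the first entry mentioning it (rpm lists newest
# entries first), or NOT FOUND. Exit status = number of ids not found.
# The body runs in a subshell so its variables do not leak to the caller.
report_cves() (
    log=$(cat)
    missing=0
    for cve in "$@"; do
        rel=$(printf '%s\n' "$log" | awk -v id="$cve" '
            /^\* / { rel = $NF }          # entry header ends in version-release
            $0 ~ (id "([^0-9]|$)") { print rel; exit }   # exact id, not a longer one
        ')
        if [ -n "$rel" ]; then
            echo "$cve mentioned in $rel"
        else
            echo "$cve NOT FOUND in changelog"
            missing=$((missing + 1))
        fi
    done
    exit "$missing"
)

# Demo on the constructed sample. On a real host, feed in the installed package:
#   rpm -q --changelog httpd | report_cves CVE-XXXX-XXXXX
sample_changelog | report_cves CVE-0000-00001 CVE-0000-00003 || true
```

A NOT FOUND result means the packager shipped no fix under that id; as the reply notes, that is also what you see when the packaged version was never affected, so confirm against the vendor's CVE page before concluding anything.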
