How to upgrade apache to latest version on CentOS 7?

We’ve been required by a recent security report to upgrade to apache 2.4.31 citing “multiple vulnerabilities detected”. However, the latest httpd version available with virtualmin seems to be 2.4.6-97. Is there any way to get the newer apache versions?

SYSTEM INFORMATION
OS type and version CentOS 7.9
Virtualmin version 6.17

Red Hat has patched their vendor provided version of Apache 2.4.6-97 with security patches from up to Apache 2.4.52. It should be noted that Red Hat backports the security patches to the 2.4.6 release. This is passed downstream to CentOS and then repackaged by Virtualmin, so security checks (especially automated ones) will need to take this into account.

You can compare here (you can search the Apache changelog with the CVEs from Red Hat as an example):

https://access.redhat.com/errata/RHSA-2022:0143

And the Apache changelog:

https://downloads.apache.org/httpd/CHANGES_2.4

Here is the version of httpd that I have on a fully patched CentOS 7.9 server managed by Virtualmin:

$ yum info httpd
Installed Packages
Name        : httpd
Arch        : x86_64
Epoch       : 1
Version     : 2.4.6
Release     : 97.el7.vm.4
Size        : 9.4 M
Repo        : installed
From repo   : virtualmin
Summary     : Apache HTTP Server
URL         : http://httpd.apache.org/
License     : ASL 2.0
Description : The Apache HTTP Server is a powerful, efficient, and extensible
            : web server

Thanks a lot Paul - we’ll try upgrading to latest in that case and will see if the vulnerabilities are still detected :+1:

You can use rpm to query whether a specific CVE is addressed in a given package:

rpm -q --changelog <packagename> | grep CVE

This will show all the CVEs that have been applied (it will not include CVEs that were already fixed in the version of the software being packaged, e.g. httpd version 2.4.6 won't list CVEs fixed in 2.4.5 of Apache).

Vulnerability scanners should be aware of the Red Hat and CentOS policy with regard to security updates and how they’re handled. And, you should never install software from random repos or from source to try to address CVEs. You’re pretty much guaranteed to open yourself up to security issues if you do that, because you simply do not have the resources to maintain the security of your software that Red Hat has.

All that said, I see there’s been a new .5 release a few days ago, so I need to rebuild our package for CentOS 7. RHEL8 and derivatives don’t have this problem, as we no longer make a custom Apache build (suexec is no longer needed in the common case, so we simply use the package provided by the OS).

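The two replies above make the same practical point: on CentOS/RHEL the package version string (2.4.6) tells a scanner nothing, and the backported fixes are only visible in the RPM changelog. The script below is an added example, not code from the thread or from Virtualmin, that automates the check Joe describes: it pulls every CVE identifier out of changelog text and reports which entries from a scanner's list are covered. The changelog text embedded in it is constructed for illustration and is not a copy of a real httpd changelog; on a live host you would feed it `rpm -q --changelog httpd` instead. `CVE-2099-0001` is a made-up identifier standing in for a finding the package does not address.

```sh
#!/bin/sh
# Added example: compare a scanner's CVE list against the CVEs named in an
# RPM changelog. Red Hat backports fixes to 2.4.6, so only the changelog,
# not the version number, says whether a given CVE is patched.

# Constructed sample of `rpm -q --changelog httpd` output (illustrative
# data only, not a real changelog). Packager name and e-mail are placeholders.
SAMPLE_CHANGELOG='* Wed Jan 12 2022 Example Packager <packager@example.invalid> - 1:2.4.6-97.el7_9.4
- Resolves: CVE-2021-44790 (mod_lua buffer overflow)
- Resolves: CVE-2021-44224 (forward proxy NULL dereference)

* Thu Sep 23 2021 Example Packager <packager@example.invalid> - 1:2.4.6-97.el7_9.2
- Resolves: CVE-2021-40438 (mod_proxy SSRF)
- Resolves: CVE-2021-34798 (NULL pointer dereference in httpd core)'

# Print the sorted, de-duplicated CVE identifiers found in the text on stdin.
extract_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# count_cves TEXT: number of distinct CVE identifiers in TEXT.
count_cves() {
    printf '%s\n' "$1" | extract_cves | wc -l | tr -d ' '
}

# cves_in_changelog TEXT CVE...
# Prints one line per CVE and returns 0 only when every CVE named on the
# command line appears in TEXT; otherwise returns 1 so it can gate a script.
cves_in_changelog() {
    text=$1
    shift
    found=$(printf '%s\n' "$text" | extract_cves)
    status=0
    for cve in "$@"; do
        if printf '%s\n' "$found" | grep -qx "$cve"; then
            printf '%s: fixed in package changelog\n' "$cve"
        else
            # Not listed: either unfixed, or fixed upstream before the packaged
            # version (check CHANGES_2.4), or not applicable to this build.
            printf '%s: NOT found in changelog, check upstream CHANGES_2.4\n' "$cve"
            status=1
        fi
    done
    return $status
}

# On a real CentOS/RHEL host, replace the sample with the live changelog:
#   cves_in_changelog "$(rpm -q --changelog httpd)" CVE-2021-44790 CVE-2021-44224
# CVE-2099-0001 below is a made-up identifier for a finding that is not covered.
cves_in_changelog "$SAMPLE_CHANGELOG" CVE-2021-44790 CVE-2021-44224 CVE-2099-0001 \
    || echo "some scanner findings are not accounted for by this package"
```

Because `rpm -q --changelog` only lists fixes the packager applied on top of the upstream release, a CVE missing from the output still has to be cross-checked against the upstream CHANGES_2.4 file linked above before it is treated as unpatched.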

That's great, thanks a lot Joe - informative & helpful as always :pray:
