I’ve been tasked with upgrading Apache 2.2.25 because of PCI compliance issues. I tried but only managed to break Apache.
Does anyone know if it’s even possible to upgrade to Apache 2.2.25 under this server config? Or do we need to upgrade to CentOS 6x to achieve this?
Trying to test it over the weekend, so any help would be greatly appreciated!
RHEL/CentOS backports security fixes into the Apache version they ship.
So although it appears that the Apache version is older, it actually isn’t: it contains all the applicable security fixes.
Even CentOS 6 doesn’t have Apache 2.2.25, it only provides 2.2.15 – but again, same idea – RHEL/CentOS ships with one particular Apache version, and then to maintain stability, they backport bug and security fixes into that particular Apache version.
PCI companies should understand that though – you should be able to tell them they’re seeing a false positive.
Eric, thanks for the response. I don’t go through this process a lot, so I appreciate your help.
I did find this ref site for listing patches based on subversion:
We’ve got httpd 2.2.3-76.vm installed. The patch listing goes up to httpd-2.2.3-82.
httpd-2.2.3-82.el5_9.x86_64 [1.3 MiB] Changelog by Jan Kaluza (2013-08-02):
- mod_dav: add security fix for CVE-2013-1896 (#991366)
httpd-2.2.3-81.el5_9.x86_64 [1.3 MiB] Changelog by Joe Orton (2013-06-13):
- mod_mem_cache: thread-safety fixes (Jan Kaluza, #970994)
httpd-2.2.3-78.el5_9.x86_64 [1.3 MiB] Changelog by Joe Orton (2013-04-29):
- mod_rewrite: add security fix for CVE-2013-1862 (#953729)
httpd-2.2.3-76.el5_9.x86_64 [1.3 MiB] Changelog by Joe Orton (2012-11-19):
When I use YUM to update httpd, it says we’re up to the latest version:
[root@host ~]# yum install httpd
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
Question: in order to update to the latest version (2.2.3-82), do I need to add a new repo location and/or force an update? Webmin likes a specific way for Apache to be installed, so are we stuck with .76 until they build a version supported by Webmin/Virtualmin?
Hrm, it looks like the Apache version is indeed behind what should be available. I’ve bugged Joe to kick out a new version, as that should match what’s available for CentOS. Thanks for the heads up!
For all those who need to be on the latest patched version (i.e. everyone), I’d consider it a high priority! It’s either that or force the RPM install and recompile suexec to have a new web doc dir, but that’s problematic too because I can’t find any Apache source file to work with!
Is it possible to get even a rough ETA on the rollout? If it’s going to be a while, I should work on compiling a new suexec and forcing the install in Webmin. I appreciate your help with this!
Sorry for the delay… it should hopefully be soon. I’ll bug Joe about it again.
An update to httpd from 2.2.3-76.vm to 2.2.3-82.el5.centos.vm is available.
An update to mod_ssl from 2.2.3-76.vm to 2.2.3-82.el5.centos.vm is available.
2.2.3-82 is supposed to be PCI compliant, so thank you and Joe for the rollout!
vanarie, can you please enlighten me how exactly to install 2.2.3-82 on a Virtualmin server? Won’t using the rpm package conflict with the existing Apache/2.2.15?
Eric, we are facing the same issue with PCI requirements. I referenced your post to them, but they don’t want to “understand”, replying:
Thank you for the previously supplied information.
Visiting http://httpd.apache.org/security/vulnerabilities_22.html appears to show that Apache did not address CVE-2013-1862 until Apache 2.2.25. Since this finding affects PCI DSS Compliance, it does need to be confirmed that it has been addressed in some fashion.
What kind of additional information could I provide in this case?
You can review the RHEL/CentOS security errata to see when a particular vulnerability was addressed.
In the case of CVE-2013-1862, you can read about that here:
That shows the issue being corrected in Apache version httpd-2.2.15-28 in RHEL/CentOS version 6, and httpd-2.2.3-78.el5 in RHEL/CentOS version 5.
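The approach Eric describes (proving a fix is present by checking the package changelog and errata rather than the upstream version string) can be scripted so the evidence is reproducible for the PCI assessor. The following is an added example, not code from the thread or from Webmin/Virtualmin: it parses rpm-style changelog text for a CVE id, extracts the release that introduced the fix, and compares it against the installed version-release. The changelog excerpt embedded below is a constructed sample modelled on the entries quoted earlier in the thread; author e-mail addresses are omitted. It assumes the httpd-style `X.Y.Z-R` version scheme and ignores dist tags such as `.el5_9` or `.vm`, which do not change which fixes are included.

```shell
#!/bin/sh
# Added example: verify a backported CVE fix on RHEL/CentOS by reading the
# package changelog instead of trusting the upstream version number.
# On a real host replace the sample with:
#   rpm -q --changelog httpd | check_cve_backported CVE-2013-1862 \
#       "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' httpd)"

# Constructed sample in the format `rpm -q --changelog` prints (not real output).
SAMPLE_CHANGELOG='* Fri Aug 02 2013 Jan Kaluza - 2.2.3-82
- mod_dav: add security fix for CVE-2013-1896 (#991366)

* Thu Jun 13 2013 Joe Orton - 2.2.3-81
- mod_mem_cache: thread-safety fixes (Jan Kaluza, #970994)

* Mon Apr 29 2013 Joe Orton - 2.2.3-78
- mod_rewrite: add security fix for CVE-2013-1862 (#953729)

* Mon Nov 19 2012 Joe Orton - 2.2.3-76
- constructed filler entry with no CVE reference'

# Print the newest version-release whose changelog entry mentions the CVE in $1.
# Reads changelog text on stdin; exits 1 when the CVE is never mentioned.
cve_fix_release() {
    awk -v cve="$1" '
        /^\* / { release = $NF }                 # header ends in "- <ver-rel>"
        index($0, cve) > 0 && release != "" { print release; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# Turn "2.2.3-78.el5_9" into a sortable integer key; the leading 1 keeps the
# key from starting with a zero. Assumes X.Y.Z-R; dist tags are dropped.
release_key() {
    echo "$1" | awk -F'[-.]' '{
        rel = $4; sub(/[^0-9].*/, "", rel)       # "78" stays "78", "78el5" -> "78"
        printf "1%03d%03d%03d%05d\n", $1, $2, $3, rel
    }'
}

# Return 0 if installed version-release $1 is at or above $2.
release_at_least() {
    [ "$(release_key "$1")" -ge "$(release_key "$2")" ]
}

# $1 = CVE id, $2 = installed version-release, changelog on stdin.
# Exit 0 = patched, 1 = not patched, 2 = no evidence in the changelog.
check_cve_backported() {
    fixed_in=$(cve_fix_release "$1") || { echo "$1: no changelog entry found"; return 2; }
    if release_at_least "$2" "$fixed_in"; then
        echo "$1: fixed in $fixed_in, installed $2 -> patched"
    else
        echo "$1: fixed in $fixed_in, installed $2 -> NOT patched, update needed"
        return 1
    fi
}

# Demo against the constructed sample: the thread's 2.2.3-76.vm versus 2.2.3-82.
printf '%s\n' "$SAMPLE_CHANGELOG" | check_cve_backported CVE-2013-1862 2.2.3-76.vm || true
printf '%s\n' "$SAMPLE_CHANGELOG" | check_cve_backported CVE-2013-1862 2.2.3-82.el5.centos.vm || true
```

The changelog line plus the `rpm -q` output is the artefact to hand to the assessor: it names the CVE, the bug number and the exact release that carries the fix, which is what the upstream version table at httpd.apache.org cannot show for a distribution-patched package.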
Thanks, Eric, for this information. I hope this time they will accept it.