RHEL/CentOS backports security fixes into the Apache version they ship.
So although it appears that the Apache version is older – it actually isn’t, it contains all the applicable security fixes.
Even CentOS 6 doesn’t have Apache 2.2.25, it only provides 2.2.15 – but again, same idea – RHEL/CentOS ships with one particular Apache version, and then to maintain stability, they backport bug and security fixes into that particular Apache version.
PCI companies should understand that though – you should be able to tell them they’re seeing a false positive.
We’ve got httpd 2.2.3-76.vm installed. The patch listing goes up to httpd-2.2.3-82 as follows:
httpd-2.2.3-82.el5_9.x86_64 [1.3 MiB] Changelog by Jan Kaluza (2013-08-02):
mod_dav: add security fix for CVE-2013-1896 (#991366)
httpd-2.2.3-81.el5_9.x86_64 [1.3 MiB] Changelog by Joe Orton (2013-06-13):
mod_mem_cache: thread-safety fixes (Jan Kaluza, #970994)
httpd-2.2.3-78.el5_9.x86_64 [1.3 MiB] Changelog by Joe Orton (2013-04-29):
mod_rewrite: add security fix for CVE-2013-1862 (#953729)
httpd-2.2.3-76.el5_9.x86_64 [1.3 MiB] Changelog by Joe Orton (2012-11-19):
rebuild
When I use YUM to update httpd, it says we’re up to the latest version:
[root@host ~]# yum install httpd
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
updates: mirrors.gigenet.com
Setting up Install Process
Package 1:httpd-2.2.3-76.vm.x86_64 already installed and latest version
Nothing to do
Question: in order to update to the latest version (2.2.3-82), do I need to add a new repo location and/or force an update? Webmin likes a specific way for apache to be installed, so are we stuck with .76 until they build a version supported by Webmin/Virtualmin?
Hrm, it looks like the Apache version is indeed behind what should be available. I’ve bugged Joe to kick out a new version, as that should match what’s available for CentOS. Thanks for the heads up!
For all those who need to be on the latest patched version (i.e. everyone), I’d consider it a high priority! It’s either that or force the RPM install and recompile suexec to have a new web doc dir, but that’s problematic too because I can’t find any Apache source file to work with!
Is it possible to get even a rough ETA on the rollout? If it’s going to be a while, I should work on compiling a new suexec and forcing the install in Webmin. I appreciate your help with this!
An update to httpd from 2.2.3-76.vm to 2.2.3-82.el5.centos.vm is available.
An update to mod_ssl from 2.2.3-76.vm to 2.2.3-82.el5.centos.vm is available.
2.2.3-82 is supposed to be PCI compliant, so thank you and Joe for the rollout!
vanarie, can you please enlighten me how exactly to install 2.2.3-82 on Virtualmin server? Won’t using rpm package conflict with existing Apache/2.2.15?
Eric, we are facing the same issue with PCI requirements. I referenced your post to them, but they don’t want to “understand”, replying:
Thank you for the previously supplied information.
Visiting http://httpd.apache.org/security/vulnerabilities_22.html appears to show that Apache did not address CVE-2013-1862 until Apache 2.2.25. Since this finding affects PCI DSS Compliance, it does need to be confirmed that it has been addressed in some fashion.
What kind of additional information could I provide in this case?
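The evidence an assessor usually accepts for a backported fix is the package changelog, because Red Hat records the CVE number in the changelog entry of the build that carries the backport (exactly as in the 2.2.3-78 entry for CVE-2013-1862 listed above). The following script is an added example and not something posted in this thread or shipped by Virtualmin; it reads changelog text on standard input, which on a real host comes from `rpm -q --changelog httpd`, and reports the release in which a given CVE is first mentioned. The sample changelog entries embedded in it are constructed from the releases quoted above (dates and names as listed, maintainer e-mail addresses omitted).

```shell
#!/bin/sh
# Added example: confirm that a CVE fix has been backported into the installed
# httpd package by looking for the CVE id in the RPM changelog.
# On a real host feed the function with:  rpm -q --changelog httpd

# Constructed sample of the changelog for the 2.2.3-82 build (abbreviated,
# e-mail addresses left out). Entries are newest first, as rpm prints them.
SAMPLE_CHANGELOG_82='* Fri Aug 02 2013 Jan Kaluza - 2.2.3-82
- mod_dav: add security fix for CVE-2013-1896 (#991366)

* Thu Jun 13 2013 Joe Orton - 2.2.3-81
- mod_mem_cache: thread-safety fixes (Jan Kaluza, #970994)

* Mon Apr 29 2013 Joe Orton - 2.2.3-78
- mod_rewrite: add security fix for CVE-2013-1862 (#953729)

* Mon Nov 19 2012 Joe Orton - 2.2.3-76
- rebuild
'

# Constructed sample of the changelog for the older 2.2.3-76 build: a
# package's changelog only reaches back from its own release, so the
# mod_rewrite fix does not appear here.
SAMPLE_CHANGELOG_76='* Mon Nov 19 2012 Joe Orton - 2.2.3-76
- rebuild
'

# changelog_fix_release CVE-ID
# Reads an rpm changelog on stdin. Prints the version-release of the entry
# that mentions the CVE and returns 0; prints nothing and returns 1 if the
# CVE is absent. The CVE id must be followed by a non-digit so that
# CVE-2013-1862 does not match a hypothetical CVE-2013-18620.
changelog_fix_release() {
    cve="$1"
    awk -v cve="$cve" '
        /^\* /                          { rel = $NF }   # header: last field is version-release
        $0 ~ (cve "([^0-9]|$)") && rel != "" { print rel; found = 1; exit }
        END                             { exit found ? 0 : 1 }
    '
}

# Demo against the constructed samples. Replace the printf with
# `rpm -q --changelog httpd` to check the package actually installed.
for cve in CVE-2013-1862 CVE-2013-1896; do
    for rel in 82 76; do
        eval "log=\$SAMPLE_CHANGELOG_$rel"
        if fixed_in=$(printf '%s' "$log" | changelog_fix_release "$cve"); then
            echo "httpd-2.2.3-$rel: $cve backported in $fixed_in"
        else
            echo "httpd-2.2.3-$rel: $cve NOT mentioned in changelog"
        fi
    done
done
```

A hit on the installed package's own changelog is the statement to hand back to the scanning vendor: the package carries the fix even though the Apache version string stays 2.2.3. A miss, as for 2.2.3-76 above, means the finding is real until the newer build is installed.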