Migrate Centos7 to a new server

Ok, official word now seems to be: Use version 8. So does Cloudmin now support CentOS/RHEL8? Last time I tried, I could not get it to work.

rpm -q --changelog <package-name>

You can look for the CVEs that have been applied.


e.g.:

rpm -q --changelog httpd|grep CVE
- Resolves: #1677590 - CVE-2018-17199 httpd:2.4/httpd: mod_session_cookie does
- Resolves: #1869075 - CVE-2020-11984 httpd:2.4/httpd: mod_proxy_uswgi buffer
- Resolves: #1823263 (CVE-2020-1934) - CVE-2020-1934 httpd: mod_proxy_ftp use of
- Resolves: #1823259 - CVE-2020-1927 httpd:2.4/httpd: mod_rewrite configurations
- Resolves: #1747284 - CVE-2019-10098 httpd:2.4/httpd: mod_rewrite potential
- Resolves: #1747281 - CVE-2019-10092 httpd:2.4/httpd: limited cross-site 
- Resolves: #1747291 - CVE-2019-10097 httpd:2.4/httpd: null-pointer dereference
- Resolves: #1744999 - CVE-2019-9511 httpd:2.4/mod_http2: HTTP/2: large amount
- Resolves: #1745086 - CVE-2019-9516 httpd:2.4/mod_http2: HTTP/2: 0-length
- Resolves: #1745154 - CVE-2019-9517 httpd:2.4/mod_http2: HTTP/2: request for
- Resolves: #1696142 - CVE-2019-0217 httpd:2.4/httpd: mod_auth_digest: access
- Resolves: #1696097 - CVE-2019-0220 httpd:2.4/httpd: URL normalization
- Resolves: #1695432 - CVE-2019-0211 httpd: privilege escalation
- Resolves: #1696091 - CVE-2019-0215 httpd:2.4/httpd: mod_ssl: access control 
- add security fix for CVE-2019-0190 (#1671282)
- Address CVE-2017-9798 by applying patch from upstream (#1490344)
- Address CVE-2017-9798 by applying patch from upstream (#1490344)
- Resolves: #1401530 - CVE-2016-8740 httpd: Incomplete handling of
- add security fix for CVE-2016-5387
- core: fix bypassing of mod_headers rules via chunked requests (CVE-2013-5704)
- mod_cache: fix NULL pointer dereference on empty Content-Type (CVE-2014-3581)
- mod_proxy_fcgi: fix a potential crash with long headers (CVE-2014-3583)
  in multiple Require directives with different arguments (CVE-2014-8109)

Ah OK thanks.

@uinfor is that info about important updates (so CVEs) helping you as a kind of answer?

@Joe

Frankly, I think that either I still don’t understand you or I’m not explaining myself well…

I just installed a new server from scratch (to test) with the latest version almalinux8, I update, install virtualmin, etc… etc… and I find that several important services are outdated, very outdated, we are not talking about new versions, but of major security flaws, and of course I’m surprised and I ask you if that is normal …

Something as important in hosting as Apache has version 2.4.37 installed, while they are on version 2.4.51; each revision is done for a security reason, and there are 14 versions that have NOT been updated. You can see the CVE security holes that were fixed here → https://dlcdn.apache.org//httpd/CHANGES_2.4

And it’s the same with MariaDB, postfix, etc… etc…

@uinfor please do some reading about distro packages; with the command line Joe gave you/me you can find info on what has been updated.

I also have trouble understanding it, but.

Here is some info for CentOS 8:
https://wiki.centos.org/action/show/Manuals/ReleaseNotes/CentOS8.2105

I don’t know whether Alma has the same kind of info.

Some:
https://repo.almalinux.org/almalinux/


For the Apache version in the distro, read Red Hat here:

Where it is stated:

  • Is Red Hat Apache version 2.4.37 current? Cannot find a package with higher version.

Resolution

Apache HTTP Server versions included in currently-supported products

  • Red Hat Enterprise Linux (RHEL) - httpd rpms
    • RHEL 5: based on upstream v2.2.3
    • RHEL 6: based on upstream v2.2.15
    • RHEL 7: based on upstream v2.4.6
    • RHEL 8: based on upstream v2.4.37

There are also notes:

Additional notes

  • Note that the versions of Apache HTTP Server included in the above products are in most cases vastly different from the upstream community releases of the same version
    • This is explained by Red Hat’s Security Backporting Policy and is the most common cause of admins/auditors trying to get a newer version of Apache :wink:
    • For example: EWS 2.1.0 & EAP 6.4.0 include Apache httpd based on upstream v2.2.26; however, they also include multiple CVE security fixes which are not in the original community release of Apache httpd 2.2.26

That link: CVE info


I think I’m finally starting to understand it…

So even if the latest version of Apache is 2.4.51 and I have 2.4.37 installed, my version already has the CVE security patches included in the latest version of Apache, that’s what I thought I understood…
and to check it I do

[root@hosting2 ~]# rpm -q --changelog httpd|grep CVE

  • Resolves: #2007234 - CVE-2021-40438 httpd:2.4/httpd: mod_proxy: SSRF via
  • Resolves: #2007646 - CVE-2021-26691 httpd:2.4/httpd: Heap overflow in
  • Resolves: #1677590 - CVE-2018-17199 httpd:2.4/httpd: mod_session_cookie does
  • Resolves: #1869075 - CVE-2020-11984 httpd:2.4/httpd: mod_proxy_uswgi buffer
  • Resolves: #1823263 (CVE-2020-1934) - CVE-2020-1934 httpd: mod_proxy_ftp use of
  • Resolves: #1823259 - CVE-2020-1927 httpd:2.4/httpd: mod_rewrite configurations
  • Resolves: #1747284 - CVE-2019-10098 httpd:2.4/httpd: mod_rewrite potential
  • Resolves: #1747281 - CVE-2019-10092 httpd:2.4/httpd: limited cross-site
  • Resolves: #1747291 - CVE-2019-10097 httpd:2.4/httpd: null-pointer dereference

And I see for example that the CVE-2021-40438 which is the last one included in my installed package, belongs to an update of Apache version 2.4.49

Changes with Apache 2.4.49

*) SECURITY: CVE-2021-40438 (cve.mitre.org)
mod_proxy: Server Side Request Forgery (SSRF) vulnerability [Yann Ylavic]

*) SECURITY: CVE-2021-39275 (cve.mitre.org)
core: ap_escape_quotes buffer overflow

*) SECURITY: CVE-2021-36160 (cve.mitre.org)
mod_proxy_uwsgi: Out of bound read vulnerability [Yann Ylavic]

*) SECURITY: CVE-2021-34798 (cve.mitre.org)
core: null pointer dereference on malformed request

*) SECURITY: CVE-2021-33193 (cve.mitre.org)
mod_http2: Request splitting vulnerability with mod_proxy [Stefan Eissing]

*) core/mod_proxy/mod_ssl:
Adding outgoing flag to conn_rec, indicating a connection is
initiated by the server to somewhere, in contrast to incoming
connections from clients.
Adding `ap_ssl_bind_outgoing()` function that marks a connection as outgoing and is used by mod_proxy instead of the previous optional function `ssl_engine_set`. This enables other SSL modules to secure proxy connections. The optional functions `ssl_engine_set`, `ssl_engine_disable` and `ssl_proxy_enable` are now provided by the core to have backward compatibility with non-httpd modules that might use them. mod_ssl itself no longer registers these functions, but keeps them in its header for backward compatibility. The core provided optional functions wrap any registered function like it was done for `ssl_is_ssl`.
[Stefan Eissing]

Is this correct?

So I’m calmer; we are not talking about months and years without updates. Anyway, I see that only a few CVEs are included; will that be for security reasons???
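The comparison done by hand above (grep the rpm changelog for CVE IDs, then look up which upstream release fixed each one) can be scripted. The following is an added example, not code from this thread, Virtualmin, Red Hat or the httpd project. It parses `rpm -q --changelog <pkg>` output and the upstream CHANGES_2.4 layout, and for every upstream release newer than the installed base version reports which CVEs the distro changelog mentions and which it does not. The two inputs are constructed samples embedded inline (the rpm lines are those quoted in this thread, the CHANGES excerpt is cut down to a few SECURITY entries); on a real box you would feed it the full `rpm -q --changelog httpd` output and the downloaded CHANGES_2.4 file.

```python
import re
from collections import OrderedDict

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
RELEASE_RE = re.compile(r"^Changes with Apache (\d+\.\d+\.\d+)")

# Constructed sample: lines from `rpm -q --changelog httpd | grep CVE` as
# quoted in this thread for httpd-2.4.37 on AlmaLinux 8 (trimmed).
RPM_CHANGELOG = """\
- Resolves: #2007234 - CVE-2021-40438 httpd:2.4/httpd: mod_proxy: SSRF via
- Resolves: #2007646 - CVE-2021-26691 httpd:2.4/httpd: Heap overflow in
- Resolves: #1677590 - CVE-2018-17199 httpd:2.4/httpd: mod_session_cookie does
- Resolves: #1869075 - CVE-2020-11984 httpd:2.4/httpd: mod_proxy_uswgi buffer
- Resolves: #1823263 (CVE-2020-1934) - CVE-2020-1934 httpd: mod_proxy_ftp use of
"""

# Constructed sample in the layout of upstream CHANGES_2.4, cut down to a few
# SECURITY entries (the 2.4.49 ones are those quoted in the thread).
UPSTREAM_CHANGES = """\
Changes with Apache 2.4.49

  *) SECURITY: CVE-2021-40438 (cve.mitre.org)
     mod_proxy: Server Side Request Forgery (SSRF) vulnerability [Yann Ylavic]

  *) SECURITY: CVE-2021-39275 (cve.mitre.org)
     core: ap_escape_quotes buffer overflow

  *) SECURITY: CVE-2021-36160 (cve.mitre.org)
     mod_proxy_uwsgi: Out of bound read vulnerability [Yann Ylavic]

  *) SECURITY: CVE-2021-34798 (cve.mitre.org)
     core: null pointer dereference on malformed request

  *) SECURITY: CVE-2021-33193 (cve.mitre.org)
     mod_http2: Request splitting vulnerability with mod_proxy [Stefan Eissing]

Changes with Apache 2.4.48

  *) SECURITY: CVE-2021-26691 (cve.mitre.org)
     mod_session: Heap overflow via a crafted SessionHeader value

Changes with Apache 2.4.37

  *) SECURITY: CVE-2018-11763 (cve.mitre.org)
     mod_http2: DoS via continuous SETTINGS frames
"""


def parse_rpm_changelog(text):
    """Set of every CVE ID mentioned anywhere in `rpm -q --changelog` output."""
    return set(CVE_RE.findall(text))


def parse_upstream_changes(text):
    """Map upstream release -> CVE IDs listed in that release's SECURITY entries."""
    releases = OrderedDict()
    current = None
    for line in text.splitlines():
        m = RELEASE_RE.match(line)
        if m:
            current = m.group(1)
            releases.setdefault(current, [])
        elif current is not None and "SECURITY:" in line:
            releases[current].extend(CVE_RE.findall(line))
    return releases


def version_key(version):
    """'2.4.9' < '2.4.37' numerically, which a plain string compare gets wrong."""
    return tuple(int(part) for part in version.split("."))


def coverage_report(installed_base, rpm_text, changes_text):
    """Per upstream release newer than installed_base: CVEs the distro
    changelog mentions ('covered') and CVEs it does not ('unmentioned').
    'unmentioned' is a to-do list for checking the vendor's errata, not
    proof of exposure: the affected code may not be in the distro build,
    or the fix may have been recorded without its CVE ID."""
    mentioned = parse_rpm_changelog(rpm_text)
    report = OrderedDict()
    for version, cves in parse_upstream_changes(changes_text).items():
        if version_key(version) <= version_key(installed_base):
            continue  # fixes up to the base release ship in the tarball itself
        report[version] = {
            "covered": sorted(c for c in cves if c in mentioned),
            "unmentioned": sorted(c for c in cves if c not in mentioned),
        }
    return report


if __name__ == "__main__":
    for version, result in coverage_report("2.4.37", RPM_CHANGELOG, UPSTREAM_CHANGES).items():
        print(f"upstream {version}: covered={result['covered']} "
              f"unmentioned={result['unmentioned']}")
```

With the constructed inputs the report skips 2.4.37 (the base the package is built from), shows 2.4.48's CVE-2021-26691 as covered, and for 2.4.49 shows only CVE-2021-40438 covered with the other four listed as unmentioned. That last list is where the real work starts: check each ID against the vendor's CVE page or `dnf updateinfo list --cves` before concluding anything, since a backport can land under a later build without the changelog text naming the CVE, and some upstream fixes touch code the distro does not ship.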

YUP, I don’t know that either, but:
SOME CVEs are related only to specific versions of Apache, so if that version and those changes were not part of the CentOS distro, then of course there is no need for those CVEs.

Also, I personally think they don’t do all CVEs, only the ones they find important; for example maybe “low” ones, or even some that have no risk in combination with how the CentOS Apache distro is configured and used.
For that you have to “deep dive” into the CVE information itself.

As for the PHP problem that I wrote about above, I surely hope they do backporting there, for example!


He is giving you facts, not opinions.

Ignore them at your own peril.

:joy::joy::joy:

Don’t Torture Yourself, Gomez; That’s My Job

Only giving one example of a backported fix for PHP 5.6.x from Remi here.

If you are using something other than the OS repo distribution, or they don’t backport to old (too old) versions:
Think about it, but don’t make changes yourself before you have good working total BACKUPS!

Ask the OS distro or whatever you use whether they do…

Example:
https://github.com/remicollet/php-src-security/commit/0f2a7ebf53b3787651157f1509c0cd6fc1292a1a.patch

GitHub - remicollet/php-src-security: Security backports for EOL versions of PHP.

Look at the branches there (AND DO READ), e.g. GitHub - remicollet/php-src-security at PHP-5.6-security-backports-openssl11 > This is a fork of the official PHP repository which receives backports of security fixes from maintained branches.

This branch is PHP version 5.6.40 with security fixes and a compatibility fix for OpenSSL 1.1.

So if you need an old version, but also security fixes that are not in your repo distribution, you are at risk, while if you change to such a source, then SUPPORT could be problematic!
