Problem configuring apache httpd with virtualmin after upgrading it to 2.4.54

Due to a compliance issue, we need to install Apache 2.4.54 on CentOS 7. Yum update goes up to 2.4.6 currently.

CentOS Linux 7.9.2009
Virtualmin version 7.3
Webmin version 2.001

After completely uninstalling httpd 2.4.6 on CentOS 7, I upgraded the Apache httpd server to 2.4.54 from source (Download - The Apache HTTP Server Project).

After installing all the required packages, the httpd server is running, but I am having trouble configuring it with Virtualmin. For example, I can't configure SSL on my website. Here is the screenshot.

Any solutions shall be appreciated.

You should find that the security patches in 2.4.54 are rolled into the httpd 2.4.6 package released by Red Hat. There is a CVE list available if you search using Google.

This was a mistake, you should not install random from-source software on a production server. The security risks you face will now be much higher, and you’ll pay a cost in maintenance time forever going forward. The only reasonable way to manage a server is with packages. Even having a compiler on a production system is a code smell, indicative of problems.

PCI compliance companies understand that OS vendors have patched versions of packages. The CentOS 7 package is well-understood by the PCI folks, you just need to show them you’re up to date with your OS packages.

If you insist on going this route, we’ll have a hard time helping you, because now your system is completely unpredictable. We have no idea where you put your installation of Apache (and Webmin doesn’t either, which is why you have this error). You’ll have to tell Webmin in the Webmin->Servers->Apache Web Server module configuration where you put it (it’ll be somewhere in /usr/local, probably, if you just used the defaults when configuring your build).

But, I recommend you reconsider.
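The replies above say that distribution packages carry backported security fixes under an old version number. As an added example (not code from any poster in this thread), this sketch reports which CVE ids are mentioned in an RPM changelog fed on stdin, such as the output of `rpm -q --changelog httpd`. The function names, the sample changelog and its CVE-2099 ids are constructed placeholders.

```shell
#!/bin/sh
# Added example: which CVE ids does a package changelog mention?
# On a live host:  rpm -q --changelog httpd | cve_status CVE-2022-22720 CVE-2022-31813

# Constructed sample in RPM changelog layout; ids and names are placeholders.
SAMPLE_CHANGELOG='* Tue Jan 06 2099 Example Packager <packager@example.invalid> - 2.4.6-99
- Resolves: #0000002 - CVE-2099-00025 httpd: constructed entry
* Mon Jan 05 2099 Example Packager <packager@example.invalid> - 2.4.6-98
- Resolves: #0000001 - CVE-2099-0001 httpd: constructed entry'

# is_cve_id ID: succeeds only for CVE-YYYY-NNNN (four or more trailing digits).
is_cve_id() {
    case "$1" in
        CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]*) ;;
        *) return 1 ;;
    esac
    # Whatever follows the year must be digits only.
    case "${1#CVE-????-}" in
        *[!0-9]*) return 1 ;;
    esac
    return 0
}

# cve_status ID...: reads changelog text on stdin, prints "<id> <status>" per id.
cve_status() {
    changelog=$(cat)
    for id in "$@"; do
        if ! is_cve_id "$id"; then
            echo "$id invalid"
            continue
        fi
        # -F: literal match. -w: whole token, so CVE-2099-0002 does not
        # match inside CVE-2099-00025.
        if printf '%s\n' "$changelog" | grep -qwF -- "$id"; then
            echo "$id listed"
        else
            echo "$id not-listed"
        fi
    done
}
```

A `not-listed` result only means the changelog does not mention the id; the vendor's advisory for that CVE is where to see whether the package is unaffected or fixed in another product stream.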

Hi Paul,
The Red Hat CVE database does not have mitigation for CVE-2022-31813 and CVE-2022-22720 in Apache httpd 2.4.6, which have high severity. Links

Hi Joe, thanks for your answer. As there is no solution to CVE-2022-22720 and CVE-2022-31813 in CentOS 7.9 (2009) (Core) using Apache httpd 2.4.6.

Can we do anything to solve this?

It looks like they are both labelled as ‘fixed’ in the Red Hat Software Collections for Red Hat Enterprise Linux 7 - so use that instead.

Also, if you need new software, you should be using a newer distribution. CentOS 7 is over 7 years old. Rocky, Alma, or RHEL 8 or 9 (8 is better tested with Virtualmin, but 9 should also work) would be a good choice for someone familiar with CentOS.