Risks in attempting to upgrade Apache to 2.4.62 on Ubuntu 24.04, client saying security threat

SYSTEM INFORMATION
OS type and version Ubuntu 24.04
Webmin version Latest
Virtualmin version Latest
Webserver version 2.4.62?
Related packages SUGGESTED

Hi there! I have a very difficult client. You have told me I have to upgrade our Virtualmin installation to the latest Apache 2.4.62 which only came out last month. They claim it’s because Apache may suffer from CVE-2024-39884 and CVE-2024-40725.

Both security threats claim something along these lines:

PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.62, which fixes this issue.

To be honest I am not a security expert but I don’t agree with their assessment that our Virtualmin installation has to run the latest Apache. I can’t push back though as it’s a corporate client so I’m doing everything I can to take things forward.

I have light experience with compiling Apache but I have huge anxiety about breaking Virtualmin.

I need some advice please @staff?

Should I tell them it’s impossible to upgrade the Apache for now?

Hello,

Thanks for contacting us!

The correct response to this kind of request would be that Apache is installed from the upstream Ubuntu 24.04 system repositories, and Canonical will distribute all updates as soon as they finish testing. If they haven’t released it yet, it means the bug isn’t considered urgent or severe in any way.

I would suggest avoiding manually building Apache on a production system.

Please let us know if you have any further questions.


From a security perspective compiling from source is a disastrous idea.

Usually, the package from your OS vendor will be patched for any serious CVEs. You can see the patches by looking at the changelog for the package. For example, the apache2 package in 24.04: Ubuntu – Details of package apache2 in noble-updates (Click Ubuntu Changelog in the right-hand menu)

Looking at those two CVEs, they specifically say they apply to 2.4.60. Which is not the version you should have if you’re running the OS package. You should have 2.4.58, which, as far as I can tell, is not impacted by either of those CVEs.

So, I think they’re just flagging this incorrectly. You should be able to say your version is not impacted by those CVEs and refer them to the changelog for your version so they can check off any CVEs that apply to 2.4.58.

Ubuntu doesn’t always patch for CVEs or if they do it might take a week or two, but I think most serious ones are resolved pretty quickly.

I would strongly recommend against compiling Apache from source. If you must upgrade, I recommend you learn how to build deb packages and maintain an apt repo for your custom packages (aptly is the best option for this, though it’s kinda hard to use, it’s less hard to use than any of the other ways I know of to build apt repos). You can sometimes get the most recent version of stuff by rebuilding from newer Ubuntu or Debian versions or the unstable/dev version. But, again, that’s a last resort. Check in to be sure they really insist you upgrade and won’t accept your vendor’s patched version. Compiling your own package is still a bad idea, because now you have to babysit the Apache package forever… you need to be on security mailing lists, and drop everything to push an update every time a bug arrives. It’s exhausting. I’ve done that, I used to do it for our custom build of Apache for RHEL-based systems, and it was miserable. Hated it.

For what it’s worth, in my experience, big corps are more comfortable with RHEL (primarily because Red Hat employs a lot more developers and tend to be more responsive to security issues). If you plan to have a lot of big corporate customers, or if this one client is big enough to justify it, you might want to start deploying those customers on a RHEL system instead of Ubuntu.

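The advice above boils down to "answer the auditor with the vendor changelog, not the upstream version number". The following shell script is an added example (not code from the thread or from the Virtualmin project) that automates that check: it reads a Debian-style changelog, reports which CVE ids it mentions, and extracts the version of the newest entry. The changelog text embedded in it is a constructed sample in the real format, not the actual noble-updates changelog, and the CVE-0000-0001 id in it is a placeholder; on a real Ubuntu host you would feed it the output of `zcat /usr/share/doc/apache2/changelog.Debian.gz` (or `apt-get changelog apache2`) and compare against `dpkg-query -W -f='${Version}\n' apache2`.

```shell
#!/bin/sh
# Added example (not from the thread): check whether given CVE ids appear in an
# apache2 Debian changelog, so the answer to "are you patched?" comes from the
# vendor's own record rather than from the upstream version string.
#
# On a real host replace SAMPLE_CHANGELOG with:
#   zcat /usr/share/doc/apache2/changelog.Debian.gz      (or: apt-get changelog apache2)
# and compare top_version against:
#   dpkg-query -W -f='${Version}\n' apache2
#
# The text below is CONSTRUCTED sample input in the Debian changelog format.
# CVE-0000-0001 is a placeholder id, not a real advisory.
SAMPLE_CHANGELOG='apache2 (2.4.58-1ubuntu8.4) noble-security; urgency=medium

  * SECURITY UPDATE: constructed sample entry
    - CVE-0000-0001

 -- Constructed Sample <sample@example.invalid>  Mon, 01 Jul 2024 10:00:00 +0000

apache2 (2.4.58-1ubuntu8) noble; urgency=medium

  * constructed earlier entry

 -- Constructed Sample <sample@example.invalid>  Mon, 01 Apr 2024 10:00:00 +0000'

# cve_status CHANGELOG_TEXT CVE_ID...
# Prints "<id> patched" if the id is mentioned anywhere in the changelog and
# "<id> not-mentioned" otherwise. Returns the number of ids NOT mentioned, so
# an exit status of 0 means every requested CVE has a vendor entry.
cve_status() {
    changelog=$1
    shift
    missing=0
    for cve in "$@"; do
        # -F: fixed-string match; "--" guards against ids starting with "-"
        if printf '%s\n' "$changelog" | grep -qF -- "$cve"; then
            printf '%s patched\n' "$cve"
        else
            printf '%s not-mentioned\n' "$cve"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# top_version CHANGELOG_TEXT
# Prints the package version from the newest (first) changelog entry,
# i.e. the text between the parentheses on line 1.
top_version() {
    printf '%s\n' "$1" | sed -n '1s/^[^(]*(\([^)]*\)).*/\1/p'
}

# Demonstration: the placeholder id is listed, the id from the client's
# report is not, so the function reports one unmentioned CVE.
echo "newest packaged version: $(top_version "$SAMPLE_CHANGELOG")"
cve_status "$SAMPLE_CHANGELOG" CVE-0000-0001 CVE-2024-39884 \
    || echo "$? CVE id(s) have no entry in this changelog"
```

A CVE that is "not-mentioned" is not automatically a finding: as the reply above notes, an id that only applies to a later upstream release (here, 2.4.60) will never appear in the 2.4.58 changelog, so the next step is to check the affected-version range of that advisory, not to rebuild the package.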
