John Talarico

I've got an automatic PCI scan hitting my server and it is failing because there are vulnerabilities in Apache Web Server 2.2.18 and below, so it requires an upgrade to 2.2.19.

I've tried upgrading via...

    apt-get update
    apt-get install apache2

But apache stays at v2.2.16.  How do I force an update to 2.2.19?  Actually, same goes for OpenSSH.  I need 5.8 or higher.

Thanks!

Jeremy Davis

Often (Windows-centric) security scanners do simple version checks (rather than actually testing for the vulnerabilities). Because security patches are backported to the software version the OS initially shipped with, the packages will show an old version (because they are old), and such scanners will often produce false positives. So whilst the version number may suggest that it's insecure, if you check the changelog of the package I strongly suspect you'll find the vulnerability has been patched. Scanners such as that are ok for Windows machines, but near useless for Linux machines (at least for apps handled by package management).

If you really do need to update (i.e. there is a feature you need or a non-security bug that hasn't been patched) then you have a few different options, but generally none of them are very pretty: they will significantly increase your maintenance overheads (e.g. compiling from source), risk stability (installing from a newer version of Ubuntu or Debian) and/or possibly compromise security (using another repo such as a PPA).
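The changelog check suggested above, worked through as an added example (editor's code, not part of Jeremy's post or of TurnKey/Debian tooling). On a real Squeeze box the input would be the Debian changelog of the installed package (zcat /usr/share/doc/apache2.2-common/changelog.Debian.gz, or apt-get changelog apache2) and the installed version would come from dpkg-query -W -f='${Version}' apache2.2-bin; here a constructed changelog excerpt is embedded so the script runs offline. The version strings follow the 2.2.16-6+squeezeN scheme quoted later in the thread, and the CVE ids of the form CVE-2011-999xx are placeholders, not real advisories. The point the script makes: Debian changelogs are newest-first, so a CVE named in the installed version's stanza or any stanza below it is fixed in what is installed, whatever the upstream version number says.

```shell
#!/bin/sh
# Added example: decide whether a CVE is fixed in the installed Debian package
# by reading its changelog, instead of comparing upstream version numbers.
# The changelog below is CONSTRUCTED for this example; the CVE ids are
# placeholders (CVE-2011-999xx), not real advisories.

write_sample_changelog() {
  cat > "$1" <<'EOF'
apache2 (2.2.16-6+squeeze11) squeeze-security; urgency=high

  * Fix CVE-2011-99903 (placeholder entry, constructed for this example).

 -- Maintainer <maint@example.org>  Mon, 01 Jan 2013 00:00:00 +0000

apache2 (2.2.16-6+squeeze10) squeeze-security; urgency=high

  * Fix CVE-2011-99902 (placeholder entry, constructed for this example).

 -- Maintainer <maint@example.org>  Mon, 01 Oct 2012 00:00:00 +0000

apache2 (2.2.16-6+squeeze9) squeeze-security; urgency=high

  * Fix CVE-2011-99901 (placeholder entry, constructed for this example).
    Backported fix; the upstream version string stays 2.2.16.

 -- Maintainer <maint@example.org>  Mon, 02 Jul 2012 00:00:00 +0000

apache2 (2.2.16-6) unstable; urgency=low

  * New upstream release.

 -- Maintainer <maint@example.org>  Mon, 01 Nov 2010 00:00:00 +0000
EOF
}

# Stanza headers look like: "apache2 (2.2.16-6+squeeze10) squeeze-security; urgency=high".
# Print the newest package version whose stanza mentions the CVE in $1 ($2 = changelog file).
fix_version_for_cve() {
  awk -v cve="$1" '
    /^[a-z0-9][a-z0-9.+-]* \([^)]*\) / { ver = $2; gsub(/[()]/, "", ver); next }
    index($0, cve) > 0 && !done       { print ver; done = 1 }
  ' "$2"
}

# Exit 0 if CVE $1 is mentioned in the stanza of installed version $2 or in any
# older stanza (everything below it in a newest-first changelog); exit 1 otherwise.
cve_fixed_in_installed() {
  awk -v cve="$1" -v inst="$2" '
    /^[a-z0-9][a-z0-9.+-]* \([^)]*\) / {
      ver = $2; gsub(/[()]/, "", ver)
      if (ver == inst) reached = 1
      next
    }
    reached && index($0, cve) > 0 { found = 1; exit }
    END { exit found ? 0 : 1 }
  ' "$3"
}

# List every CVE id recorded at or below installed version $1 ($2 = changelog file),
# i.e. the evidence to hand to the scanning vendor for a false-positive dispute.
cves_fixed_up_to() {
  awk -v inst="$1" '
    /^[a-z0-9][a-z0-9.+-]* \([^)]*\) / {
      ver = $2; gsub(/[()]/, "", ver)
      if (ver == inst) reached = 1
      next
    }
    reached {
      line = $0
      while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
        print substr(line, RSTART, RLENGTH)
        line = substr(line, RSTART + RLENGTH)
      }
    }
  ' "$2" | sort -u
}

main() {
  tmp="${TMPDIR:-/tmp}/changelog.$$"
  write_sample_changelog "$tmp"
  # On the box from the thread this would be: dpkg-query -W -f='${Version}' apache2.2-bin
  installed="2.2.16-6+squeeze10"
  for cve in CVE-2011-99901 CVE-2011-99902 CVE-2011-99903; do
    if cve_fixed_in_installed "$cve" "$installed" "$tmp"; then
      echo "$cve: fixed in $installed (first fixed in $(fix_version_for_cve "$cve" "$tmp"))"
    else
      echo "$cve: NOT fixed in $installed (fix is in $(fix_version_for_cve "$cve" "$tmp"))"
    fi
  done
  echo "CVEs covered by $installed: $(cves_fixed_up_to "$installed" "$tmp" | tr '\n' ' ')"
  rm -f "$tmp"
}

main
```

With the constructed input, CVE-2011-99901 and CVE-2011-99902 come out as fixed in 2.2.16-6+squeeze10 and CVE-2011-99903 as not fixed, because its stanza sits above the installed version. On a real system the same evidence (the stanza naming the CVE, plus the corresponding DSA from the Debian security tracker) is what you would attach when disputing the scanner finding as a false positive; a bare "2.2.16 < 2.2.19" comparison tells you nothing either way.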

John Talarico

Unfortunately this is a 3rd party PCI scanning service required by a client, and it won't "pass" unless it detects proper versions. 

On another note I attempted an upgrade (apt-get upgrade) and it froze on udev.  Not my day.

Jeremy Davis

But it'll mean that you lose the advantages of auto security updates and will need to do them manually, for every update. Ironically, by complying with a 'security' policy such as this, the appliance will become higher maintenance and less secure.

Upgrading causing a udev freeze is a known issue, but unfortunately is an upstream (Ubuntu) one. If you follow the link, there are a couple of workarounds and instructions on how to put a hold on the package (so it stops upgrading and doesn't cause the problem again).

John Talarico

Just a quick update (no pun intended) to this.

I found ways around the issue but now it's back again.  The funny thing is that even after the latest upgrade using apt-get, apache is STILL at 2.2.16.  Is this ever going to be upgraded to a more recent version?  I saw another post that seemed to indicate that it'd be upgraded sometime last year (April?) but I never saw that happen.

Jeremy Davis

So it has moved away from Ubuntu. As such the udev bug is no longer an issue. This means that TKL is now more stable (IMO) and less buggy. However Debian 6/Squeeze has mostly similar package versions to Ubuntu 10.04/Lucid (the source of Ubuntu 10.04 was a modified snapshot of Debian 6 while it was still in testing).

So the short answer is that your situation remains the same... The next version of TKL will be based on Debian 7/Wheezy, but seeing as that is still in beta testing it could be 6 months or so before that has a final release. Then we'll need to wait for the TKL devs to release TKL v13.x (which will be based on that).

Bottom line is that IMO you have the following options:

  • Find another repo (that you can trust and is compatible with Debian 6/Squeeze) that includes a later version of Apache.
  • Download and install Apache from source (and repeat for new versions as they are released).
  • Encourage your client to find a 3rd party 'security tester' that actually does proper vulnerability testing rather than simple version checks (assuming that an organisation such as that actually exists - one would hope that they do...).

[update] Looks like Eric beat me to it! Sounds like we had similar conclusions though! :)

Eric (tssgery)

2.2.16 is old but is the version still being published in the Debian repositories.

aptitude show apache2.2-bin shows:

    Package: apache2.2-bin
    State: installed
    Automatically installed: no
    Version: 2.2.16-6+squeeze10
    Priority: optional
    Section: httpd
    Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
    Uncompressed Size: 3473 k
    Depends: libapr1 (>= 1.4.2), libaprutil1 (>= 1.3.2+dfsg), libaprutil1-dbd-sqlite3 | libaprutil1-dbd-mysql
             | libaprutil1-dbd-odbc | libaprutil1-dbd-pgsql | libaprutil1-dbd-freetds, libaprutil1-ldap,
             libc6 (>= 2.4), libcap2 (>= 2.10), libldap-2.4-2 (>= 2.4.7), libpcre3 (>= 7.7), libssl0.9.8 (>=
             0.9.8m-1), zlib1g (>= 1:1.1.4)
    Conflicts: apache2.2-common (< 2.2.11-5~)
    Replaces: apache2.2-common (< 2.2.14-2~)
    Description: Apache HTTP Server common binary files
     The Apache Software Foundation's goal is to build a secure, efficient and extensible HTTP server as
     standards-compliant open source software. The result has long been the number one web server on the
     Internet.

     This package contains all binaries but no configuration or support scripts. To get a stand-alone server,
     you need to install one of the apache2-mpm-* packages, such as worker or prefork. Other packages like
     gnome-user-share may bring their own Apache configuration, though.
    Homepage: http://httpd.apache.org/

You have two options to upgrade to a newer version:

1) find a repo that contains the version you want, add the repository to your apt configuration, and update

2) download, compile, and install from source
