Thread: Install Apache2 Version 2.4 via Yast?

  1. #1

    Install Apache2 Version 2.4 via Yast?

    Hello,

    Pretty new to Linux in general, and I'm just wondering if it's possible to get the latest version of apache2 (2.4) via YaST?
    The only version showing up for me is 2.2.21 and I would like to update because of the security holes in this version.

    Using openSUSE 12.1

    Cheers

  2. #2

    Re: Install Apache2 Version 2.4 via Yast?

    wannabeuk wrote:
    > Pretty new to Linux in general, and I'm just wondering if it's possible
    > to get the latest version of apache2 (2.4) via YaST?
    > The only version showing up for me is 2.2.21 and I would like to update
    > because of the security holes in this version.


    I don't know about this specific case, but the general system in
    openSUSE and most other Linux distributions is that newer versions of
    applications are only distributed with new releases of the distro, BUT
    all security patches are applied to the older versions in supported
    releases. So the version in the standard repos, if kept up to date
    through the update repo, will be secure.

    If you think there are some unpatched security holes, report it on the
    security list or bugzilla.

    If you really want 2.4.2, it looks like there is a build at
    https://build.opensuse.org/package/s...dba-apache-242

    But you install that at your own risk!

  3. #3

    Re: Install Apache2 Version 2.4 via Yast?

    Thanks for the reply.

    Definitely some security holes, as 2.2.22 lists them as fixed and my security scanner (Nessus) reports them due to old version. I'll report them as you suggested.

    I'm not sure how to use that link you posted to me, is it a case of adding the repository to the list in yast2?

  4. #4

    Re: Install Apache2 Version 2.4 via Yast?

    wannabeuk wrote:
    > Definitely some security holes, as 2.2.22 lists them as fixed and my
    > security scanner (Nessus) reports them due to old version. I'll report
    > them as you suggested.


    Have you updated your copy of 2.2.22 from the update channel? The
    opensuse-security-announce mailing list posts details of which CVE
    patches are released.

    > I'm not sure how to use that link you posted to me, is it a case of
    > adding the repository to the list in yast2?


    Yes, that's right. Be aware that it hasn't had any official testing so
    you're pretty much on your own if it blows up. And it may or may not get
    security updates - it depends on the individual who made it.

  5. #5

    Re: Install Apache2 Version 2.4 via Yast?

    djh-novell wrote:
    > Have you updated your copy of 2.2.22 from the update channel? The
    > opensuse-security-announce mailing list posts details of which CVE
    > patches are released.

    My current version is 2.2.21, but that is the only version available in YaST, and the update claims everything is up to date, although I'm not sure if I'm doing it right. I'm using the yast2 "on-line update" function; I've also tried using the update command in the yast2 software manager for apache2, with no luck.

  6. #6

    Re: Install Apache2 Version 2.4 via Yast?

    hi wannabeuk and djh-novell,

    Sorry to barge in, I'm also facing the same issue.
    Security vulnerability on Apache 2.2. Were you able to upgrade to Apache 2.4?
    If you were, would it be ok if I ask some pointers on how you did it?

    I'm still searching on where to start, any help is deeply appreciated.

    I'm basically new to openSUSE and Linux in general.

    Thank you.

  7. #7

    Re: Install Apache2 Version 2.4 via Yast?

    santiagojem wrote:
    > hi wannabeuk and djh-novell,
    >
    > Sorry to barge in, I'm also facing the same issue.
    > Security vulnerability on Apache 2.2. Were you able to upgrade to Apache 2.4?
    > If you were, would it be ok if I ask some pointers on how you did it?
    >
    > I'm still searching on where to start, any help is deeply appreciated.
    >
    > I'm basically new to openSUSE and Linux in general.
    >
    > Thank you.

    Apache 2.4 is available here: software.opensuse.org: Install package Apache / apache2
    Better add that repo to your repo list because Apache consists of more than one package.
    Be aware that there have been incompatible changes in the configuration though, see for example: https://bugzilla.novell.com/show_bug.cgi?id=813705

    But: Apache 2.2 as included in openSUSE is no plain 2.2.
    Security patches have been (and will be) backported and released as online update.
    Code:
    wolfi@amiga:~> rpm -q --changelog apache2 | head -50
    * Mit Mär 27 2013 draht@suse.de
    - httpd-2.2.x-bnc807152-mod_balancer_handler_xss.diff: fix for
      cross site scripting vulnerability in mod_balancer. This is
      CVE-2012-4558 [bnc#807152]
    - httpd-2.2.x-bnc806458-util_ldap_cache_mgr-xss.diff
      httpd-2.2.x-bnc806458-mod_imagemap-xss.diff
      httpd-2.2.x-bnc806458-mod_proxy_ftp-xss.diff
      httpd-2.2.x-bnc806458-mod_info_ap_get_server_name-xss.diff
      fixes for low profile cross site scripting vulnerabilities,
      known as CVE-2012-3499 [bnc#806458]
    - httpd-2.2.x-bnc798733-SNI_ignorecase.diff: ignore case when
      checking against SNI server names. [bnc#798733]
    - httpd-2.2.x-bnc777260-CVE-2012-2687-mod_negotiation_filename_xss.diff
      Escape filename for the case that uploads are allowed with untrusted
      user's control over filenames and mod_negotiation enabled on the
      same directory. CVE-2012-2687 [bnc#777260]
    
    
    * Fre Jän 18 2013 mhrusecky@suse.cz
    - use %set_permissions instead %run_permissions (bnc#764097)
    
    
    * Mit Jul 25 2012 saschpe@suse.de
    - gensslcert: Use 0400 permissions for generated SSL certificate files
      instead of 0644
    
    
    * Fre Jul 06 2012 meissner@suse.com
    - modified apache2.2-mpm-itk-20090414-00.patch to fix
      itk running as root. bnc#681176 / CVE-2011-1176
    
    
    * Fre Jul 06 2012 meissner@suse.com
    - remove the insecure LD_LIBRARY_PATH line. bnc#757710
    
    
    * Son Apr 22 2012 dimstar@opensuse.org
    - Add apache2-mod_ssl_npn.patch: Add npn support to mod_ssl, which
      is needed by spdy.
    - Provide apache2(mod_ssl+npn), indicating that our mod_ssl does
      have the npn patch. This can be used by mod_spdy to ensure a
      compatible apache/mod_ssl is installed.
    
    
    * Die Mär 20 2012 adrian@suse.de
    - fix truncating and resulting paniking of answer headers (bnc#690734)
    
    
    * Sam Feb 18 2012 poeml@cmdline.net
    - update to 2.2.22
      * ) SECURITY: CVE-2011-3368 (cve.mitre.org)
        Reject requests where the request-URI does not match the HTTP
        specification, preventing unexpected expansion of target URLs in
        some reverse proxy configurations.
      * ) SECURITY: CVE-2011-3607 (cve.mitre.org)
        Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
        is enabled, could allow local users to gain privileges via a .htaccess
    wolfi@amiga:~>
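
The changelog check from post #7, turned into a script that looks up the CVE IDs a version-based scanner reports (an added example, not part of the original thread). The function names `cve_status` and `sample_changelog` and the placeholder ID `CVE-0000-0000` are assumptions made for this example; the sample lines are copied from the output quoted above.

```shell
#!/bin/sh
# Added example: report which changelog entry, if any, mentions each CVE ID.
# Real use: rpm -q --changelog apache2 | cve_status CVE-2012-4558 CVE-2011-3368

# cve_status ID...: reads an RPM changelog on stdin, prints one line per ID:
#   "<ID> in-changelog <entry header>"  or  "<ID> not-in-changelog"
cve_status() {
    awk -v want="$*" '
        BEGIN { n = split(want, ids, " ") }
        # Entry headers start with "* " in column 0; indented "* )" lines
        # are upstream release notes and belong to the current entry.
        /^\* / { header = substr($0, 3); next }
        {
            # Collect every CVE ID on the line, including IDs embedded in
            # patch file names; the first (newest) entry mentioning it wins.
            line = $0
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                id = substr(line, RSTART, RLENGTH)
                if (!(id in seen)) { seen[id] = header }
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                if (ids[i] in seen) { print ids[i], "in-changelog", seen[ids[i]] }
                else { print ids[i], "not-in-changelog" }
            }
        }'
}

# Sample input: lines copied from the changelog output quoted in post #7.
sample_changelog() {
    cat <<'EOF'
* Mit Mär 27 2013 draht@suse.de
- httpd-2.2.x-bnc807152-mod_balancer_handler_xss.diff: fix for
  cross site scripting vulnerability in mod_balancer. This is
  CVE-2012-4558 [bnc#807152]
- httpd-2.2.x-bnc777260-CVE-2012-2687-mod_negotiation_filename_xss.diff

* Sam Feb 18 2012 poeml@cmdline.net
- update to 2.2.22
  * ) SECURITY: CVE-2011-3368 (cve.mitre.org)
EOF
}

# CVE-0000-0000 is a placeholder ID that is deliberately absent.
sample_changelog | cve_status CVE-2012-4558 CVE-2011-3368 CVE-0000-0000
```

A `not-in-changelog` result only means the package changelog records no fix under that ID; the opensuse-security-announce list mentioned in post #4 is the place to confirm.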
