Install Apache2 Version 2.4 via Yast?

Hello,

Pretty new to Linux in general, and I’m just wondering if it’s possible to get the latest version of apache2 (2.4) via YaST?
The only version showing up for me is 2.2.21 and I would like to update because of the security holes in this version.

Using openSUSE 12.1

Cheers

wannabeuk wrote:
> Pretty new to Linux in general, and I’m just wondering if it’s possible
> to get the latest version of apache2 (2.4) via YaST?
> The only version showing up for me is 2.2.21 and I would like to update
> because of the security holes in this version.

I don’t know about this specific case, but the general system in
openSUSE and most other Linux distributions is that newer versions of
applications are only distributed with new releases of the distro, BUT
all security patches are applied to the older versions in supported
releases. So the version in the standard repos, if kept up to date
through the update repo, will be secure.

If you think there are some unpatched security holes, report it on the
security list or bugzilla.

If you really want 2.4.2, it looks like there is a build at
https://build.opensuse.org/package/show?project=home:csbuild:DBA&package=dba-apache-242

But you install that at your own risk!

Thanks for the reply.

Definitely some security holes, as 2.2.22 lists them as fixed and my security scanner (Nessus) reports them due to the old version. I’ll report them as you suggested.

I’m not sure how to use that link you posted to me, is it a case of adding the repository to the list in yast2?

wannabeuk wrote:
> Definitely some security holes, as 2.2.22 lists them as fixed and my
> security scanner (nessus) reports them due to old version. I’ll report
> them as you suggested.

Have you updated your copy of 2.2.22 from the update channel? The
opensuse-security-announce mailing list posts details of which CVE
patches are released.

> I’m not sure how to use that link you posted to me, is it a case of
> adding the repository to the list in yast2?

Yes, that’s right. Be aware that it hasn’t had any official testing so
you’re pretty much on your own if it blows up. And it may or may not get
security updates - it depends on the individual who made it.

My current version is 2.2.21, but that is the only version available on YaST, and the update claims everything is up to date, although I’m not sure if I’m doing it right. I’m using the yast2 “on-line update” function; I’ve also tried using the update command in the yast2 software manager for apache2, with no luck.

hi wannabeuk and djh-novell,

Sorry to butt in, I’m also facing the same issue.
Security vulnerability on Apache 2.2. Were you able to upgrade to Apache 2.4?
If you were, would it be OK if I ask for some pointers on how you did it?

I’m still searching on where to start, any help is deeply appreciated.

I’m basically new to openSUSE and Linux in general.

Thank you.

Apache 2.4 is available here: software.opensuse.org: Install package Apache / apache2
Better add that repo to your repo list because Apache consists of more than one package.
Be aware that there have been incompatible changes in the configuration though, see here, e.g.: Access Denied

But: Apache 2.2 as included in openSUSE is no plain 2.2.
Security patches have been (and will be) backported and released as online update.

wolfi@amiga:~> rpm -q --changelog apache2 | head -50
* Mit Mär 27 2013 draht@suse.de
- httpd-2.2.x-bnc807152-mod_balancer_handler_xss.diff: fix for
  cross site scripting vulnerability in mod_balancer. This is
  CVE-2012-4558 [bnc#807152]
- httpd-2.2.x-bnc806458-util_ldap_cache_mgr-xss.diff
  httpd-2.2.x-bnc806458-mod_imagemap-xss.diff
  httpd-2.2.x-bnc806458-mod_proxy_ftp-xss.diff
  httpd-2.2.x-bnc806458-mod_info_ap_get_server_name-xss.diff
  fixes for low profile cross site scripting vulnerabilities,
  known as CVE-2012-3499 [bnc#806458]
- httpd-2.2.x-bnc798733-SNI_ignorecase.diff: ignore case when
  checking against SNI server names. [bnc#798733]
- httpd-2.2.x-bnc777260-CVE-2012-2687-mod_negotiation_filename_xss.diff
  Escape filename for the case that uploads are allowed with untrusted
  user's control over filenames and mod_negotiation enabled on the
  same directory. CVE-2012-2687 [bnc#777260]


* Fre Jän 18 2013 mhrusecky@suse.cz
- use %set_permissions instead %run_permissions (bnc#764097)


* Mit Jul 25 2012 saschpe@suse.de
- gensslcert: Use 0400 permissions for generated SSL certificate files
  instead of 0644


* Fre Jul 06 2012 meissner@suse.com
- modified apache2.2-mpm-itk-20090414-00.patch to fix
  itk running as root. bnc#681176 / CVE-2011-1176


* Fre Jul 06 2012 meissner@suse.com
- remove the insecure LD_LIBRARY_PATH line. bnc#757710


* Son Apr 22 2012 dimstar@opensuse.org
- Add apache2-mod_ssl_npn.patch: Add npn support to mod_ssl, which
  is needed by spdy.
- Provide apache2(mod_ssl+npn), indicating that our mod_ssl does
  have the npn patch. This can be used by mod_spdy to ensure a
  compatible apache/mod_ssl is installed.


* Die Mär 20 2012 adrian@suse.de
- fix truncating and resulting paniking of answer headers (bnc#690734)


* Sam Feb 18 2012 poeml@cmdline.net
- update to 2.2.22
  * ) SECURITY: CVE-2011-3368 (cve.mitre.org)
    Reject requests where the request-URI does not match the HTTP
    specification, preventing unexpected expansion of target URLs in
    some reverse proxy configurations.
  * ) SECURITY: CVE-2011-3607 (cve.mitre.org)
    Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
    is enabled, could allow local users to gain privileges via a .htaccess
wolfi@amiga:~>
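
The manual check in the last reply can be scripted to triage version-based scanner findings against backported fixes. This is an added example, not part of the original thread: `cve_triage` and `sample_changelog` are hypothetical names, the sample lines are excerpted from the changelog output quoted above, and `CVE-0000-0000` is a constructed placeholder for an ID that is absent.

```sh
#!/bin/sh
# Added example: look up scanner-reported CVE IDs in a package changelog.

# Sample input: a few entries excerpted from the changelog shown in the thread.
sample_changelog() {
cat <<'EOF'
* Mit Mär 27 2013 draht@suse.de
- httpd-2.2.x-bnc807152-mod_balancer_handler_xss.diff: fix for
  cross site scripting vulnerability in mod_balancer. This is
  CVE-2012-4558 [bnc#807152]
- httpd-2.2.x-bnc777260-CVE-2012-2687-mod_negotiation_filename_xss.diff
* Fre Jul 06 2012 meissner@suse.com
- modified apache2.2-mpm-itk-20090414-00.patch to fix
  itk running as root. bnc#681176 / CVE-2011-1176
* Sam Feb 18 2012 poeml@cmdline.net
- update to 2.2.22
  * ) SECURITY: CVE-2011-3368 (cve.mitre.org)
  * ) SECURITY: CVE-2011-3607 (cve.mitre.org)
EOF
}

# cve_triage CVE-ID...
# Reads a changelog on stdin. For each requested ID prints either
#   ID<TAB>fixed<TAB><header of the newest entry mentioning it>
#   ID<TAB>not-in-changelog
cve_triage() {
  awk -v want="$*" '
    BEGIN { n = split(want, ids, " ") }
    /^\* / { header = substr($0, 3) }   # column-0 "* <date> <packager>" starts an entry
    {
      line = $0
      while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
        id = substr(line, RSTART, RLENGTH)
        if (!(id in seen)) seen[id] = header   # rpm lists newest entries first
        line = substr(line, RSTART + RLENGTH)
      }
    }
    END {
      for (i = 1; i <= n; i++)
        if (ids[i] in seen) printf "%s\tfixed\t%s\n", ids[i], seen[ids[i]]
        else                printf "%s\tnot-in-changelog\n", ids[i]
    }'
}

# Demo on the embedded sample; on a real host use:
#   rpm -q --changelog apache2 | cve_triage CVE-2011-3368 ...
sample_changelog | cve_triage CVE-2011-3368 CVE-2012-2687 CVE-0000-0000
```

A `not-in-changelog` result only means the packager did not record that ID; confirm against the opensuse-security-announce list before treating the finding as real.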