Seek Assistance Upgrading to Apache Webserver 2.2.24

I am using OpenSUSE 12.3 with the included version of Apache2 (2.2.22). I am seeking to update this to 2.2.24 since some security issues have been resolved in the new version. I have installed the factory and Tumbleweed repos but still see no RPMs in YAST for 2.2.24.

I searched software.opensuse.org and found no newer apache2 rpm, but did see one httpd2 rpm listed under “unstable” in the repo home:mkubecek:private. This does not look like it is a complete replacement for the apache2 package version 2.2.22. I did a one-click install of this package on a test machine but httpd2 -v shows the old version (2.2.22) is still operational and no indication of a functioning 2.2.24.

I also tried downloading the source code from apache.org but I am unclear as to the proper destination directories to specify in ./configure. The defaults do not match the typical directory structure for Apache2 on OpenSUSE. I took a shot by looking at where various components from the included 2.2.22 version were currently installed but must not have gotten them correct, since the compilation and installation proceeded without error but did not produce a functional 2.2.24 web server. I used these:
--sysconfdir=/etc/apache2 --includedir=/usr/include/apache2 --oldincludedir=/usr/include/apache2 --libdir=/usr/lib/apache2 --sbindir=/usr/sbin --datarootdir=/usr/share/apache2 --mandir=/usr/share/apache2/manual --docdir=/usr/share/doc/packages/apache2 --localstatedir=/var
What is the best way for me to proceed in getting 2.2.24 running on OpenSuse 12.3? Is there any timetable for when an updated 2.2.24 rpm may be available via the normal update channels? Or, can someone assist me in correcting my ./configure options so that I may successfully install from the source code?

Thanks in advance…

Peter W. Avery
pwavery@gmail.com

pavery wrote:
> I am using OpenSUSE 12.3 with the included version of Apache2 (2.2.22).
> I am seeking to update this to 2.2.24 since some security issues have
> been resolved in the new version.

Security updates are produced for applications. There should be no need
to change the version of the server for security reasons. Just apply the
updates.

If you think there is a specific security issue that has not been
addressed, I suggest asking on the security list.

Thanks for your quick response - I appreciate it. The security issues in httpd2-2.2.22 were pointed out to me during recent vulnerability scans of our servers, and have been identified in the CVE listings of the National Vulnerabilities Database: CVE - CVE-2012-3499

Apache has recognized these issues and has fixed them in the new version 2.2.24 - apparently no fixes to 2.2.22 are available: httpd 2.2 vulnerabilities - The Apache HTTP Server Project

These considerations are the basis of my desire to update my version to 2.2.24 as quickly as possible. If it would be helpful for me to post this info to the OpenSUSE Security List I will do so. [Pardon my ignorance - I am not totally experienced in the use of the various OpenSUSE Forums and Resources yet.] But to return to my initial question - what is the best way to proceed with the update?

Thanks…

Peter

On 05/09/2013 03:46 PM, pavery wrote:
> what is the best way to proceed with the update?

the fastest way would be to download and build from the 2.2.24 source…

i would have no idea how trivial that may or may not be…certainly i
would build and install it on a sandbox and carefully consider the
means to move it into production, and recover if it fails…

and, it seems to me that since this was reported as a problem way last
July, and the openSUSE devs have not produced a patch, i have to
guess it is not such a big problem, but i admit i’m not qualified to
make that determination for your servers…

you might check with the folks in the security mail list…they may
want to build it for you if you will test it for them…or . . .

https://en.opensuse.org/openSUSE:Communication_channels#Mailing_lists


dd
http://tinyurl.com/DD-Caveat

Just install all online updates.
This was fixed in openSUSE’s apache2 package over a month ago.
Changelog of the package from openSUSE-Updates:

  Mit Mär 27 2013 draht@suse.de
  • httpd-2.2.x-bnc807152-mod_balancer_handler_xss.diff: fix for
    cross site scripting vulnerability in mod_balancer. This is
    CVE-2012-4558 [bnc#807152]
  • httpd-2.2.x-bnc806458-util_ldap_cache_mgr-xss.diff
    httpd-2.2.x-bnc806458-mod_imagemap-xss.diff
    httpd-2.2.x-bnc806458-mod_proxy_ftp-xss.diff
    httpd-2.2.x-bnc806458-mod_info_ap_get_server_name-xss.diff
    fixes for low profile cross site scripting vulnerabilities,
    known as CVE-2012-3499 [bnc#806458]
  • httpd-2.2.x-bnc798733-SNI_ignorecase.diff: ignore case when
    checking against SNI server names. [bnc#798733]
  • httpd-2.2.x-bnc777260-CVE-2012-2687-mod_negotiation_filename_xss.diff
    Escape filename for the case that uploads are allowed with untrusted
    user’s control over filenames and mod_negotiation enabled on the
    same directory. CVE-2012-2687 [bnc#777260]

You can also query the package change log directly and grep for the CVE number(s):

# rpm -q --changelog apache2 | grep CVE-2012-3499
  known as CVE-2012-3499 [bnc#806458]
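The single grep above answers one CVE at a time. The script below is an added example (not posted by anyone in this thread and not part of the openSUSE package) that generalises the same check: it pulls every CVE id out of a package changelog and reconciles a list of CVEs reported by a version-based scanner against it, so that findings already closed by a backported patch are separated from ones that are genuinely open. The changelog text is a constructed sample modelled on the entries quoted above so the script runs without rpm; on a real system you pipe `rpm -q --changelog apache2` into it instead.

```shell
#!/bin/sh
# Constructed sample, modelled on the openSUSE apache2 changelog quoted in
# this thread. It is an assumption for the demo, not the real package output.
SAMPLE_CHANGELOG='* Wed Mar 27 2013 draht@suse.de
- httpd-2.2.x-bnc807152-mod_balancer_handler_xss.diff: fix for
  cross site scripting vulnerability in mod_balancer. This is
  CVE-2012-4558 [bnc#807152]
- httpd-2.2.x-bnc806458-util_ldap_cache_mgr-xss.diff
  fixes for low profile cross site scripting vulnerabilities,
  known as CVE-2012-3499 [bnc#806458]
- httpd-2.2.x-bnc777260-CVE-2012-2687-mod_negotiation_filename_xss.diff
  Escape filename when uploads with untrusted names are allowed.
  CVE-2012-2687 [bnc#777260]'

# changelog_cves: read a changelog on stdin and print every distinct CVE id
# it mentions, one per line, sorted. Ids appear both in patch file names and
# in free text, so a plain regex over the whole stream catches both.
changelog_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# reconcile_scan CVE-... [CVE-...]: read a changelog on stdin and, for each
# CVE id given as an argument, print "<id> fixed" when the changelog records
# a patch for it and "<id> open" when it does not. "fixed" means the
# maintainer backported a fix into the installed version; "open" means the
# scanner's finding still needs attention (or the fix lives in another
# package, e.g. the TLS library rather than apache2).
reconcile_scan() {
    cves=$(changelog_cves)
    for cve in "$@"; do
        if printf '%s\n' "$cves" | grep -qx "$cve"; then
            echo "$cve fixed"
        else
            echo "$cve open"
        fi
    done
}

# Demo run against the constructed sample. On a live openSUSE box use:
#   rpm -q --changelog apache2 | reconcile_scan CVE-2012-3499 CVE-2012-4930
printf '%s\n' "$SAMPLE_CHANGELOG" | reconcile_scan CVE-2012-3499 CVE-2012-4930
```

A "fixed" line is evidence that a backport exists in the package's history, not proof that it is installed: pair it with `rpm -q apache2` to confirm the installed release is at or past the changelog entry's date, and remember that some findings (the SSL/TLS compression one raised later in this thread) are properties of a different package or of the running configuration, which no apache2 changelog grep will settle.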

pavery wrote:
> Thanks for your quick response - I appreciate it. The security issues
> in httpd2-2.2.22 were pointed out to me during recent vulnerability
> scans of our servers, and have been identified in the CVE listings of
> the National Vulnerabilities Database: ‘CVE - CVE-2012-3499’
> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499)
>
> Apache has recognized these issues and has fixed them in the new
> version 2.2.24 - apparently no fixes to 2.2.22 are available: ‘httpd
> 2.2 vulnerabilities - The Apache HTTP Server Project’
> (http://httpd.apache.org/security/vulnerabilities_22.html)
>
> These considerations are the basis of my desire to update my version to
> 2.2.24 as quickly as possible. If it would be helpful for me to post
> this info to the OpenSUSE Security List I will do so. [Pardon my
> ignorance - I am not totally experienced in the use of the various
> OpenSUSE Forums and Resources yet.] But to return to my initial
> question - what is the best way to proceed with the update?

The best way is to NOT proceed with an upgrade! (BTW - ‘update’ means to
apply fixes to the current version, ‘upgrade’ means to switch to a more
recent version)

As wolfi323 has explained, the problem is already fixed in openSUSE
2.2.22. Just make sure you have applied the updates. That way, you have
a supported version of the product and other problems will get fixed
too, and the majority of people use that version and can help you. If
you upgrade to a version from a non-standard repository, or if you
compile your own, you are pretty much on your own. The security risks of
that are much greater, IMHO.

If you are concerned about security issues, you may want to subscribe to
the security-announce list via the URL dd gave you, to keep abreast of
the patches that are released.

But in general, I suggest learning a bit more about the way the openSUSE
distro works before dashing off in your own direction. Too many times,
people add a strange repo or import a tarball and then have to spend a
lot of time undoing the damage to get back to a standard system
configured properly.

pavery wrote:
> Thanks for your quick response - I appreciate it. The security issues
> in httpd2-2.2.22 were pointed out to me during recent vulnerability
> scans of our servers, and have been identified in the CVE listings of
> the National Vulnerabilities Database: ‘CVE - CVE-2012-3499’
> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499)

BTW, were the vulnerabilities exposed as actual live problems, or simply
by somebody reading version numbers?

If the former, it implies you haven’t been applying security patches
regularly, which is definitely the most important thing to do.

If the latter, ‘somebody’ needs to improve their techniques!

All:

Thank you for a very educational set of responses. I had become confused about the version numbers and had forgotten that updates are often backported (is that the correct term?). Checking the changelogs will become a part of my routine whenever I am in doubt. I have also subscribed to the security list so that I will be more aware of when fixes are being released.

I will also be checking with my security vendor to better determine how it concludes that a vulnerability really exists - version numbering may be the issue there as well.

Thanks again - I am happy to be a part of such a knowledgeable and helpful community.

Peter

I am also experiencing a similar type of security issue with Version 2.2.22 and in order to nullify this vulnerability, I need to update to v2.2.24. With my server the vulnerability is with SSL/TLS Compression. I have done all of the online updates, but when I do the test through Qualys, the problem still exists and SSLCompression is enabled and is an open vulnerability. See CVE-2012-4930

I have tried installing the unstable 2.2.24 version shown for OpenSuSE 12.2, but have had no luck meeting the dependencies (the unstable version is looking for lower versions of the libraries than what is installed).

At this time Apache v2.4.3 has been configured to disable SSLCompression by default and the capability to disable SSLCompression has been backported to Apache v2.2.24 only, not to v2.2.22 and apparently no intention to do so at this time.

Any suggestions would be appreciated.

leevester wrote:
> Any suggestions would be appreciated.

My suggestions are:

(1) When posting about different problems, start a new thread, don’t
hijack an existing one

(2) Read this thread first, and then take action or post questions in
the appropriate place instead of here!

I thought I was asking for assistance in upgrading to version 2.2.24 as Pavery originally requested

I only meant to add another reason for the need to upgrade.

On 05/10/2013 03:36 PM, leevester wrote:
>
> I thought I was asking for assistance in upgrading to version 2.2.24 as
> Pavery originally requested

i think if you read the entire thread you will learn that Pavery had
no reason to want to “upgrade”…because, if he had already run in
the routine security updates (via YaST Online Update or ‘zypper
patch’) his system would have been secure before the sweep…

>
> I only meant to add another reason for the need to upgrade.

why? is your system fully patched?


dd

I check at least once a week on updates and the system was just updated again today with no luck in getting SSLCompression disabled.

I will open another thread just on that subject.

Thanks for the help.