LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
    -   centos 5.4 need to update apache/httpd (https://www.linuxquestions.org/questions/linux-security-4/centos-5-4-need-to-update-apache-httpd-797867/)

hockeyman_102 03-25-2010 03:18 PM

centos 5.4 need to update apache/httpd
 
Here goes: one of our production servers is running Apache 2.2.11-7, and we have some open vulns that need it to upgrade to 2.2.15.

Steps:
--------
use yum (LOVE yum)
  1. yum update
  2. yum update httpd - "No Packages marked for Update"
  3. yum list installed httpd - "Installed Package httpd.x86_64 2.2.11-7 installed"

Does this mean I have to manually install from src if I want to get apache upgraded, since I can't seem to find a 2.2.15 version of apache on rpmfind.net?

Also, if there are vulns, why can't yum update yet?

Intel_ 03-25-2010 03:52 PM

CentOS uses older versions of the software. Maybe the version which you need is not included yet.

win32sux 03-25-2010 05:32 PM

Quote:

Originally Posted by hockeyman_102 (Post 3912170)
we have some open vulns

How did you determine this? Did you perform some sort of vulnerability scan, or are you going solely by the version numbers? If it's the latter, keep in mind that it's quite normal for distros to leave software version numbers intact when backporting security patches (the package version number is what gets bumped). Have you checked the relevant package's changelog to see if there is a record of the vulnerabilities you're referring to having been addressed?
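The check win32sux describes, as an added example that is not part of the thread: on RHEL/CentOS a backported security fix leaves the upstream version (2.2.11) alone and bumps only the package release (the -7), so the evidence that a CVE is fixed lives in the RPM changelog, not in the version string. The changelog text below is constructed sample data with placeholder CVE ids; on a real host you would pipe `rpm -q --changelog httpd` into the function instead.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a package's RPM changelog
# records a fix for a given CVE. On a live system run:
#   rpm -q --changelog httpd | cve_fixed_in_changelog CVE-YYYY-NNNN
# The changelog below is CONSTRUCTED sample text with placeholder CVE ids;
# it is not the real CentOS httpd changelog.

SAMPLE_CHANGELOG='* Mon Mar 01 2010 Example Packager <packager@example.invalid> - 2.2.11-7
- add security fix for CVE-0000-0001 (backported from a later upstream release)
- add security fix for CVE-0000-0002
* Wed Jan 06 2010 Example Packager <packager@example.invalid> - 2.2.11-6
- rebuild'

# Reads a changelog on stdin; exits 0 if the CVE id appears, 1 otherwise.
# Fixed-string, case-insensitive match so "cve-0000-0001" is also found.
cve_fixed_in_changelog() {
    grep -q -i -F -- "$1"
}

# Same check run over the constructed sample above.
sample_has_cve() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fixed_in_changelog "$1"
}

# Split an RPM "version-release" string such as 2.2.11-7: the version is the
# upstream number a version-only scanner looks at; the release is the part the
# distro bumps when it backports a fix.
rpm_version_of() {
    printf '%s\n' "$1" | sed 's/-[^-]*$//'
}
rpm_release_of() {
    printf '%s\n' "$1" | sed 's/.*-//'
}

# Stand-alone run: report on the sample for the two placeholder ids.
for cve in CVE-0000-0001 CVE-0000-0003; do
    if sample_has_cve "$cve"; then
        echo "$cve: fix recorded in changelog"
    else
        echo "$cve: no changelog entry, check the vendor advisory"
    fi
done
echo "upstream version: $(rpm_version_of 2.2.11-7), package release: $(rpm_release_of 2.2.11-7)"
```

A hit in the changelog is the record a PCI assessor can be pointed at; a miss means the fix is either not shipped yet or was never needed for that build, which the vendor's advisory for the CVE settles.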

hockeyman_102 03-25-2010 06:50 PM

We have a 3rd party doing a Qualys PCI scan. It's very frustrating, because it seems they are only going off version number, and I really, really do not like installing from src if I don't have to.

hockeyman_102 03-25-2010 07:31 PM

I think I found a solution - I updated everything possible, and then changed my httpd.conf to not reflect the Apache version.

httpd.conf
Code:

#ServerTokens OS
ServerTokens Prod

And test it by:

Quote:

telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 26 Mar 2010 00:16:09 GMT
Server: Apache
Last-Modified: Mon, 02 Feb 2009 20:21:34 GMT
ETag: "8a09-461f54d068f80"
Accept-Ranges: bytes
Content-Length: 35337
Connection: close
Content-Type: text/html; charset=UTF-8

Still waiting for the scan to come back before I mark it as SOLVED.
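The telnet check above, as an added example that is not part of the thread, turned into something repeatable: a function that reads a raw HTTP response and reports whether the Server header still discloses a version, so the ServerTokens change can be verified from a script rather than by eye. The two responses below are constructed samples modelled on the header block in the post, not captured from a real server. Note that hiding the banner only removes the version string a scanner keys on; whether a fix is actually installed is a separate question answered by the package changelog.

```shell
#!/bin/sh
# Added example, not from the thread: given a raw HTTP response on stdin,
# exit 0 if the Server header carries a version (anything after "Apache/"
# or a bare product/version token), 1 if it is a bare product name or absent.

server_header_discloses_version() {
    # Keep only the Server header, strip the CR that HTTP lines end with,
    # then look for a "/digit" version token such as "Apache/2.2.11".
    tr -d '\r' | grep -i '^Server:' | grep -q -E '/[0-9]'
}

# CONSTRUCTED sample: what "ServerTokens Prod" produces (no version).
RESPONSE_PROD='HTTP/1.1 200 OK
Date: Fri, 26 Mar 2010 00:16:09 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=UTF-8'

# CONSTRUCTED sample: what "ServerTokens OS" style output looks like.
RESPONSE_OS='HTTP/1.1 200 OK
Date: Fri, 26 Mar 2010 00:16:09 GMT
Server: Apache/2.2.11 (CentOS)
Connection: close
Content-Type: text/html; charset=UTF-8'

prod_sample_leaks() { printf '%s\n' "$RESPONSE_PROD" | server_header_discloses_version; }
os_sample_leaks()   { printf '%s\n' "$RESPONSE_OS"   | server_header_discloses_version; }

# Stand-alone run. On a live host you would feed a real HEAD response in, e.g.
#   printf 'HEAD / HTTP/1.0\r\n\r\n' | nc localhost 80 | server_header_discloses_version
for name in prod os; do
    if "${name}_sample_leaks"; then
        echo "$name sample: Server header discloses a version"
    else
        echo "$name sample: Server header hides the version"
    fi
done
```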

evo2 03-25-2010 09:00 PM

Quote:

Originally Posted by hockeyman_102 (Post 3912434)
We have a 3rd party doing a Qualys PCI scan. It's very frustrating, because it seems they are only going off version number, and I really, really do not like installing from src if I don't have to.

You should explain to them that what they are doing is extremely stupid.

If they force you to needlessly upgrade software you are more likely to introduce new security bugs. For production servers backporting the fixes (as is done in RHEL/CentOS, Debian etc.) is the way to go. If they (the 3rd party) don't understand this then I shudder to think what else they screw up.

Good luck!

Evo2.

anomie 03-26-2010 06:56 PM

Quote:

Originally Posted by win32sux
keep in mind that it's quite normal for distros to leave software version numbers intact when backporting security patches (the package version number is what gets bumped)

Bingo. Your scan is giving bogus results because it doesn't account for this.

hockeyman_102 03-30-2010 12:47 PM

[SOLVED] centos 5.4 need to update apache/httpd
 
By simply removing the Apache version in the header information, it was enough to trick Qualys into believing we're up to date, and/or actually trying the vuln. Anyways - we're in the clear - thanks guys!
