LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 03-25-2010, 04:18 PM   #1
hockeyman_102
Member
 
Registered: Apr 2006
Location: Washington
Distribution: Suse, CentOS, Ubuntu
Posts: 124

Rep: Reputation: 15
centos 5.4 need to update apache/httpd


Here goes; One of our production servers is running Apache 2.2.11-7, and we have some open vulns that need it to upgrade to 2.2.15.

Steps:
--------
use yum (LOVE yum)
  1. yum update
  2. yum update httpd - "No Packages marked for Update"
  3. yum list installed httpd - "Installed Package httpd.x86_64 2.2.11-7 installed"

Does this mean I have to manually install from src if I want to get apache upgraded, since I can't seem to find a 2.2.15 version of apache on rpmfind.net?

Also, if there are vulns, why can't yum update yet?
 
Old 03-25-2010, 04:52 PM   #2
Intel_
Member
 
Registered: Mar 2009
Location: Bulgaria
Distribution: Slackware
Posts: 103
Blog Entries: 5

Rep: Reputation: 20
CentOS uses older version of the software. Maybe this version, which you need is not included yet.
 
Old 03-25-2010, 06:32 PM   #3
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by hockeyman_102 View Post
we have some open vulns
How did you determine this? Did you perform some sort of vulnerability scan, or are you going solely by the version numbers? If it's the latter, keep in mind that it's quite normal for distros to leave software version numbers intact when backporting security patches (the package version number is what gets bumped). Have you checked the relevant package's changelog to see if there is a record of the vulnerabilities you're referring to having been addressed?

Last edited by win32sux; 03-25-2010 at 06:36 PM.
 
Old 03-25-2010, 07:50 PM   #4
hockeyman_102
Member
 
Registered: Apr 2006
Location: Washington
Distribution: Suse, CentOS, Ubuntu
Posts: 124

Original Poster
Rep: Reputation: 15
We have a 3rd party doing a Qualys PCI scan. It's very frustrating, because it seems they are only going off version number, and i really, really do not like installing from src if I don't have to.
 
Old 03-25-2010, 08:31 PM   #5
hockeyman_102
Member
 
Registered: Apr 2006
Location: Washington
Distribution: Suse, CentOS, Ubuntu
Posts: 124

Original Poster
Rep: Reputation: 15
I think i found a solution - I updated everything possible, and then changed my httpd.conf to not reflect the Apache version.

httpd.conf
Code:
#ServerTokens OS
ServerTokens Prod
And test it by:

Quote:
telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 26 Mar 2010 00:16:09 GMT
Server: Apache
Last-Modified: Mon, 02 Feb 2009 20:21:34 GMT
ETag: "8a09-461f54d068f80"
Accept-Ranges: bytes
Content-Length: 35337
Connection: close
Content-Type: text/html; charset=UTF-8
Still waiting for the scan to come back before I mark it as SOLVED.
 
Old 03-25-2010, 10:00 PM   #6
evo2
Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and Scientific Linux
Posts: 5,590

Rep: Reputation: 1227Reputation: 1227Reputation: 1227Reputation: 1227Reputation: 1227Reputation: 1227Reputation: 1227Reputation: 1227Reputation: 1227
Quote:
Originally Posted by hockeyman_102 View Post
We have a 3rd party doing a Qualys PCI scan. It's very frustrating, because it seems they are only going off version number, and i really, really do not like installing from src if I don't have to.
You should explain to them that what they are doing is extremely stupid.

If they force you to needlessly upgrade software you are more likely to introduce new security bugs. For production servers backporting the fixes (as is done in RHEL/CentOS, Debian etc.) is the way to go. If they (the 3rd party) don't understand this then I shudder to think what else they screw up.

Good luck!

Evo2.

Last edited by evo2; 03-25-2010 at 10:01 PM.
 
Old 03-26-2010, 07:56 PM   #7
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by win32sux
keep in mind that it's quite normal for distros to leave software version numbers intact when backporting security patches (the package version number is what gets bumped)
Bingo. Your scan is giving bogus results because it doesn't account for this.
 
Old 03-30-2010, 01:47 PM   #8
hockeyman_102
Member
 
Registered: Apr 2006
Location: Washington
Distribution: Suse, CentOS, Ubuntu
Posts: 124

Original Poster
Rep: Reputation: 15
[SOLVED] centos 5.4 need to update apache/httpd

By simply removing the Apache version in the header information, it was enough to trick Qualys into believing we're up to date, and or actually trying the vuln. Anyways - we're in the clear - thanks guys!
 
  


Reply

Tags
apache, centos, httpd


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
yum update on CentOS 5.3 upgraded my system to CentOS 5.4 diskoe Red Hat 1 10-29-2009 05:41 PM
Unable to start apache on CentOS Linux with error Starting httpd: Syntax error on lin pkumar2533 Linux - Newbie 9 08-26-2009 08:48 AM
Failed to start apache :Starting httpd: Syntax error on line 1027 of /etc/httpd/conf/ payjoe Linux - Newbie 3 09-21-2007 08:24 AM
update centos 4 rc1 to centos 4 trou yum? maxut cAos 2 03-04-2005 03:36 AM
httpd chokes on ScriptAlias line in Apache httpd.conf lhoff Linux - Software 1 07-14-2003 11:32 PM


All times are GMT -5. The time now is 04:00 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration