Apache 2.2.34 installation

Latest response

Hello,

I am wondering if RedHat support HTTPD 2.2.34 version. From this link it says it supports 2.2.15 https://access.redhat.com/solutions/445713

If it does support .34 version how does one upgrade from .15 to .34. I am not seeing anything definitive on the internet or on RedHat Web Site. Would i have to set up a repository to httpd.apache.org

Thank you,

Patrick

Responses

Safe to assume you're referring the RHEL6? I ask because, my RHEL7 system is running 2.4.6, release 67.

Latest in the repo is
httpd-2.2.15-60.el6_9.6.x86_64.rpm
This will likely contain multiple backports though. What is the reason you want 2.2.34 specifically? is there a feature you're after?

If it's for security reasons, the security patches will be backported into the above package.

Hello, The background is that I am moving content from a RedHat 5.8 Apache Server running 2.2.3. I have setup a new RedHat 6.9 server and installed the default 2.2.15. However I see that there is the 2.2.34 version available on the Apache Web Site and my Web Administrator would like me to install it so it is the latest version.

I'm not exactly sure what you mean by 'backported' or 'backport'.... I'm not sure how to upgrade it either from 2.2.15 to 2.2.34 as I am not seeing how to do it on my searches. Only way I have ever done it is via yum update.

Thank you.

When it comes to RPM names (and the value reported by the contained binaries' --version options), That 2.2.15 was the Apache HTTPD version that Red Hat originally packaged against. Over time, as new CVEs for Apache 2.2 have been addressed, those changes have been pushed into the Red Hat packaging of the 2.2.15 code via release-updates (the -<number> after the 2.2.15).

Basically, assuming that you're running the latest release of the 2.2.15 RPM, it contains all of the security fixes that have been released for Apache 2.2. That said, the Red Hat RPM may not have all/some/any of the feature updates Apache has release for the 2.2 httpd. Fortunately, Apache has typically been good about not adding features in sub-X.Y release-updates.

Hello Thomas,

So what you are saying is that Apache have bundled all security changes against 2.2.15. So how would I upgrade from 2.2.15 to 2.2.34 then?

Thank you.

Yes, all the security (and some performance) fixes are present. Feature updates are unlikely to be. For those, Red Hat typically needs to re-base the RPM. With respect to Apache's httpd, specifically, Apache doesn't generally push out feature upgrades at the X.Y.Z level - only the X and X.Y levels. If you're staying within the same X.Y level — as a change from 2.2.15 to 2.2.34 would be — you're not really "upgrading" per se.

That said, if you have some kind of hard requirement for your binary's -v output to say "2.2.34", you generally have two options:

  • Look for an appropriate RPM in one of the non-base/updates channels (think SCL, EPEL or similar)
  • Download the source from one of apache.org's mirrors and compile and install it yourself (you'd probably want to ensure that yours uses a different installation-prefix lest someone blow it up by installing an RPMed version over it)

Hi Thomas, yes I have tried epel-release and Red Hat Software Collections but cant get it working. Am going to try from source to see if I can get that to work. Have to say it is rather complicated to do what I thought would be a quick update :)

Yeah. Neither of those two have 2.2.34 because 2.2.15-latest already has everything that would be in a 2.2.34 packaging. A lot of RPM-maintainers won't update the X.Y.Z packaging to X.Y.Z' when X.Y.Z-release already contains everything that would be in an X.Y.Z' release.

I you're looking for something wholly newer than 2.2.x, the RHSCL repository does contain newer Apache releases (e.g., 2.4.x).

Hello, I found this discussion page while researching how to upgrade Apache httpd 2.2. We are still at RHEL 6 with an extended support (we plan on upgrading in the not too distant future). However, our scans ran into these CVE's: CVE-2017-3167, CVE-2017-3169, CVE-2017-7668, and CVE-2017-7679. We are running Apache httpd 2.2.15 and JBoss Version 5. The scanning software advises upgrading httpd to 2.2.34. As pointed out in this thread, there is no RPM at 2.2.34. It was mentioned that the security issues has been implemented in the latest 2.2.15. Could it be verified that these CVE's have been resolved in the latest 2.2.15 release? If yes, how do we upgrade to this RPM? Also if yes, would the scanner pass this software? Finally, if the CVE's have not been resolved or it is likely that the scans will still flag the CVE issues, what is recommended? Many thanks in advance for your help.

You can look those up in our CVE database:

You can update the package with yum update httpd. If you already have httpd-2.2.15-60.el6_9.5 or later then there's nothing to do. The package installed is already not vulnerable to these issues.

Whether the security scanner is smart enough to realise that RHEL 6's Apache version is repaired or not is another matter. You could be in the situation where the security scanner makes noise but the actual problem is fixed. You have researched the CVEs properly, so you could consider those specific items addressed. You may wish to provide feedback to the security scanner vendor if desired.