Can I update apache (httpd) in Satellite server 6.2.12?
Hi everyone.
I had a RHEL 7.2 server with Satellite 6.2.12 installed. A vulnerability scanner showed many httpd vulnerabilities.
I was reading about the vulnerabilities and the solution appears to be updating apache (httpd) to version 2.4.33. Actually httpd version 2.4.6 is installed.
Can I update httpd to version 2.4.33 without any problem for my Satellite? Or where can I find the compatibility table of Satellite-Apache?
Thanks.
Responses
Short answer: No, you cannot update to apache 2.4.33 - but that is not a problem. You do need to apply some Red Hat updates to get your system more current, though.
Long answer: This is the #1 FAQ for new users of Red Hat products (or IT security staff who do not understand how Red Hat Linux patching works, but see a scary-looking report from their vulnerability scanner).
In general (there are exceptions, like the 'firefox' package), once Red Hat releases the X.0 version of the operating system (RHEL 7.0 in this case), they do not release new versions of the included packages, such as Apache (or OpenSSL, OpenSSH, etc.). Instead, what they do is "back port" the security patches (only) from the new "upstream" package (say, apache 2.4.7 to 2.4.33) and compile them into a patched version of the "old" package (apache-2.4.6 in this case).
My production Satellite server currently has the package "httpd-2.4.6-80.el7_5.1.x86_64", which is the most recent version released by Red Hat (several months ago, not in 2014 as the 2.4.6 main version number might lead you to believe). The "-80" in the version number means that there have been at least 80 different versions of apache that Red Hat has compiled and tested since their original apache-2.4.6 release, so this package is not as outdated as the first part of the version indicates.
I would recommend that you fully update your system to RHEL 7.5 and Satellite 6.2.15. If it is a "connected" satellite (has access to redhat.com via the internet), this should be as simple as "yum update" (then run the Satellite 6.2.x minor-update process before rebooting). If your satellite is "disconnected" (has no internet access at all, not even via a proxy server), this will require copying the current RHEL 7 Server repo & Satellite 6.2 repo - probably by whatever means your organization used to install the Satellite server in the first place (download to a DMZ server that the Satellite server can then access? Download new ISOs + patches & copy via sneakernet?)
As a side note, if your vulnerability scanner is good enough, it can be "Red Hat-aware", and produce much more useful and informative output if configured correctly. One example that I know of is the Qualys product - instead of just opening a connection on port 80 (HTTP) and checking the headers returned by the web server, it can log in via SSH (non-root account) and run 'rpm -qa' to see the exact version of every package installed. It will then report something like "you have Red Hat (apache) package httpd-2.4.6-68, which is vulnerable. Update to httpd-2.4.6-80" (they may also refer to a Red Hat "Errata" number, which includes the required package update).
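The difference between a header-only scan and a package-aware scan described in the response above, as an added example that is not part of the original thread. The function names are hypothetical, the comparison follows rpm's segment-wise ordering in simplified form (no epoch, no `~` or `^` handling), and the package strings are the ones quoted in the thread.

```python
import re

def rpmvercmp(a: str, b: str) -> int:
    """Segment-wise compare in the style of rpm's rpmvercmp.
    Simplification (assumption): '~' and '^' operators are not handled."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as numbers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_nvr(pkg: str):
    """'httpd-2.4.6-80.el7_5.1.x86_64' -> ('httpd', '2.4.6', '80.el7_5.1')"""
    pkg = re.sub(r"\.(x86_64|i686|noarch)$", "", pkg)
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release

def banner_check(pkg: str, upstream_fixed: str) -> str:
    """What a header-only scan can see: the upstream version, never the release."""
    _, version, _ = split_nvr(pkg)
    return "VULNERABLE" if rpmvercmp(version, upstream_fixed) < 0 else "ok"

def package_check(pkg: str, fixed_pkg: str) -> str:
    """What a package-aware scan does: compare the full version-release
    against the build that carries the backported fix."""
    _, v, r = split_nvr(pkg)
    _, fv, fr = split_nvr(fixed_pkg)
    result = rpmvercmp(v, fv) or rpmvercmp(r, fr)
    return "VULNERABLE" if result < 0 else "ok"

if __name__ == "__main__":
    fixed = "httpd-2.4.6-80"  # fixed build named in the thread
    for installed in ("httpd-2.4.6-68", "httpd-2.4.6-80.el7_5.1.x86_64"):
        print(installed,
              "| banner:", banner_check(installed, "2.4.33"),
              "| package:", package_check(installed, fixed))
```

Both packages fail the banner check because their upstream version is 2.4.6, but only the -68 build fails the package check.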
I'd personally not diverge from the norm of the typical httpd that would be standard with Red Hat Satellite. If you did, I'd run it by support just for the mere reason of not causing a support issue with your satellite if some issue occurs. I believe strongly that they'd stridently recommend against it. I might be wrong, but I suspect this to be so.
Just curious what brings you to wanting to use a divergent version of httpd coinciding with a satellite?
Is there a reason you couldn't stand up a separate server, even a virtual server, to fulfill your need for a higher httpd version web server? Just curious.
Regards,
RJ
