HTTPD 2.4.3 RPM for RHEL 5.7

I have a server running RHEL 5.7

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.7 (Tikanga)

# uname -r
2.6.18-274.17.1.el5
#

The current version of HTTPD (Apache) is 2.2.3:

# rpm -qa | grep httpd
httpd-manual-2.2.3-65.el5_8
httpd-2.2.3-65.el5_8

#

Our security people are running scans for PCI compliance and are saying we need at least HTTPD 2.2.12. Our security people are also saying HTTPD 2.4 is out and we should just upgrade to that version. The problem is that HTTPD 2.2.3 is the latest release for RHEL 5.7 that can be installed using "yum update httpd" and our Red Hat subscription.

# grep "^serverURL" /etc/sysconfig/rhn/up2date
serverURL[comment]=Remote server URL
serverURL=https://xmlrpc.rhn.redhat.com/XMLRPC

#

I have searched and found a source RPM for HTTPD 2.4.3 (which then needs to be converted into an installable RPM using something like "rpmbuild"). The rpmbuild fails because of missing dependencies, so I downloaded those dependencies. One of the dependencies is itself a package that is not available for RHEL 5.7 -- so here I go again.

Does anyone know of an already built HTTPD 2.4+ for RHEL 5.7 with all dependencies resolved (so this would be a repo, if I am not mistaken)?

Thanks for any help.

--John H.

Responses

Our security people are running scans for PCI compliance and are saying we need at least HTTPD 2.2.12. Our security people are also saying HTTPD 2.4 is out and we should just upgrade to that version. The problem is that HTTPD 2.2.3 is the latest release for RHEL 5.7 that can be installed using "yum update httpd" and our Red Hat subscription.

If your security people say you should just upgrade to a newer version, then you may want to help them understand about enterprise software requirements like stability and maintainability. You may also want to give Backporting Security Fixes and What is backporting? a careful read.

Hi John, my name is Chris Robinson, I'm a Technical Account Manager here at Red Hat. I also happen to be a CISSP that has a lot of background with PCI compliance. You have an interesting problem with your PCI compliance needs on HTTPD. I'm guessing your Security folks are looking at Requirement 6.1 of the PCI DSS 2.0 ("6.1 Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.").

So if you go by the letter of the "law" (though PCI is NOT a legal or regulatory framework) you technically ARE in compliance. httpd-2.2.3-65.el5_8 is the latest supplied version of that package Red Hat offers on RHEL5 (with RHEL6 only being slightly ahead of it on httpd-2.2.15-15.el6_2.1). What is more interesting is WHY your Security group is advocating a higher version for HTTPD than we as a company provide. Is there an exploitable issue? If so, perhaps the problem they are identifying may have already been dealt with in an errata release. Is there some vulnerability or CVE they are citing as an issue, or are they merely getting a report back from some automated tool? If there still continues to be a vulnerability, we absolutely can work with our development community and see if it can be addressed (if one is not already in flight).

To your question about "rolling your own", and somewhat to play off of what Ray commented above: Yes, you could package your own RPM; that's the amazing thing about open source software, the control you can exert over it to make it do what you want it to do... but doing so (as you have seen) isn't always smooth out of the gate, and you open yourself up to some operational issues down the road as you continue to work with and update this server. I'd read through the links Ray suggested, and even pass those along to your internal partners.

Personally, what I would do in your situation would be to talk to your InfoSec group and see what the root of their concern and suggestion is, to see if you need to take more drastic measures. Taking on the packaging and management of that setup will add operational expense and overhead to your team going forward; I'd rather rely on the value of the subscriptions you've already invested in and let Red Hat manage that for you (packaging, testing, validating, publishing, maintaining). If there is a vulnerability, we'd LOVE to know about it so it can be addressed through our already-existing processes so that the whole community can benefit. The Red Hat Security Response Team does a great job at identifying and correcting security holes; chances are the issues cited upstream have already been dealt with.

If you'd like to discuss this further, please feel free to reply back. I hope this has been helpful.

Regards,

Chris Robinson

First let me thank you, Ray and Chris, for your time.

Second,

I forwarded the discussion posts to my security people and now they are asking if we have the following packages (patches) installed. These packages are for Security Advisory RHSA-2011:1369-1.

httpd-2.2.13-3.el5s2.x86_64.rpm
httpd-devel-2.2.13-3.el5s2.x86_64.rpm
httpd-manual-2.2.13-3.el5s2.x86_64.rpm
mod_ssl-2.2.13-3.el5s2.x86_64.rpm

Where do I find these packages (for download) on the RHN (access.redhat.com or rhn.redhat.com)?

I'm new to these discussions... Do I assign "points" or "votes" if someone gives me useful info?

Again, Thanks.

Hi John,

Below are the direct links to the packages:

httpd-2.2.13-3.el5s2.x86_64.rpm https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=650632
httpd-devel-2.2.13-3.el5s2.x86_64.rpm https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=650633
httpd-manual-2.2.13-3.el5s2.x86_64.rpm https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=650634
mod_ssl-2.2.13-3.el5s2.x86_64.rpm https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=650635

I hope it helps.

Regards,

Anand

Hi John,

The RHSA-2011-1369 that your security people refer to is an erratum for the Red Hat Application Stack v2 product to address CVE-2011-3192 specifically. The Application Stack product is a fairly obscure one, and the installed httpd package versions you mentioned originally suggest that you have httpd packages for the regular Red Hat Enterprise Linux 5 product installed, not ones from the Application Stack product, so I find your security people's question quite confusing.

I'm going to assume that what your security people are really concerned about is whether your system is susceptible to CVE-2011-3192.

The RHEL5 erratum for CVE-2011-3192 is RHSA-2011-1245 dated 2011-08-31 which brought httpd package version 2.2.3-53.el5_7.1. That package version predates the one you have installed, so your installed version should not be affected by this CVE. To make this clear to your security people, you can run an "rpm -q --changelog httpd" on your system and point out the following entries in this changelog to them:

     * Wed Oct 26 2011 Joe Orton <jorton@redhat.com> - 2.2.3-57
     - updated patch for CVE-2011-3192 (#733061)
     - add security fix for CVE-2011-3368 (#743904)
and

     * Fri Sep 09 2011 Joe Orton <jorton@redhat.com> - 2.2.3-55
     - add security fix for CVE-2011-3192 (#733061, #736593)

I expect these to provide your security people with the reassurance I think they're really looking for.

HTH,

Ray
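As an added example (not code from the thread, from Red Hat, or from any poster), a small POSIX shell helper that applies Ray's check: it scans "rpm -q --changelog" output for a CVE identifier and reports the oldest release whose entry mentions it, which is the release that first carried the backported fix. The sample changelog embedded in it is constructed from the two entries quoted above; the function name is my own.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a package's RPM changelog
# records a fix for a given CVE. Red Hat backports fixes without bumping the
# upstream version, so the changelog (rpm -q --changelog <pkg>), not the
# version string, is the evidence to show a scanner or auditor.

# Constructed sample: the two httpd changelog entries quoted in the thread,
# newest first, in the layout "rpm -q --changelog httpd" prints.
SAMPLE_CHANGELOG='* Wed Oct 26 2011 Joe Orton <jorton@redhat.com> - 2.2.3-57
- updated patch for CVE-2011-3192 (#733061)
- add security fix for CVE-2011-3368 (#743904)

* Fri Sep 09 2011 Joe Orton <jorton@redhat.com> - 2.2.3-55
- add security fix for CVE-2011-3192 (#733061, #736593)'

# cve_fixed_release CVE-ID [CHANGELOG_TEXT]
# Reads the changelog from the second argument, or from stdin when it is
# omitted, and prints the oldest version-release whose entry mentions the CVE
# (the release that first carried the fix). Exit status 1 if nothing matches.
cve_fixed_release() {
    cve=$1
    if [ $# -ge 2 ]; then printf '%s\n' "$2"; else cat; fi |
    awk -v cve="$cve" '
        /^\* /          { release = $NF; next }          # header: "* date author - ver-rel"
        index($0, cve)  { fixed = release; found = 1 }   # entries are newest first, so
                                                         # the last match is the oldest
        END {
            if (!found) exit 1
            print fixed
        }'
}

# On a live RHEL system (assumes rpm is present) the same check is:
#   rpm -q --changelog httpd | cve_fixed_release CVE-2011-3192
#   rpm -q httpd    # installed release must be the same as, or newer than, that
# Demo against the constructed sample; prints 2.2.3-55:
cve_fixed_release CVE-2011-3192 "$SAMPLE_CHANGELOG"
```

An empty result means no entry mentions the CVE, which is not proof the package is vulnerable (the fix may be listed under a different bug number or the package may never have been affected), only that the changelog does not settle it.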