Updating httpd and fixing issues

Support for security such as firewalls and securing Linux
matthes134
Posts: 6
Joined: 2015/01/29 16:23:26

Updating httpd and fixing issues

Post by matthes134 » 2015/02/05 17:57:44

I have run a security test on my local site (CentOS 6.5 x86_64) and it finds many errors with the httpd Apache version: it is 2.2.15 and the test wants a later package, but doing a yum update httpd doesn't provide any updates. I see on the apache.org site that the latest is 2.4.12, but I have heard that by compiling your own version you can break other parts of the OS that use Apache? What risks do I have by doing this, or is there a better way of updating?

avij
Retired Moderator
Posts: 3043
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Updating httpd and fixing issues

Post by avij » 2015/02/05 18:21:58

What you should do is run yum update without any other arguments to update to CentOS 6.6. Cherry-picking updates like you tried to do is not supported.

You should also read https://access.redhat.com/security/updates/backporting/ , it mentions httpd as an example.

TL;DR: Do not trust security tests that check only the version number. They will produce incorrect results on CentOS and RHEL. rpm -q --changelog httpd | grep CVE will tell which vulnerabilities have been fixed in the installed version.
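The check avij describes, cross-referencing a scanner's CVE list against the installed package's RPM changelog, as an added example (this is not code from the post or from CentOS). It uses a constructed changelog excerpt with placeholder identifiers of the form CVE-0000-000N so that it runs offline; on a real host the changelog text would come from `rpm -q --changelog httpd`, and the CVE list from the scanner report.

```shell
#!/bin/sh
# Added example: triage scanner-reported CVEs against the RPM changelog.
# On a real CentOS host, use:  triage "$(rpm -q --changelog httpd)" "$SCANNER_CVES"

# Constructed sample of "rpm -q --changelog httpd" output. The maintainer,
# bug numbers and CVE identifiers are placeholders, not real data.
CHANGELOG='* Tue Oct 14 2014 Example Maintainer <example@example.invalid> - 2.2.15-39
- Resolves: #1000001 - CVE-0000-0001 mod_example: denial of service
- Resolves: #1000002 - CVE-0000-0002 mod_example: information disclosure
* Mon Mar 24 2014 Example Maintainer <example@example.invalid> - 2.2.15-30
- Resolves: #1000003 - CVE-0000-0003 mod_example: crash on crafted request'

# CVEs a (hypothetical) scanner flagged against the running httpd, one per line.
SCANNER_CVES='CVE-0000-0001
CVE-0000-0002
CVE-0000-0003
CVE-0000-0004'

# Print every CVE identifier mentioned in changelog text $1, deduplicated.
changelog_cves() {
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]+' | sort -u
}

# For each CVE in list $2, print "fixed <cve>" when changelog text $1 mentions it
# (the backported fix is already installed), otherwise "check <cve>": look that
# one up in Red Hat's CVE database before believing the scanner, because it may
# not apply to the RHEL/CentOS build at all.
triage() {
    fixed=$(changelog_cves "$1")
    printf '%s\n' "$2" | while read -r cve; do
        [ -n "$cve" ] || continue
        if printf '%s\n' "$fixed" | grep -qx "$cve"; then
            echo "fixed $cve"
        else
            echo "check $cve"
        fi
    done
}

triage "$CHANGELOG" "$SCANNER_CVES"
```

Only CVE-0000-0004 comes out as "check" for the sample input; a real scanner report that still lists CVEs the changelog does not mention is the case to investigate, not the version number itself.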

matthes134
Posts: 6
Joined: 2015/01/29 16:23:26

Re: Updating httpd and fixing issues

Post by matthes134 » 2015/02/05 19:21:51

Thank you for your reply. I did the yum update and I'm on 6.6 Final now. I re-ran the security scanner and I still come up with issues with httpd being outdated, it says? I also ran sudo rpm -q --changelog httpd | grep CVE and didn't find all the patches listed on the printout that the security scanner says are an issue. I have used the Qualys vulnerability scanner and the Nexpose Community Edition scanner; both come back with similar issues with the httpd version. A little confused what to do, or if I should be worried about these vulnerabilities?

avij
Retired Moderator
Posts: 3043
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Updating httpd and fixing issues

Post by avij » 2015/02/05 22:21:06

Which CVEs were still an issue? Please note that some vulnerabilities may not apply to the CentOS build of httpd for one reason or another. For example, httpd may have been compiled without the vulnerable functionality.

You can also refer to Red Hat's Bugzilla (example: https://bugzilla.redhat.com/show_bug.cg ... -2015-0235) or CVE database (example: https://access.redhat.com/security/cve/CVE-2015-0235) to see what Red Hat thinks of the vulnerabilities. You may see statements saying that "RHEL version x is not vulnerable to..", in which case you don't need to worry about that particular CVE on CentOS.

aks
Posts: 3056
Joined: 2014/09/20 11:22:14

Re: Updating httpd and fixing issues

Post by aks » 2015/02/06 18:47:42

As others have hinted at, the RHEL/CentOS version string in Apache does NOT equate to what is in the source repository at the project's website. RHEL/CentOS backport patches that are released in higher versions back to the original version.
99.9% of "web scanners" read the version string and make a decision on that, not actually testing for real known vulnerabilities (to be fair, some scanners mark it as a warning rather than a problem).

jscarville
Posts: 126
Joined: 2014/06/17 21:50:37

Re: Updating httpd and fixing issues

Post by jscarville » 2015/02/09 23:10:11

Set the following in /etc/httpd/conf/httpd.conf

ServerTokens Prod
ServerSignature Off

This will stop Apache from reporting the revision and OS.

While you are at it, turn off tracing too:

TraceEnable off
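An added example (not code from the post above) that audits an httpd.conf for the three directives jscarville lists, reporting the effective value of each and applying Apache's built-in default (ServerTokens Full, ServerSignature Off, TraceEnable On) when a directive is absent, since a missing TraceEnable line is just as exposed as an explicit "on". The two config excerpts are constructed for the example; on a real host pass the contents of /etc/httpd/conf/httpd.conf. Included files are not followed, so a directive set in conf.d/ would need checking separately.

```shell
#!/bin/sh
# Added example: report ServerTokens / ServerSignature / TraceEnable settings.
# On a real host:  audit_conf "$(cat /etc/httpd/conf/httpd.conf)"

# Constructed excerpt resembling a stock httpd.conf before hardening (not a real file).
# TraceEnable is deliberately absent so the default applies.
WEAK_CONF='# constructed sample
ServerTokens OS
ServerRoot "/etc/httpd"
ServerSignature On'

# Constructed excerpt after applying the directives from the post.
HARDENED_CONF='# constructed sample
ServerTokens Prod
ServerRoot "/etc/httpd"
ServerSignature Off
TraceEnable off'

# Print the effective value of directive $2 in config text $1. Directive names are
# case-insensitive; Apache takes the last occurrence; commented lines are ignored.
# Prints nothing when the directive is absent.
directive_value() {
    printf '%s\n' "$1" | grep -iE "^[[:space:]]*$2[[:space:]]+" | tail -n 1 | awk '{print $2}'
}

# Compare the effective value of directive $2 in config $1 against wanted value $3,
# using Apache default $4 when the directive is absent. Values are compared
# case-insensitively, as Apache accepts them.
check_directive() {
    v=$(directive_value "$1" "$2")
    v=${v:-$4}
    lv=$(printf '%s' "$v" | tr 'A-Z' 'a-z')
    lw=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    if [ "$lv" = "$lw" ]; then
        echo "ok $2 $v"
    else
        echo "weak $2 $v (want $3)"
    fi
}

# One line per directive: "ok <name> <value>" or "weak <name> <value> (want <value>)".
audit_conf() {
    check_directive "$1" ServerTokens Prod Full
    check_directive "$1" ServerSignature Off Off
    check_directive "$1" TraceEnable off on
}

echo "--- weak config"
audit_conf "$WEAK_CONF"
echo "--- hardened config"
audit_conf "$HARDENED_CONF"
```

Hiding the version only stops banner-based scanners from complaining; it does not change which CVEs are fixed, which is what the rpm changelog and Red Hat's CVE pages tell you.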
