Centos 8 httpd updates

Support for security such as Firewalls and securing Linux
ny_infra_user1
Posts: 4
Joined: 2018/05/11 15:30:56

Centos 8 httpd updates

Post by ny_infra_user1 » 2020/05/22 12:33:45

The latest version of Apache httpd for CentOS 8 I can find is 2.4.37 from the CentOS 8 AppStream Repository, unless I download the source code directly from Apache and compile it. I understand self-compiled versions are not recommended.

This version is showing a number of vulnerabilities when being scanned by our vulnerability scanner.

Anyone any ideas of when a later version is due to come out for CentOS 8, or if there are any other repositories out there with a later version for CentOS 8?

jlehtone
Posts: 2865
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Centos 8 httpd updates

Post by jlehtone » 2020/05/22 12:59:01

CentOS 8 has httpd-2.4.37-16.module_el8.1.0+256+ae790463
RHEL 8.2 has httpd-2.4.37-21.module+el8.2.0+5008+cca404a3 (or later).

CentOS is derived from RHEL.
CentOS 8.0-1905 was released 140 days after RHEL 8.0
CentOS 8.1-1911 was released 71 days after RHEL 8.1
CentOS 8.2-2004 will be released when it is ready, and packages can be expected in CR repo of CentOS 8.1-1911 well before that.

TrevorH
Forum Moderator
Posts: 28823
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Centos 8 httpd updates

Post by TrevorH » 2020/05/22 13:14:44

You cannot judge the security of the CentOS package based only on its version number as Red Hat backport security fixes to their versions. Check the output from rpm -q --changelog httpd | less to see what CVEs have been fixed. And see https://access.redhat.com/security/updates/backporting for more information on how security patching works in RHEL/CentOS.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke
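
The changelog check suggested in the reply above can be scripted so that each CVE ID a version-based scanner flags is looked up in the package changelog. This is an added example, not part of the thread or of any CentOS tooling; the function names are hypothetical and the sample changelog (CVE IDs, releases, dates, bug numbers) is constructed.

```shell
#!/bin/sh
# Cross-check CVE IDs flagged by a version-based scanner against the package
# changelog, where backported fixes are recorded even though the upstream
# version number does not change.

# check_cves FILE CVE-ID...   (FILE "-" reads the changelog from stdin)
# Prints "<id> fixed-in <version-release>", "<id> not-in-changelog" or
# "<id> invalid-id". Exit status is 0 only if every ID was found.
check_cves() (
    file=$1; shift
    text=$(cat -- "$file") || exit 2
    rc=0
    for cve in "$@"; do
        if ! printf '%s\n' "$cve" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$'; then
            echo "$cve invalid-id"; rc=1; continue
        fi
        # Entry headers start with "* " and end in version-release. Entries
        # are newest first, so the last match is the oldest build with the fix.
        # The ID must not be followed by a digit (CVE-x-1000 vs CVE-x-10001).
        rel=$(printf '%s\n' "$text" | awk -v id="$cve" '
            /^\* / { cur = $NF }
            $0 ~ (id "([^0-9]|$)") { hit = cur }
            END { print hit }')
        if [ -n "$rel" ]; then
            echo "$cve fixed-in $rel"
        else
            echo "$cve not-in-changelog"; rc=1
        fi
    done
    exit "$rc"
)

# Constructed sample in `rpm -q --changelog` layout; every value in it is a
# placeholder, not a real httpd changelog entry.
sample_changelog() {
    cat <<'EOF'
* Tue Mar 03 2099 Example Packager <pkg@example.invalid> - 2.4.37-99
- Resolves: #0000002 - CVE-2099-10001 httpd: placeholder issue B

* Mon Jan 05 2099 Example Packager <pkg@example.invalid> - 2.4.37-98
- Resolves: #0000001 - CVE-2099-1000 httpd: placeholder issue A
EOF
}
```

On a real host the input would be `rpm -q --changelog httpd | check_cves - <ids from the scanner report>`; an ID reported as not-in-changelog still needs checking against the vendor's advisory for that CVE.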

ny_infra_user1
Posts: 4
Joined: 2018/05/11 15:30:56

Re: Centos 8 httpd updates

Post by ny_infra_user1 » 2020/05/22 14:13:41

Thanks for your replies. I have been trying to prove that I have the latest version of httpd on the servers as I have updated them from the AppStream Repository Mirrors, but the vulnerability scanner is reporting issues and my manager keeps coming back to me every time he sees it to ask if I can fix them & get a later version.

I have said on several occasions that I have the up to date version, but wanted to ensure I am correct.

The scanner must be just checking the version no. and saying it needs to be updated, but I want to ensure I definitely have the latest version available for CentOS 8. Hopefully the output from rpm -q --changelog httpd | less will help me prove the point.

Many thanks guys.

kluch
Posts: 3
Joined: 2020/05/31 05:47:54

Re: Centos 8 httpd updates

Post by kluch » 2020/05/31 06:00:25

Hi, I had the same situation with Nessus. Solution was to set "ServerTokens Prod" in Apache conf (scanner probably read useless Apache banner).

ny_infra_user1
Posts: 4
Joined: 2018/05/11 15:30:56

Re: Centos 8 httpd updates

Post by ny_infra_user1 » 2020/06/03 14:58:59

Thank you for the tip.

We will test that on our DEV/TEST servers first and see if it makes a difference.
