Need to upgrade http to the latest version(2.4.58)

Support for security such as Firewalls and securing linux
Post Reply
telxsi
Posts: 3
Joined: 2024/02/06 05:11:13

Need to upgrade http to the latest version(2.4.58)

Post by telxsi » 2024/02/06 06:14:30

As per the Apache release, the latest version of HTTP is 2.4.58, but we are not able to update to the latest version in the Centos 9 stream. even after reinstalling the version still 2.4.57.

User avatar
TrevorH
Site Admin
Posts: 33163
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Need to upgrade http to the latest version(2.4.58)

Post by TrevorH » 2024/02/06 10:23:00

You need to read https://access.redhat.com/security/updates/backporting/ for information on backporting of security fixes and features in CentOS and RHEL. Additionally https://access.redhat.com/solutions/2074 may also be of use.

Upgrading to the current upstream version is not how CentOS/RHEL works.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

tunk
Posts: 1204
Joined: 2017/02/22 15:08:17

Re: Need to upgrade http to the latest version(2.4.58)

Post by tunk » 2024/02/06 14:50:16

And if security is a concern, then Stream may not be the best choice:
Stream is a rolling pre-release (aka. beta) of the next RHEL point
release. It may be better to use one of the RHEL clones/rebuilds like
Rocky, Alma, OEL etc.

User avatar
TrevorH
Site Admin
Posts: 33163
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Need to upgrade http to the latest version(2.4.58)

Post by TrevorH » 2024/02/06 15:01:35

The changelog for 2.4.58 lists the following CVEs as fixed and these are the links to the RH info about those.

https://access.redhat.com/security/cve/CVE-2023-45802
https://access.redhat.com/security/cve/CVE-2023-43622
https://access.redhat.com/security/cve/CVE-2023-31122
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

telxsi
Posts: 3
Joined: 2024/02/06 05:11:13

Re: Need to upgrade http to the latest version(2.4.58)

Post by telxsi » 2024/02/08 07:54:43

There is a Tenable report that says HTTP version 2.4.57 is vulnerable and needs to be upgraded to the latest version. While checking there is no repo for 2.4.58. Is it possible to update the HTTP to the latest version in Centos 9 stream??

User avatar
jlehtone
Posts: 4512
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Need to upgrade http to the latest version(2.4.58)

Post by jlehtone » 2024/02/08 09:12:59

Did you read the description of backporting? The "2.4.57" in RHEL is not the 2.4.57.

telxsi
Posts: 3
Joined: 2024/02/06 05:11:13

Re: Need to upgrade http to the latest version(2.4.58)

Post by telxsi » 2024/02/08 09:52:55

Yes. I understood the backporting, But could you please tell me how can we provide proof against it to get an exception from the vulnerability incident? We will need proof that this version is not vulnerable. Is that possible?

User avatar
TrevorH
Site Admin
Posts: 33163
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Need to upgrade http to the latest version(2.4.58)

Post by TrevorH » 2024/02/08 11:10:18

Read the CVE links to RH that I posted. They often have mitigations that you can use. If and when they fix them in RHEL then they will be fixed in the rebuilds. Stream is a special case and may not get the fix until later or maybe it'll get it first.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

User avatar
jlehtone
Posts: 4512
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Need to upgrade http to the latest version(2.4.58)

Post by jlehtone » 2024/02/08 12:49:57

telxsi wrote:
2024/02/08 09:52:55
We will need proof
If you do need proof, then you probably have a "production system" and one does not use CentOS Stream for production.


Take a system that you do know to be vulnerable and exploit the vulnerability. Now you know that your exploit "works".
Then repeat on your CentOS Stream system. If the exploit "succeeds" there too, then Stream is vulnerable.
Alas, your failure to exploit a Stream system is not complete proof that Stream is not vulnerable.

User avatar
TrevorH
Site Admin
Posts: 33163
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Need to upgrade http to the latest version(2.4.58)

Post by TrevorH » 2024/02/08 13:05:49

Also Tenable checks often use the service "banner" information to determine if a system is vulnerable. It does not check if the exploit actually is present, it just looks at the banner returned in the e.g. http headers and says "oh, httpd 2.4.57 is not 2.4.58" and does not check if it is actually exploitable. Red Hat backports do not change the version number even when the problem is fixed so these sorts of checks are often unreliable.

In this particular case the CVE pages say that RH have not yet fixed the problem. For one of the vulnerabilities there is a documented bypass for the problem in that CVE page https://access.redhat.com/security/cve/CVE-2023-31122 and a 2nd one says "During "normal" HTTP/2 use, the probability of encountering this issue is very low".
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Post Reply