Centos 8 httpd updates

Support for security such as Firewalls and securing linux
ny_infra_user1
Posts: 4
Joined: 2018/05/11 15:30:56

Post by ny_infra_user1 » 2020/05/22 12:33:45

The latest version of Apache httpd for CentOS 8 I can find is 2.4.37 from the CentOS 8 AppStream Repository, unless I download the source code direct from Apache and compile. I understand self-compiled versions are not recommended.

This version is showing a number of vulnerabilities when being scanned by our vulnerability scanner.

Anyone any ideas of when a later version is due to come out for CentOS 8, or if there are any other repositories out there with a later version for CentOS 8?

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Centos 8 httpd updates

Post by jlehtone » 2020/05/22 12:59:01

CentOS 8 has httpd-2.4.37-16.module_el8.1.0+256+ae790463
RHEL 8.2 has httpd-2.4.37-21.module+el8.2.0+5008+cca404a3 (or later).

CentOS is derived from RHEL.
CentOS 8.0-1905 was released 140 days after RHEL 8.0
CentOS 8.1-1911 was released 71 days after RHEL 8.1
CentOS 8.2-2004 will be released when it is ready, and packages can be expected in CR repo of CentOS 8.1-1911 well before that.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Centos 8 httpd updates

Post by TrevorH » 2020/05/22 13:14:44

You cannot judge the security of the CentOS package based only on its version number as Red Hat backport security fixes to their versions. Check the output from rpm -q --changelog httpd | less to see what CVEs have been fixed. And see https://access.redhat.com/security/updates/backporting for more information on how security patching works in RHEL/CentOS.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
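
The changelog check suggested in the post above, extended to a whole list of scanner-reported CVE IDs, as an added example that is not part of the original thread. The function names, the sample changelog and the CVE-0000-… IDs are constructed placeholders; on a real host the input would come from rpm -q --changelog httpd.

```shell
#!/bin/sh
# Added example: compare scanner-reported CVE IDs with a package changelog.
# Real use:  rpm -q --changelog httpd | cve_status CVE-... CVE-...

# cve_status ID...
# Reads changelog text on stdin and prints "<ID> <status>" for each ID:
#   listed      the packager's changelog names this CVE
#   not-listed  the changelog is silent; check the vendor's CVE page for
#               the package's status before drawing a conclusion
#   invalid-id  the argument is not shaped like a CVE ID (catches typos
#               that would otherwise be reported as not-listed)
cve_status() {
    changelog=$(cat)
    for id in "$@"; do
        if ! printf '%s\n' "$id" | grep -Eqx 'CVE-[0-9]{4}-[0-9]{4,}'; then
            echo "$id invalid-id"
        # -F: literal match, -w: whole word, so CVE-0000-0001 does not
        # match inside a longer ID such as CVE-0000-00012.
        elif printf '%s\n' "$changelog" | grep -qwF -e "$id"; then
            echo "$id listed"
        else
            echo "$id not-listed"
        fi
    done
}

# Constructed sample in the layout that rpm -q --changelog prints.
# All names, bug numbers and CVE IDs here are placeholders.
sample_changelog() {
    cat <<'EOF'
* Mon Jan 06 2020 Example Packager <packager@example.com> - 2.4.37-21
- Resolves: #0000001 - CVE-0000-0001 httpd: placeholder flaw A

* Tue Oct 08 2019 Example Packager <packager@example.com> - 2.4.37-16
- mod_example: fix placeholder flaw B (CVE-0000-0002)
EOF
}

# Demo run against the constructed sample.
sample_changelog | cve_status CVE-0000-0001 CVE-0000-0002 CVE-0000-0003 cve-1
```

The output is one line per ID and can be attached to a scanner finding as evidence; a not-listed result is a prompt to look up that CVE for the package, not a verdict.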

ny_infra_user1
Posts: 4
Joined: 2018/05/11 15:30:56

Re: Centos 8 httpd updates

Post by ny_infra_user1 » 2020/05/22 14:13:41

Thanks for your replies, I have been trying to prove that I have the latest version of httpd on the servers as I have updated them from the AppStream Repository Mirrors, but the vulnerability scanner is reporting issues and my manager keeps coming back to me every time he sees it to ask if I can fix them & get a later version.

I have said on several occasions that I have the up to date version, but wanted to ensure I am correct.

The scanner must be just checking the version no. and saying it needs to be updated, but I want to ensure I definitely have the latest version available for CentOS 8. Hopefully the output from rpm -q --changelog httpd | less will help me prove the point.

Many thanks guys.

kluch
Posts: 10
Joined: 2020/05/31 05:47:54

Re: Centos 8 httpd updates

Post by kluch » 2020/05/31 06:00:25

Hi, I had the same situation with Nessus. Solution was to set "ServerTokens Prod" in Apache conf (scanner probably read useless Apache banner).

ny_infra_user1
Posts: 4
Joined: 2018/05/11 15:30:56

Re: Centos 8 httpd updates

Post by ny_infra_user1 » 2020/06/03 14:58:59

Thank you for the tip.

We will test that on our DEV/TEST servers first and see if it makes a difference.

dfg333
Posts: 1
Joined: 2020/11/06 08:49:13

Re: Centos 8 httpd updates

Post by dfg333 » 2020/11/06 08:59:10

Same problem in Nov 2020, on CentOS 8.

Code:

$ sudo yum install httpd
Last metadata expiration check: 1:58:49 ago on Fri 06 Nov 2020 02:38:55 PM.
Package httpd-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!

$ httpd -v
Server version: Apache/2.4.37 (centos)
Server built:   Sep 15 2020 15:41:16

But site checkers like https://sitecheck.sucuri.net/ say:
Outdated Software Detected : Apache under 2.4.44

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Centos 8 httpd updates

Post by TrevorH » 2020/11/06 18:01:46

Try reading the other answers in this thread which already contain solutions or explanations.

tunk
Posts: 1204
Joined: 2017/02/22 15:08:17

Re: Centos 8 httpd updates

Post by tunk » 2020/11/06 18:03:06

Please reread Trevor's reply above, in particular the link.

Tiraflo
Posts: 4
Joined: 2020/12/08 16:51:05

Re: Centos 8 httpd updates

Post by Tiraflo » 2020/12/08 17:03:21

Dear all, dear TrevorH,

Thank you for this complete explanation.

I'm currently struggling with vulnerabilities for the same version (2.4.37; the latest available one for CentOS 8). One of those is named CVE-2018-17189.
CVE-2018-17189 is not mentioned in the changelog. I guess it simply means the related fix has not been backported.
In this situation, what else can I do to solve the security issue?

Thank you and regards.
