Centos 8 httpd updates

Posted: 2020/05/22 12:33:45
by ny_infra_user1
The latest version of Apache httpd for CentOS 8 I can find is 2.4.37 from the CentOS 8 AppStream Repository, unless I download the source code direct from Apache and compile. I understand self-compiled versions are not recommended.

This version is showing a number of vulnerabilities when being scanned by our vulnerability scanner.

Anyone any ideas of when a later version is due to come out for CentOS 8, or if there are any other repositories out there with a later version for CentOS 8?

Re: Centos 8 httpd updates

Posted: 2020/05/22 12:59:01
by jlehtone
CentOS 8 has httpd-2.4.37-16.module_el8.1.0+256+ae790463
RHEL 8.2 has httpd-2.4.37-21.module+el8.2.0+5008+cca404a3 (or later).

CentOS is derived from RHEL.
CentOS 8.0-1905 was released 140 days after RHEL 8.0
CentOS 8.1-1911 was released 71 days after RHEL 8.1
CentOS 8.2-2004 will be released when it is ready, and packages can be expected in CR repo of CentOS 8.1-1911 well before that.

Re: Centos 8 httpd updates

Posted: 2020/05/22 13:14:44
by TrevorH
You cannot judge the security of the CentOS package based only on its version number as Red Hat backport security fixes to their versions. Check the output from rpm -q --changelog httpd | less to see what CVEs have been fixed. And see https://access.redhat.com/security/updates/backporting for more information on how security patching works in RHEL/CentOS.
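
Added example, not part of TrevorH's post: a small script that does the changelog check described above for a list of CVE IDs instead of paging through the output by eye. The function names, the sample changelog and the CVE-0000-… IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list which CVE IDs an RPM changelog names.
# Real use on a CentOS/RHEL host:
#   rpm -q --changelog httpd | check_cves CVE-2018-17189

# Print every distinct CVE ID found in the changelog text on stdin.
cves_in_changelog() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Read a changelog on stdin and report, for each CVE ID given as an argument,
# whether the changelog names it. Returns 1 if any ID is missing.
check_cves() {
    cc_found=$(cves_in_changelog)
    cc_rc=0
    for cc_id in "$@"; do
        # -x: whole-line match, so CVE-0000-1111 never matches CVE-0000-11111
        if printf '%s\n' "$cc_found" | grep -qxF -e "$cc_id"; then
            echo "$cc_id listed"
        else
            echo "$cc_id NOT listed"
            cc_rc=1
        fi
    done
    return "$cc_rc"
}

# Constructed changelog in rpm's layout; packager, bug numbers and CVE IDs are made up.
sample_changelog() {
    cat <<'EOF'
* Mon Jan 06 2020 Example Packager <packager@example.com> - 2.4.37-99
- Resolves: #0000002 - CVE-0000-22222 httpd: constructed entry two
- Resolves: #0000001 - CVE-0000-11111 httpd: constructed entry one

* Tue Oct 01 2019 Example Packager <packager@example.com> - 2.4.37-98
- Resolves: #0000003 - CVE-0000-11111 follow-up fix (constructed)
EOF
}

# Demo on the constructed data; "|| true" because one ID is deliberately absent.
sample_changelog | check_cves CVE-0000-11111 CVE-0000-33333 || true
```

"NOT listed" only means the changelog text does not name that ID. Red Hat's own page for the CVE states whether the packaged httpd is affected.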

Re: Centos 8 httpd updates

Posted: 2020/05/22 14:13:41
by ny_infra_user1
Thanks for your replies, I have been trying to prove that I have the latest version of httpd on the servers as I have updated them from the AppStream Repository Mirrors, but the vulnerability scanner is reporting issues and my manager keeps coming back to me every time he sees it to ask if I can fix them & get a later version.

I have said on several occasions that I have the up to date version, but wanted to ensure I am correct.

The scanner must be just checking the version no. and saying it needs to be updated, but I want to ensure I definitely have the latest version available for CentOS 8. Hopefully the output from rpm -q --changelog httpd | less will help me prove the point.

Many thanks guys.

Re: Centos 8 httpd updates

Posted: 2020/05/31 06:00:25
by kluch
Hi, I had the same situation with Nessus. Solution was to set "ServerTokens Prod" in Apache conf (scanner probably read useless Apache banner).

Re: Centos 8 httpd updates

Posted: 2020/06/03 14:58:59
by ny_infra_user1
Thank you for the tip.

We will test that on our DEV/TEST servers first and see if it makes a difference.

Re: Centos 8 httpd updates

Posted: 2020/11/06 08:59:10
by dfg333
Same problem in Nov 2020, on CentOS 8.

$ sudo yum install httpd
Last metadata expiration check: 1:58:49 ago on Fri 06 Nov 2020 02:38:55 PM.
Package httpd-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!

$ httpd -v
Server version: Apache/2.4.37 (centos)
Server built:   Sep 15 2020 15:41:16

But site checkers like https://sitecheck.sucuri.net/ say:
Outdated Software Detected : Apache under 2.4.44

Re: Centos 8 httpd updates

Posted: 2020/11/06 18:01:46
by TrevorH
Try reading the other answers in this thread which already contain solutions or explanations.

Re: Centos 8 httpd updates

Posted: 2020/11/06 18:03:06
by tunk
Please reread Trevor's reply above, in particular the link.

Re: Centos 8 httpd updates

Posted: 2020/12/08 17:03:21
by Tiraflo
Dear all, dear TrevorH,

Thank you for this complete explanation.

I'm currently struggling with vulnerabilities for the same version (2.4.37; the latest available one for CentOS 8). One of those is named CVE-2018-17189.
CVE-2018-17189 is not mentioned in the changelog. I guess it simply means the related fix has not been backported.
In this situation, what else can I do to solve the security issue?

Thank you and regards.