
Centos 8 httpd updates

Posted: 2020/05/22 12:33:45
by ny_infra_user1
The latest version of Apache httpd for Centos 8 I can find is 2.4.37 from the Centos 8 AppStream Repository, unless I download the source code direct from Apache and compile. I understand self-compiled versions are not recommended.

This version is showing a number of vulnerabilities when being scanned by our vulnerability scanner.

Anyone any ideas of when a later version is due to come out for Centos 8, or if there are any other repositories out there with a later version for Centos 8?

Re: Centos 8 httpd updates

Posted: 2020/05/22 12:59:01
by jlehtone
CentOS 8 has httpd-2.4.37-16.module_el8.1.0+256+ae790463
RHEL 8.2 has httpd-2.4.37-21.module+el8.2.0+5008+cca404a3 (or later).

CentOS is derived from RHEL.
CentOS 8.0-1905 was released 140 days after RHEL 8.0
CentOS 8.1-1911 was released 71 days after RHEL 8.1
CentOS 8.2-2004 will be released when it is ready, and packages can be expected in CR repo of CentOS 8.1-1911 well before that.

Re: Centos 8 httpd updates

Posted: 2020/05/22 13:14:44
by TrevorH
You cannot judge the security of the CentOS package based only on its version number as Red Hat backport security fixes to their versions. Check the output from rpm -q --changelog httpd | less to see what CVEs have been fixed. And see https://access.redhat.com/security/updates/backporting for more information on how security patching works in RHEL/CentOS.
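
Added example, not part of the original posts: a shell check that compares the CVE ids a scanner reports against the ids mentioned in the package changelog, so each finding can be marked as backported or left for review. The function names `changelog_cves` and `triage_cves` are hypothetical, and the sample changelog and CVE ids are constructed placeholders, not real httpd entries.

```shell
#!/bin/sh
# Added example: compare scanner-flagged CVEs with the CVEs that the
# installed package's changelog says were fixed (backported).

# Print each unique CVE id found in changelog text on stdin.
changelog_cves() {
    grep -Eo 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# triage_cves "<space-separated flagged ids>"; changelog text on stdin.
# Prints "<id> backported" when the changelog mentions the id, otherwise
# "<id> needs-review" (not in the changelog: unfixed, or not applicable
# to this build; check the vendor advisory for that id).
triage_cves() {
    fixed=$(changelog_cves)
    for id in $1; do
        # -x matches the whole line, so an id never matches a longer id.
        if printf '%s\n' "$fixed" | grep -qxF "$id"; then
            echo "$id backported"
        else
            echo "$id needs-review"
        fi
    done
}

# Constructed sample in rpm changelog layout; all ids are placeholders.
SAMPLE_CHANGELOG='* Thu Jan 01 2099 Example Packager <pkg@example.invalid> - 2.4.37-99
- Resolves: #0000001 - CVE-2099-0001 httpd: constructed entry one
- Resolves: #0000002 - CVE-2099-0002 CVE-2099-0003 httpd: constructed entry two

* Mon Dec 01 2098 Example Packager <pkg@example.invalid> - 2.4.37-98
- fix a constructed non-security bug
- Resolves: #0000003 - CVE-2099-0001 httpd: follow-up fix'

# Constructed list of ids a scanner might report from the banner version.
SAMPLE_FLAGGED='CVE-2099-0001 CVE-2099-0003 CVE-2099-0042'

# Demo on the sample. On a real host the input would be:
#   rpm -q --changelog httpd | triage_cves "$flagged_ids"
printf '%s\n' "$SAMPLE_CHANGELOG" | triage_cves "$SAMPLE_FLAGGED"
```

The "backported" lines are the evidence to attach to the scanner finding; a "needs-review" id still has to be checked against the vendor's advisory for that CVE.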

Re: Centos 8 httpd updates

Posted: 2020/05/22 14:13:41
by ny_infra_user1
Thanks for your replies, I have been trying to prove that I have the latest version of httpd on the servers as I have updated them from the AppStream Repository Mirrors, but the vulnerability scanner is reporting issues and my manager keeps coming back to me every time he sees it to ask if I can fix them & get a later version.

I have said on several occasions that I have the up to date version, but wanted to ensure I am correct.

The scanner must be just checking the version no. and saying it needs to be updated, but I want to ensure I definitely have the latest version available for Centos 8. Hopefully the output from rpm -q --changelog httpd | less, will help me prove the point.

Many thanks guys.

Re: Centos 8 httpd updates

Posted: 2020/05/31 06:00:25
by kluch
Hi, I had the same situation with Nessus. Solution was to set "ServerTokens Prod" in Apache conf (scanner probably read useless Apache banner).

Re: Centos 8 httpd updates

Posted: 2020/06/03 14:58:59
by ny_infra_user1
Thank you for the tip.

We will test that on our DEV/TEST servers first and see if it makes a difference.