Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: How to force Ubuntu to upgrade Apache to 2.2.17

  1. #1
    Join Date
    Jan 2011
    Beans
    7

    How to force Ubuntu to upgrade Apache to 2.2.17

    I have a PCI compliance notice sitting here telling me to upgrade to Apache 2.2.17. Thing is, Ubuntu is quite happy sitting on 2.2.16 (Ubuntu).

    I understand that the Ubuntu folks' reasoning in rolling security updates back to 2.2.16, but I need to get an automated scan to shut up.

    How do I do this?

  2. #2
    Join Date
    Mar 2008
    Location
    Indore, India
    Beans
    233
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: How to force Ubuntu to upgrade Apache to 2.2.17

    what ubuntu version you are using

  3. #3
    Join Date
    Jun 2007
    Location
    Houghton, MI
    Beans
    453
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: How to force Ubuntu to upgrade Apache to 2.2.17

    Quote Originally Posted by mrhuhk View Post
    I have a PCI compliance notice sitting here telling me to upgrade to Apache 2.2.17. Thing is, Ubuntu is quite happy sitting on 2.2.16 (Ubuntu).

    I understand that the Ubuntu folks' reasoning in rolling security updates back to 2.2.16, but I need to get an automated scan to shut up.

    How do I do this?
    How is the scan obtaining the version number? If it's just scanning your website, you could change apache settings so instead of sending out the version number it just says apache.

    http://httpd.apache.org/docs/2.0/mod...l#servertokens
    Ubuntu 14.04 Server
    -Linode 1GB
    Lubuntu 14.04 Laptop
    -Toshiba Satellite A505-6005, 250GB hdd / 250GB hdd (partitioned), Intel i3, 4.00 GB ram

  4. #4
    Join Date
    Jan 2011
    Beans
    7

    Re: How to force Ubuntu to upgrade Apache to 2.2.17

    Quote Originally Posted by sj1410 View Post
    what ubuntu version you are using
    10.10 server

  5. #5
    Join Date
    Jan 2011
    Beans
    7

    Re: How to force Ubuntu to upgrade Apache to 2.2.17

    Quote Originally Posted by Thirtysixway View Post
    How is the scan obtaining the version number? If it's just scanning your website, you could change apache settings so instead of sending out the version number it just says apache.

    http://httpd.apache.org/docs/2.0/mod...l#servertokens
    I don't know how kosher that is. But, I may have to look into it.

  6. #6
    Join Date
    Dec 2006
    Location
    Finland
    Beans
    859
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: How to force Ubuntu to upgrade Apache to 2.2.17

    Hi,

    It might you check serverTokens directive
    http://httpd.apache.org/docs/current...l#servertokens
    Regards,
    Jari

  7. #7
    Join Date
    Jun 2007
    Location
    Houghton, MI
    Beans
    453
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: How to force Ubuntu to upgrade Apache to 2.2.17

    Quote Originally Posted by mrhuhk View Post
    I don't know how kosher that is. But, I may have to look into it.
    It's a perfectly normal apache setting to change. A lot of major websites will switch it to only say Apache as keep people from knowning their exact versions etc.
    Ubuntu 14.04 Server
    -Linode 1GB
    Lubuntu 14.04 Laptop
    -Toshiba Satellite A505-6005, 250GB hdd / 250GB hdd (partitioned), Intel i3, 4.00 GB ram

  8. #8
    Join Date
    Sep 2007
    Beans
    36

    Re: How to force Ubuntu to upgrade Apache to 2.2.17

    So is there actually a way to force Ubuntu to upgrade Apache to 2.2.19 ??

    Is there a repository to add because "apt-get install apache" says I am up to date but I have v 2.2.14 and I would like to move to 2.2.19 for various reasons.

  9. #9
    Join Date
    Oct 2011
    Beans
    3

    Re: How to force Ubuntu to upgrade Apache to 2.2.17

    Anyone? I mean, this is really an important issue. With the DDoS vulnerability in apache, how is this not a priority?? Security updates should be released quickly.

  10. #10
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,771
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: How to force Ubuntu to upgrade Apache to 2.2.17

    There are multiple workarounds with out updating. I know I have posted several on this forum. There are also numerous solutions on the web available. Try googling it I can't post links ATM as I am on my phone.

    Also it's not a DDoS just a DoS and security vulnerabilities are important however due to the fact it is a DoS and does not allow arbitrary code execution it is not going to be a top priority particularly considering it is very easy to control range header requests.

    Edit : wow this is an old thread and not even related to CVE-2011-3192. Ugh to the OP the correct answer is don't hire compliance auditors that only use automated scanning tools.
    Last edited by Dangertux; October 2nd, 2011 at 09:12 PM.

Page 1 of 2 12 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •