
Thread: How to force Ubuntu to upgrade Apache to 2.2.17

  1. #1
    Join Date
    Jan 2011
    Beans
    7

    How to force Ubuntu to upgrade Apache to 2.2.17

    I have a PCI compliance notice sitting here telling me to upgrade to Apache 2.2.17. Thing is, Ubuntu is quite happy sitting on 2.2.16 (Ubuntu).

    I understand the Ubuntu folks' reasoning in rolling security updates back to 2.2.16, but I need to get an automated scan to shut up.

    How do I do this?

  2. #2
    Join Date
    Mar 2008
    Location
    Indore, India
    Beans
    233
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: How to force Ubuntu to upgrade Apache to 2.2.17

    What Ubuntu version are you using?

  3. #3
    Join Date
    Jun 2007
    Location
    Michigan, USA
    Beans
    465

    Re: How to force Ubuntu to upgrade Apache to 2.2.17

    Quote Originally Posted by mrhuhk View Post
    I have a PCI compliance notice sitting here telling me to upgrade to Apache 2.2.17. Thing is, Ubuntu is quite happy sitting on 2.2.16 (Ubuntu).

    I understand the Ubuntu folks' reasoning in rolling security updates back to 2.2.16, but I need to get an automated scan to shut up.

    How do I do this?
    How is the scan obtaining the version number? If it's just scanning your website, you could change Apache settings so instead of sending out the version number it just says Apache.

    http://httpd.apache.org/docs/2.0/mod...l#servertokens
    Ubuntu 14.04 Server
    -Linode 1GB
    Ubuntu Mate 16.04 Laptop
    -Toshiba Satellite A505-6005, Intel i3, 4.00 GB ram

  4. #4
    Join Date
    Jan 2011
    Beans
    7

    Re: How to force Ubuntu to upgrade Apache to 2.2.17

    Quote Originally Posted by sj1410 View Post
    What Ubuntu version are you using?
    10.10 server

  5. #5
    Join Date
    Jan 2011
    Beans
    7

    Re: How to force Ubuntu to upgrade Apache to 2.2.17

    Quote Originally Posted by Thirtysixway View Post
    How is the scan obtaining the version number? If it's just scanning your website, you could change Apache settings so instead of sending out the version number it just says Apache.

    http://httpd.apache.org/docs/2.0/mod...l#servertokens
    I don't know how kosher that is. But, I may have to look into it.

  6. #6
    Join Date
    Dec 2006
    Location
    Finland
    Beans
    859
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: How to force Ubuntu to upgrade Apache to 2.2.17

    Hi,

    You might check the ServerTokens directive:
    http://httpd.apache.org/docs/current...l#servertokens
    Regards,
    Jari

  7. #7
    Join Date
    Jun 2007
    Location
    Michigan, USA
    Beans
    465

    Re: How to force Ubuntu to upgrade Apache to 2.2.17

    Quote Originally Posted by mrhuhk View Post
    I don't know how kosher that is. But, I may have to look into it.
    It's a perfectly normal Apache setting to change. A lot of major websites will switch it to only say Apache to keep people from knowing their exact versions, etc.
    Ubuntu 14.04 Server
    -Linode 1GB
    Ubuntu Mate 16.04 Laptop
    -Toshiba Satellite A505-6005, Intel i3, 4.00 GB ram
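
Added example (not part of any post in this thread): a POSIX shell check for the ServerTokens change discussed in posts #3 to #7. It reads the `Server` header that a banner-based scan sees and reports which ServerTokens level produces that shape; the function names and the sample response headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which ServerTokens level produces a given Server banner.
# Function names and sample headers are constructed, not from the thread.

# Extract the Server header value from raw HTTP response headers on stdin.
server_header() {
    tr -d '\r' | awk 'tolower($1) == "server:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# True if string $1 matches extended regex $2.
matches() { printf '%s\n' "$1" | grep -Eq "$2"; }

# Map a banner to the ServerTokens level that emits that shape.
classify_banner() {
    if   [ -z "$1" ]; then echo none
    elif matches "$1" '^Apache$'; then echo Prod
    elif matches "$1" '^Apache/[0-9]+$'; then echo Major
    elif matches "$1" '^Apache/[0-9]+\.[0-9]+$'; then echo Minor
    elif matches "$1" '^Apache/[0-9]+\.[0-9]+\.[0-9]+$'; then echo Min
    elif matches "$1" '^Apache/[0-9]+\.[0-9]+\.[0-9]+ \([^)]*\)$'; then echo OS
    elif matches "$1" '^Apache/[0-9]+\.[0-9]+\.[0-9]+ \([^)]*\) .+'; then echo Full
    else echo unknown
    fi
}

# Succeeds when the banner carries a full x.y.z version (levels Min, OS, Full).
discloses_version() {
    case "$(classify_banner "$1")" in
        Min|OS|Full) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed headers: the banner from post #1, then the same server with "ServerTokens Prod".
SAMPLE_BEFORE='HTTP/1.1 200 OK
Server: Apache/2.2.16 (Ubuntu)
Content-Type: text/html'
SAMPLE_AFTER='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

for sample in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    banner=$(printf '%s\n' "$sample" | server_header)
    if discloses_version "$banner"; then state="exact version exposed"; else state="no exact version"; fi
    printf '%-24s ServerTokens %-5s %s\n' "$banner" "$(classify_banner "$banner")" "$state"
done
```

Against a live host, pipe the output of `curl -sI http://localhost/` into `server_header` instead of the samples. The banner only changes what is reported; it says nothing about which security fixes the distribution has backported into the installed package.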

  8. #8
    Join Date
    Sep 2007
    Beans
    37

    Re: How to force Ubuntu to upgrade Apache to 2.2.17

    So is there actually a way to force Ubuntu to upgrade Apache to 2.2.19?

    Is there a repository to add because "apt-get install apache" says I am up to date but I have v 2.2.14 and I would like to move to 2.2.19 for various reasons.

  9. #9
    Join Date
    Oct 2011
    Beans
    3

    Re: How to force Ubuntu to upgrade Apache to 2.2.17

    Anyone? I mean, this is really an important issue. With the DDoS vulnerability in Apache, how is this not a priority? Security updates should be released quickly.

  10. #10
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,769
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: How to force Ubuntu to upgrade Apache to 2.2.17

    There are multiple workarounds without updating. I know I have posted several on this forum. There are also numerous solutions available on the web. Try googling it; I can't post links ATM as I am on my phone.

    Also, it's not a DDoS, just a DoS. Security vulnerabilities are important; however, because it is a DoS and does not allow arbitrary code execution, it is not going to be a top priority, particularly considering it is very easy to control range header requests.

    Edit: wow, this is an old thread and not even related to CVE-2011-3192. Ugh. To the OP: the correct answer is don't hire compliance auditors that only use automated scanning tools.
    Last edited by Dangertux; October 2nd, 2011 at 09:12 PM.
