[ubuntu] How to force Ubuntu to upgrade Apache to 2.2.17

mrhuhk
January 11th, 2011, 09:07 AM
I have a PCI compliance notice sitting here telling me to upgrade to Apache 2.2.17. Thing is, Ubuntu is quite happy sitting on 2.2.16 (Ubuntu).

I understand the Ubuntu folks' reasoning in rolling security updates back to 2.2.16, but I need to get an automated scan to shut up.

How do I do this?

sj1410
January 11th, 2011, 09:49 AM
What Ubuntu version are you using?

Thirtysixway
January 11th, 2011, 04:57 PM
I have a PCI compliance notice sitting here telling me to upgrade to Apache 2.2.17. Thing is, Ubuntu is quite happy sitting on 2.2.16 (Ubuntu).

I understand the Ubuntu folks' reasoning in rolling security updates back to 2.2.16, but I need to get an automated scan to shut up.

How do I do this?

How is the scan obtaining the version number? If it's just scanning your website, you could change Apache settings so that instead of sending out the version number it just says Apache.

http://httpd.apache.org/docs/2.0/mod/core.html#servertokens

mrhuhk
January 14th, 2011, 06:31 AM
What Ubuntu version are you using?

10.10 server

mrhuhk
January 14th, 2011, 06:32 AM
How is the scan obtaining the version number? If it's just scanning your website, you could change apache settings so instead of sending out the version number it just says apache.

http://httpd.apache.org/docs/2.0/mod/core.html#servertokens

I don't know how kosher that is, but I may have to look into it.

Waappu
January 15th, 2011, 02:15 PM
Hi,

You might check the ServerTokens directive:
http://httpd.apache.org/docs/current/mod/core.html#servertokens

Thirtysixway
January 15th, 2011, 07:25 PM
I don't know how kosher that is, but I may have to look into it.

It's a perfectly normal Apache setting to change. A lot of major websites will switch it to only say Apache to keep people from knowing their exact versions, etc.

ravingmad
August 29th, 2011, 03:17 PM
So is there actually a way to force Ubuntu to upgrade Apache to 2.2.19?

Is there a repository to add? "apt-get install apache" says I am up to date, but I have v2.2.14 and I would like to move to 2.2.19 for various reasons.

DanielDan
October 2nd, 2011, 08:28 PM
Anyone? I mean, this is really an important issue. With the DDoS vulnerability in Apache, how is this not a priority? Security updates should be released quickly.

Dangertux
October 2nd, 2011, 09:09 PM
There are multiple workarounds without updating. I know I have posted several on this forum. There are also numerous solutions available on the web. Try googling it; I can't post links ATM as I am on my phone.

Also, it's not a DDoS, just a DoS. Security vulnerabilities are important; however, since it is a DoS and does not allow arbitrary code execution, it is not going to be a top priority, particularly considering it is very easy to control Range header requests.

Edit: wow, this is an old thread and not even related to CVE-2011-3192. Ugh. To the OP: the correct answer is don't hire compliance auditors that only use automated scanning tools.

DanielDan
October 3rd, 2011, 05:11 AM
Thanks Dangertux. I've been googling and that's what led me here. I'll search around for your previous posts. Cool blog btw. Interesting stuff.

Dangertux
October 3rd, 2011, 06:04 AM
Thanks Dangertux. I've been googling and that's what led me here. I'll search around for your previous posts. Cool blog btw. Interesting stuff.

Thanks -- I'm glad you like it. I should really reblog the 3 majorly accepted workarounds since I always go looking for them, but here is one that works as well.

https://bechtsoudis.com/hacking/use-mod_rewrite-to-protect-from-apache-killer/

SeijiSensei
October 3rd, 2011, 06:37 AM
2.2.14-5ubuntu8.6 (https://launchpad.net/ubuntu/+source/apache2/2.2.14-5ubuntu8.6) for Lucid contains the patch for the range exploit. If you've updated recently and have that version, you should be protected.

I'm still using the "SetEnvIf Range" method that the Apache Foundation described (http://httpd.apache.org/security/CVE-2011-3192.txt) while they were developing the patch. I don't stream video or other large files where byte ranges matter.

See also http://www.ubuntu.com/usn/USN-1199-1/.
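
The two Range-header filters discussed in the last few posts (the mod_rewrite approach in the page Dangertux linked, and the "SetEnvIf Range" approach from the Apache Foundation's CVE-2011-3192 advisory that SeijiSensei mentions) mirrored in Python, as an added example that is not from this thread, from that blog, or from the Apache project. The two regular expressions are transcribed from memory of the advisory's workarounds, so verify them against http://httpd.apache.org/security/CVE-2011-3192.txt before deploying; the sample Range headers are constructed for the example, not captured traffic. It shows what each rule does to a normal resume request, to legitimate multi-range requests of five and six ranges, to a missing header, and to a request of the shape the 2011 "Apache Killer" script sent.

```python
import re

# CVE-2011-3192 ("Apache Killer") Range-header workarounds, mirrored in Python.
# Both regular expressions are transcribed from memory of the Apache
# Foundation's advisory (http://httpd.apache.org/security/CVE-2011-3192.txt);
# check them against the advisory text before relying on either rule.

# SetEnvIf form:
#     SetEnvIf Range (?:,.*?){5,5} bad-range=1
#     RequestHeader unset Range env=bad-range
# SetEnvIf does an unanchored search, so bad-range is set whenever the header
# contains at least five commas, i.e. six or more byte ranges. Apache then
# serves the whole resource (200) instead of the requested parts.
SETENVIF_BAD_RANGE = re.compile(r"(?:,.*?){5,5}")

# mod_rewrite form:
#     RewriteCond %{HTTP:range} !(bytes=[^,]+(,[^,]+){0,4}$|^$)
#     RewriteRule .* - [F]
# The condition is negated: the request is forbidden (403) unless the header
# is absent/empty or is a "bytes=" header carrying one to five ranges.
REWRITE_OK_RANGE = re.compile(r"bytes=[^,]+(,[^,]+){0,4}$|^$")


def setenvif_drops_range(range_header):
    """True when the SetEnvIf rule would strip the Range header."""
    return SETENVIF_BAD_RANGE.search(range_header) is not None


def rewrite_forbids_request(range_header):
    """True when the RewriteCond/RewriteRule pair would answer 403."""
    # RewriteCond matches with an unanchored search; the "!" in the directive
    # negates the result, so a non-match means the rule fires.
    return REWRITE_OK_RANGE.search(range_header) is None


def count_ranges(range_header):
    """Number of comma-separated range specs after the unit (0 if no header)."""
    if "=" not in range_header:
        return 0
    return len([r for r in range_header.split("=", 1)[1].split(",") if r.strip()])


def apache_killer_range(n):
    """Constructed header of the shape the 2011 'Apache Killer' script sent:
    one open-ended range followed by n overlapping ranges in a single request."""
    return "bytes=0-," + ",".join("5-%d" % i for i in range(1, n + 1))


# Constructed sample headers for the example (not captured traffic).
SAMPLE_HEADERS = {
    "resume_download": "bytes=1024-",         # one range: what wget/browsers send
    "two_ranges": "bytes=0-99,200-299",       # legitimate multi-range request
    "five_ranges": "bytes=0-9,10-19,20-29,30-39,40-49",
    "six_ranges": "bytes=0-9,10-19,20-29,30-39,40-49,50-59",
    "no_range_header": "",                    # %{HTTP:range} expands to ""
    "non_bytes_unit": "items=0-5",            # a unit Apache does not serve anyway
    "apache_killer": apache_killer_range(1300),
}


def evaluate(headers=SAMPLE_HEADERS):
    """Apply both rules to each header; returns {name: {...}} for inspection."""
    return {
        name: {
            "ranges": count_ranges(h),
            "setenvif_drops": setenvif_drops_range(h),
            "rewrite_forbids": rewrite_forbids_request(h),
        }
        for name, h in headers.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print("%-16s ranges=%-5d setenvif_drops=%-5s rewrite_forbids=%s"
              % (name, result["ranges"], result["setenvif_drops"],
                 result["rewrite_forbids"]))
```

Two things the table makes visible that the directives alone do not: both rules cut off at the same point (a sixth range), so a legitimate client that really does send six or more ranges is affected either way, which is why it matters whether you serve large files where byte ranges are used; and the rewrite form also rejects any non-"bytes" range unit, while the SetEnvIf form leaves it alone. Applying the distribution's patched package, as SeijiSensei notes, removes the need for either workaround.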

mmazing
April 24th, 2013, 01:25 AM
I love how nobody here has given anything resembling an answer to the original question as it was asked.

If someone wants to upgrade Apache to 2.2.17, they probably have a specific reason for doing so. Saying "well, just trick the scan site into thinking it's a proper version" isn't an answer. Saying that you shouldn't bother to upgrade Apache isn't an answer.

This thread is a waste of time for anyone trying to upgrade Apache for whatever reason they want to.

CharlesA
April 24th, 2013, 06:18 AM
I love how nobody here has given anything resembling an answer to the original question as it was asked.

If someone wants to upgrade Apache to 2.2.17, they probably have a specific reason for doing so. Saying "well, just trick the scan site into thinking it's a proper version" isn't an answer. Saying that you shouldn't bother to upgrade Apache isn't an answer.

This thread is a waste of time for anyone trying to upgrade Apache for whatever reason they want to.

No suggestions on how to upgrade Apache then?

The answer to the OP's question is here:

Edit: wow, this is an old thread and not even related to CVE-2011-3192. Ugh. To the OP: the correct answer is don't hire compliance auditors that only use automated scanning tools.

That being said, the thread is from 2011 and was regarding Ubuntu 10.10, which is End of Life.