How to upgrade Apache from 2.2.3 to 2.2.21
Using YUM I installed Apache. The installed Apache version is 2.2.3.
Our security guy wants us to use Apache 2.2.21.
When I try yum update httpd nothing happens: "No Packages marked for Update".
I checked the Apache home page (http://www.apache.org/dist/httpd/patches/) regarding patches. Based on their written instructions I tried to install the 2.2.4 patch (http://www.apache.org/dist/httpd/patches/apply_to_2.2.4/):
patch -s < /usr/local/src/hack-msvc8-httpd-2.2.4.patch
And I got this message:
The text leading up to this was:
|###
|### A trivial hack to copy the .manifest files along with the binaries
|### when building from the command line on Visual Studio 2005
|###
|### Courtesy of Gustavo Lopes
|### Posted to [email protected],
|### Message-ID: <006901c731ae$97bec180$0201a8c0@cataphract>
|###
|--- Makefile.win.orig 2006-12-07 11:09:37.000000000 -0600
|+++ Makefile.win 2007-01-08 23:55:56.000000000 -0600
File to patch:
What am I doing incorrectly? Why can I not update Apache to version 2.2.21?
In order to run 2.2.x you would either need to source another RPM or build it from source.
I would suspect however since you are running 2.2.3 that you are running RedHat Enterprise Linux 5 or one of its derivatives (CentOS 5 etc). You will find that a sizeable number of penetration testing companies or security officers don't take into account that whilst you are running 2.2.3 you have actually got security fixes from later revisions of Apache.
This is known as 'backporting'. RedHat has a good description here. I would suggest requesting from your security persons the specific CVEs that they are interested in ensuring are patched, and then use this redhat tool to identify if these are fixed in the version of Apache that you are running. You can get the version number by performing rpm -qa httpd.
I assume you have RHEL5 (or the equivalent).
You can tell the security guy that Red Hat applies the relevant security updates from 2.2.21 to its 2.2.3 package, but doesn't change the base version number. It will (if you're just going by package version number) look like you're running the older Apache, but you will in fact be as secure as 2.2.21. That's sort of the point of long-lived enterprise distributions: you get consistency, as well as fixes.
You can verify this by running something like:
rpm -q --changelog httpd
For example, you'll see this recent fix in the changelog:
* Thu Oct 06 2011 Joe Orton <[email protected]> - 2.2.3-53.3
- add security fix for CVE-2011-3368 (#743903)
- fix regressions in byterange handling (#736593)
If you really, really need to install 2.2.21, you can compile it yourself. This will have its own bad security implications: if someone finds and fixes a new problem with Apache next week, Red Hat will backport that fix and make it available through yum, but your own self-built Apache will not have that fix, and you'll have to go through the whole process again to build and install a new Apache.
To build a custom Apache on Red Hat (or CentOS) directly from upstream, you should do the following:
- Install the following tools: "yum install rpm-devel rpmdevtools rpm-build"
- As a regular user, run rpmdev-setuptree. It will create a directory called "rpmbuild".
- cd to ~/rpmbuild/SOURCE and download into that directory the Apache source tarball from httpd.apache.org.
- Extract from that tarball the file "httpd.spec" and copy it into ~/rpmbuild/SPECS
- Run "rpmbuild -bb httpd.spec" and it will start compiling and build the rpms. If there are any missing dependencies, it will halt and tell you. At that point, install those packages via yum and restart the build process (you can avoid this by looking at the BuildPrereq line in the .spec file). Otherwise, assuming no further issues, you will be able to compile your own build of Apache.*
Or save yourself the work and let Red Hat handle the updates. I do not recommend you do this unless there is a specific need for an upstream build that absolutely cannot be satisfied by a vendor build.
*Note: Under Red Hat 6, distcache is no longer supported, so you will need to remove "--enable-distcache" from the .spec file.
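The check the two answers above describe (ask for the specific CVEs, then confirm they are named in the backported package's changelog rather than trusting the 2.2.3 version string) can be scripted. The following is an added example, not code from either answer or from Red Hat. It assumes the Red Hat changelog convention that each entry header ends with "- <version-release>", as in the entry quoted above. The changelog sample is constructed for offline use: the CVE-2011-3368 entry mirrors the one quoted in the answer (with the maintainer's e-mail replaced by a placeholder), and CVE-2011-9999 is a placeholder id used only to show the "not fixed" path.

```shell
#!/bin/sh
# Added example: decide whether a backported RHEL httpd package already
# carries the fix for a given CVE by scanning the package changelog.
# On a real host, feed the live changelog instead of the sample:
#   rpm -q --changelog httpd | cve_fix_release CVE-2011-3368

# Constructed sample changelog. Header lines follow the Red Hat layout,
# "* <date> <packager> <email> - <version-release>" (assumption), and the
# e-mail is a placeholder.
SAMPLE_CHANGELOG='* Thu Oct 06 2011 Joe Orton <email-redacted> - 2.2.3-53.3
- add security fix for CVE-2011-3368 (#743903)
- fix regressions in byterange handling (#736593)
'

# cve_fixed CVE-YYYY-NNNN  (changelog on stdin)
# Exit 0 if the CVE id appears in the changelog, 1 if not, 2 on a bad id.
# The id is matched as a whole token so CVE-2011-3368 does not match a
# hypothetical CVE-2011-33681.
cve_fixed() {
    cve=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    case "$cve" in
        CVE-[0-9][0-9][0-9][0-9]-[0-9]*) ;;
        *) echo "invalid CVE id: $1" >&2; return 2 ;;
    esac
    grep -Eq "(^|[^0-9])$cve([^0-9]|$)"
}

# cve_fix_release CVE-YYYY-NNNN  (changelog on stdin)
# Prints the version-release of the first changelog entry that names the
# CVE (e.g. 2.2.3-53.3) and exits 0; exits 1 if no entry names it.
cve_fix_release() {
    cve=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    awk -v cve="$cve" '
        /^\* / { rel = $NF; next }                 # header: last field is EVR
        (" " $0 " ") ~ ("[^0-9]" cve "[^0-9]") {   # whole-token CVE match
            print rel; found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# Demonstration on the constructed sample (runs offline).
main() {
    for id in CVE-2011-3368 CVE-2011-9999; do
        if rel=$(printf '%s' "$SAMPLE_CHANGELOG" | cve_fix_release "$id"); then
            echo "$id: fixed in httpd $rel"
        else
            echo "$id: no backported fix recorded in this changelog"
        fi
    done
}
main
```

Compare the printed version-release against "rpm -q httpd" on the host: if the installed release is at or above the one that names the CVE, the fix is present even though the base version still reads 2.2.3. A CVE that is absent from the changelog is not proof of vulnerability (the code may never have been affected), so follow up with the Red Hat CVE page referenced in the first answer before escalating.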
The patch you've tried to apply is for building with Microsoft Visual Studio. The clue is in the header of the patch:
### A trivial hack to copy the .manifest files along with the binaries
### when building from the command line on Visual Studio 2005
This doesn't actually patch an Apache source tree to 2.2.4. But were you actually trying to apply this to the SRPM?
As cjc mentions, Red Hat backports security fixes to whatever version they ship, but the version number doesn't necessarily get bumped. And again, you can always compile Apache yourself.