Hello,
I'd like to update apache to the latest stable version 2.4.25 (released 2016-12-20).
Apt tells me that apache is already at the latest version. However, currently I only have Apache 2.4.10 installed. Afaik there are some vulnerabilities prior to 2.4.16 that I'd like to avoid.
My sources.list:
main sourcesdeb http://debian.intergenia.de/debian/ jessie main contrib non-free deb-src http://debian.intergenia.de/debian/ jessie main contrib non-free
deb http://httpredir.debian.org/debian jessie main deb-src http://httpredir.debian.org/debian jessie main
deb http://httpredir.debian.org/debian jessie-updates main deb-src http://httpredir.debian.org/debian jessie-updates main
securitydeb http://debian.intergenia.de/debian-security/ jessie/updates main contrib non-free deb-src http://debian.intergenia.de/debian-security/ jessie/updates main contrib non-free
deb http://security.debian.org/ jessie/updates main deb-src http://security.debian.org/ jessie/updates main
deb http://software.virtualmin.com/gpl/debian/ virtualmin-jessie main
Running Debian 8 Jessie on Linux 3.16.0-4-amd64
Thanks for any tips.
Apache 2.4.10 is default version for Debian 8. Now not sure with Debain but i suspect it should be the same as for Centos, so all patches will be backported to your version. In case you really need 2.4.25 (but why?) then you must uninstall current version and install the one you want. Just pay attention - in most cases it will not work "out of the box" and you can expect a lot of problems.
You should really read and learn before you start any change or pursuing some magical version numbers.
For example: https://www.debian.org/News/2016/20160917
- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
Hi, thanks for the reply.
As far as I know apache versions prior to 2.4.16 allow distributed denial of service attacks over the mod_lua module. Same vulnerabilities can be found in the red_request and apt_some_auth_required functions. Additionally versions prior to 2.4.12 allow attackers to crash the daemon with a handle_readers vulnerability when FastCGI is used. There are some more vulnerabilities that would, however, not affect my server so I didn't pursue them.
source: http://httpd.apache.org/security/vulnerabilities_24.html
I thought security updates would always be included in the Debian security repo.
I guess I'll stay with 2.4.10 then.
They will, like i said all patches and bug-fixes will be backported to 2.4.10. So as long as you have Debian 8 your Apache version will most likely not change, but will be updated with all patches against all bugs and vulnerabilities. This is done to get stable OS where software version will not (often) upgrade, otherwise with every change you would get even more bugs or exploits to patch.
You cant just read something and automatically apply as fact. First you should learn about your OS and then see if some suggestions can apply to your situation or not.
- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
Oh, I see. Thanks for the post. Good to know
Howdy,
Yeah as Diabolico mentioned distro's backport fixes into the software versions they ship. For stability reasons, they don't make major version changes to their software.
What you may want to do, is look for the "CVE" number associated with the vulnerability you wish to look into, and then just Google it. For example, looking at the security list you mentioned, mod_lua has a vulnerability there described as "mod_lua: Crash in websockets PING handling". The CVE number for that is "CVE-2015-0228".
If you were to Google "debian CVE-2015-0228", that brings up this Debian report showing that it's been corrected:
https://security-tracker.debian.org/tracker/CVE-2015-0228
Hopefully that helps!
-Eric