I'm using Karaf 4.2.3 over JDK 1.8. I had run a Black Duck scan, and it is pointing to Apache ActiveMQ 5.15.9 with some vulnerabilities, one of them critical. I'd like to know if it is possible to get this updated to the recommended version, which is 5.17.1. If you have some advice, it'd be highly appreciated. I'd like to point out that in the current project I'm not really using ActiveMQ.
ActiveMQ 5.17.1 requires Java 11 so you won't be able to use that. You should upgrade to ActiveMQ 5.16.5 instead. It's the latest version which supports Java 8. That said, if you're not using ActiveMQ in your project then the simplest (and most secure) thing you can do is just remove it.
Currently, we are planning to upgrade our complete web-server node in production.
Platform is RHEL 7.1 and currently apache 2.4.6 is running there.
I also got to know from Red Hat that apache 2.4.6 is directly shipped with RHEL 7 and that for 2.4.26 or 2.4.29 they can't comment regarding its technical feasibility or its stability on the RHEL platform.
I have a few concerns now:
Would going ahead with apache 2.4.26 or 2.4.29 in production be a good option, or should I stick with the current one? I am doubtful whether 2.4.26 or 2.4.29 have been tested on the RHEL 7 series and are technically compatible.
I tried to install apache 2.4.26 and 2.4.29 on my test bed first (which is a RHEL 7.4 platform) and I came across package dependency issues which proved to be a blocker for me. I am afraid that I might face these issues on production as well, which would be very dangerous. Have you ever faced this on your system too?
Looking out for your kind support and feedback here...!!!
Best Regards,
Looking at: httpd direct rpm download
it seems that the last supported version is httpd-2.4.6-80.el7.x86_64.rpm,
so do not try to update your production environment with unsupported software, stick to releases!
Upgrading to RHEL 7.4 seems to be a trouble-maker (as far as I heard: [source required!]).
I got no feedback about RHEL 7.5.
We are running a large amount of old EC2 instances which are based on Amazon Linux AMI 2014.09, a pretty old version.
We have recently built mod_jk on one of them so that we can front Tomcat with Apache Web Server 2.4.
We are in the process of identifying the dependencies of this mod_jk module. Can we re-use the mod_jk.so library that we just built with newer versions of the OS? We are running a large number of instances, so we would like to cut out the whole "building binaries from sources" step, so our ideal setup would be to take the current mod_jk.so binary and deploy it in all other EC2 instances.
The question is: can we safely do it? If not, when do we need to rebuild it? For example:
Do we need to rebuild it if we decide to launch EC2 instances with the latest Amazon Linux AMI, which is 3 years newer?
Do we need to rebuild it if the Apache's version is different?
Thank you in advance,
Meletis
I have a couple of precompiled mod_jk's in order to avoid just these cases. As per my own experience, I must recompile it in these scenarios:
Different Apache version (2.2/2.4)
Apache 32/64bits
As I stated before, according to this, you should have no more than 4 built mod_jk binaries to choose the right one from.
I could not tell you whether this is a best practice (probably not), but I have used this already-built mod_jk in different Linux distributions and versions of Fedora, CentOS, Red Hat and Debian.
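The answer above selects a prebuilt binary by Apache major.minor version and bitness. The following shell example, added here and not part of the thread, reads exactly those two properties from the text that `httpd -V` prints and maps them to an assumed file name under an assumed directory; the sample `httpd -V` output is constructed for offline testing.

```shell
# Added example, not from the thread: pick a prebuilt mod_jk.so by the two
# properties the answer says force a rebuild (Apache major.minor, 32/64-bit),
# parsed from `httpd -V` output. The /opt/modjk layout is an assumption.

# Constructed sample of `httpd -V` output (only the lines we parse matter).
SAMPLE_HTTPD_V='Server version: Apache/2.4.6 (Unix)
Server built:   Jan  1 2018 00:00:00
Architecture:   64-bit
Server MPM:     prefork'

# modjk_variant HTTPD_V_TEXT -> prints e.g. "2.4-64"; exit 1 if either field is missing
modjk_variant() {
  ver=$(printf '%s\n' "$1" | sed -n 's#^Server version: *Apache/\([0-9]*\.[0-9]*\).*#\1#p')
  bits=$(printf '%s\n' "$1" | sed -n 's#^Architecture: *\([0-9]*\)-bit.*#\1#p')
  [ -n "$ver" ] && [ -n "$bits" ] || return 1
  printf '%s-%s\n' "$ver" "$bits"
}

# modjk_path HTTPD_V_TEXT -> path of the assumed prebuilt binary for this host
modjk_path() {
  v=$(modjk_variant "$1") || return 1
  printf '/opt/modjk/mod_jk-%s.so\n' "$v"
}

# On a real host: modjk_path "$(httpd -V)"  (some distros install it as apachectl -V)
```

`httpd -V` also prints the server's Module Magic Number, which is what httpd itself compares when loading a module; a mismatch there is the reason an Apache 2.2 build of mod_jk will not load on 2.4, so checking that line as well is a reasonable extra safeguard when the version string alone is ambiguous.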
A penetration test has recently identified that one of our RHEL(6.7) servers running Apache 2.2.15 is vulnerable on a number of points and needs to be updated to the latest version 2.4. I have run yum update and it says that there are no packages marked for update. I understand that I will need to download the updates manually. There are a few questions I have around the requirement to upgrade Apache.
I am up to date on the 2.2 version tree. Does this mean that any security patches made to version 2.4 will be back patched to version 2.2.X as well?
I am running PHP (version 5.3.3) and MySQL (version 5.1.73) - will these be affected by upgrading the Apache version (Google tells me that there is no problem on both fronts - but I thought I'd ask before I started down this route).
If you experts tell me that I have no other choice but to upgrade, then I'm planning on using the instruction set here: https://unix.stackexchange.com/questions/138899/centos-install-using-yum-apache-2-4
Thank you in advance for your advice.
You could download the 2.4 source code from the Apache site and compile it. There's a setting which will configure for RedHat:
--enable-layout=RedHat
This setting will configure the paths for executables, configuration files, libraries etc. in one go.
The following should be a reasonable starting point for a configuration line:
sh ./configure --enable-layout=RedHat --enable-mods-shared=all
then perform a make and make install.
Do the same with a newer version of PHP (5.3.29 is available in the "old downloads" section, but try a newer version. Check the changes first though) and your problems should be lessened. Finally, MySQL or MariaDB is available for download and compilation too.
Obviously, try all of this on a test machine first and back everything up. Your test machine should be as close as possible to your production machine. If you use something like VirtualBox to try it, you can take a snapshot at each point of the process and roll back if something goes wrong.
I use CentOS 6.5. I've installed apache 2.2 on my server by yum, and I want to upgrade my apache to 2.4, but yum does not support that, so I downloaded apache 2.4.7 and installed it to opt/apache/httpd-2.4.7 following the tutorial here: Apache 2.4.x Manual install on RHEL 6.4 - No apache modules will load on start. I want to change environment variables to the new apache version to write apache 2.4 modules (change the include folder for header files, change the "modules" folder when building with apxs, ...). I think I must install another httpd-devel for apache 2.4.7, because I still have not installed httpd-devel-2.4.7, but I don't know how to install and use it instead of httpd-devel-2.2 by yum. I cannot describe my problems clearly in English, so I hope you can understand it. I'm a newbie and I really need your help. Thank you!
CentOS is an image of RHEL, which stands for Red Hat Enterprise Linux. RHEL is designed to be an "Enterprise class" operating system, in which you rely on software packages that are delivered from controlled repositories where they are made available only after being thoroughly tested for Enterprise-level use.
From that point of view, it's generally not a good idea to install packages from source code, or using third-party RPMs, because once you do, your OS is no longer "Enterprise" class.
If you're trying to upgrade for security reasons, you shouldn't. Critical security updates are always backported in previous RPM releases, so you only have to update your current package from the same yum repo from where you got it first. The binary will still say it is Apache 2.2, but it will have the latest security updates.
If you need an actual feature of 2.4, the smart move is to upgrade your CentOS. It may seem like the harder option initially, but it never is in the long run.
In my experience these reports can be fairly basic/binary:
Are you running the latest version of the software? If no flag as security risk.
However, this fails to take into account package managers which backport fixes to older versions and so often have addressed potential security issues.
By moving away from the packaged version you are making security updates more difficult (as you can't do a simple "yum update" to address them anymore).
Apache 2.2 is still maintained for security and bug fixes - though how long for remains to be seen and it is falling further and further behind in features.
So often you just need to explain (and prove!) you have a regular patching process and so the "version of Apache" you are reporting is not really accurate in terms of security patching.
See here for more details: https://serverfault.com/questions/731657/pci-compliance-apache-versions/
Saying all that, we moved to Apache 2.4 on CentOS a while back for some extra features we wanted and just upgrade it to the latest version as part of our regular patching cycle, and are not finding it too inconvenient. Yes, it's not quite as simple as "yum update", but it's a decision we've made because of some features we required. Not a decision to be taken lightly, as Garreth states, but it had the added side effect of this not getting highlighted anymore in these sorts of security scans :-)
We made this decision despite upgrading to a newer version of Red Hat as that was still on an older version of Apache (2.4.7 if memory serves me correctly) which still missed a few features we required. Sometimes it's frustrating how far behind some of these "enterprise" versions are, but that's the downside when there are plenty of upsides to using them too (stability, security... etc.).
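Both answers above make the same point: on RHEL/CentOS the version banner does not tell you whether a fix is present, the package changelog does. The shell example below, added here and not from the thread, shows the check a practitioner would use to prove that to a scanner or auditor: search the text of `rpm -q --changelog httpd` for a CVE id and read off the newest package release. The changelog text is constructed and the CVE id is a placeholder, not a real identifier.

```shell
# Added example, not from the thread: verify a backported fix by its CVE id
# in the RPM changelog instead of trusting the "Apache/2.2.x" banner.
# Constructed changelog text; CVE-0000-0001 is a placeholder id.
SAMPLE_CHANGELOG='* Mon Jan 01 2018 Example Packager <pkg@example.com> - 2.2.15-60
- Resolves: CVE-0000-0001 (placeholder) fix for a constructed issue
* Sun Jan 01 2017 Example Packager <pkg@example.com> - 2.2.15-59
- routine rebuild'

# fixed_in_changelog CHANGELOG_TEXT CVE_ID
#   prints the matching changelog line(s); exit status 1 if the id is absent
fixed_in_changelog() {
  printf '%s\n' "$1" | grep -i -- "$2"
}

# package_release CHANGELOG_TEXT -> newest version-release heading, e.g. 2.2.15-60
package_release() {
  printf '%s\n' "$1" | sed -n 's/^\* .* - \([0-9][^ ]*\)$/\1/p' | head -n 1
}

# On a real host, feed the live changelog (CVE-XXXX-YYYY is whatever the scan reported):
#   fixed_in_changelog "$(rpm -q --changelog httpd)" CVE-XXXX-YYYY
#   rpm -q httpd
```

The output of `fixed_in_changelog` together with `rpm -q httpd` is the evidence the PCI/scanner discussion asks for: the installed release number and the changelog entry naming the fix, which a version-only scan cannot see.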
Good Day!
We have a problem with issue AMQ-2736 (https://issues.apache.org/jira/browse/AMQ-2736) on remote sites and want to upgrade to the 5.5.0 version, which resolved this problem. But the network connection with remote sites is not stable and we will have a non-empty KahaDB at some of them. Does the 5.5.0 version work with a database created by the 5.4.2 version, so we can simply upgrade the software, or must we empty all queues before the upgrade?
I do not know this from first hand experience, but a colleague has successfully used ActiveMQ 5.5 against a KahaDB created from a previous version. If you really want to try it out, just take a file system copy of the entire dataDirectory from version 5.4.2, and point your 5.5 installation to that copy within your activemq.xml configuration.
I tried the latest Fuse Message Broker maintenance release for ActiveMQ 5.4.2 - apache-activemq-5.4.2-fuse-02-00 - and it works well: all "trash" files are removed and we have not detected any message loss or corruption.