OpenSSL upgrade - CentOS 7 - apache

I have a CentOS 7 installation running httpd-2.4.35 and openssl-1.0.2k, but due to vulnerability findings, I need to update OpenSSL to at least 1.0.2s, preferably 1.0.2u. Unfortunately, I cannot find RPMs for these packages, which would make it a lot simpler.
I have tried to upgrade using the tarball provided by OpenSSL but, although the installation works, httpd still uses OpenSSL 1.0.2k. It seems that I am not doing all the actions that the RPM installation is doing. Does anyone know if I can find these newer OpenSSL 1.0.2 RPM packages somewhere, or how to force httpd (installed via RPM) to use another version of OpenSSL?
Thanks!

If you are using OpenSSL 1.0.2k from the RPM package provided by CentOS 7, you are going to receive OpenSSL security updates via yum update until June 2024. Red Hat, with RHEL 7 (the upstream of CentOS 7), is backporting security fixes. This means that there is no rebase to a new version such as 1.0.2s; instead, 1.0.2k gets a patch added resolving the security flaw. A recently active Red Hat community discussion covers almost the same topic and refers to the same explanation.
Unfortunately you do not refer to a specific security flaw that could serve as a specific example. If you would like to know which RPM package fixes CVE-2020-1971, you can visit https://access.redhat.com/security/cve/cve-2020-1971 and figure out there that errata RHSA-2020:5566 contains the fix, thus RPM package "openssl-1.0.2k-21.el7_9". And if you are e.g. on "openssl-1.0.2k-19.el7" (which can be figured out using e.g. rpm -q openssl), this indeed means you should apply updates using yum update.
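The check the answer above describes, as an added example that is not part of the answer or of any Red Hat tooling: it compares the installed openssl NVR against the build the errata names, and confirms the backported fix from the RPM changelog rather than from the upstream version string, which stays at 1.0.2k for the life of RHEL 7. The only specific it takes from the answer is the pairing RHSA-2020:5566 / openssl-1.0.2k-21.el7_9; the changelog text in the script is a constructed sample, not the real package changelog. It also inspects mod_ssl.so, because on CentOS 7 that DSO, not the httpd binary, is what links libssl, which is why a source-built OpenSSL under /usr/local is simply never loaded by an RPM-installed httpd.

```shell
#!/bin/sh
# Added example, not from the answer above. Compare the installed openssl
# package against the errata build, then confirm the backported fix from the
# changelog. The same two checks work for any other backported package
# (httpd, for instance) by swapping the package name.

# Print "<version> <release>" for an NVR such as openssl-1.0.2k-21.el7_9.
# A trailing .x86_64 from plain `rpm -q` is tolerated: it stays in the release.
nvr_split() {
    rel=${1##*-}          # 21.el7_9
    rest=${1%-*}          # openssl-1.0.2k
    printf '%s %s\n' "${rest##*-}" "$rel"
}

# Numeric part of a release before the dist tag: 21.el7_9 -> 21
release_number() {
    printf '%s\n' "${1%%.*}"
}

# needs_update INSTALLED FIXED
#   exit 0: same upstream version and the installed release is older than FIXED
#   exit 1: installed release is at or beyond FIXED
#   exit 2: upstream versions differ (a rebase; RHEL 7 never rebases openssl,
#           so this usually means the package did not come from the distro)
needs_update() {
    set -- $(nvr_split "$1") $(nvr_split "$2")
    [ "$1" = "$3" ] || return 2
    [ "$(release_number "$2")" -lt "$(release_number "$4")" ]
}

# changelog_mentions PATTERN: read changelog text on stdin, succeed if PATTERN
# occurs. Red Hat records backported CVE ids in the changelog, so on a host:
#   rpm -q --changelog openssl | changelog_mentions CVE-2020-1971
changelog_mentions() {
    grep -q -- "$1"
}

# Constructed sample in the shape of an RPM changelog; NOT the real entries.
SAMPLE_CHANGELOG='* Tue Dec 08 2020 Example Packager <packager@example.com> 1.0.2k-21
- fix CVE-2020-1971 (constructed sample entry)

* Mon Jun 01 2020 Example Packager <packager@example.com> 1.0.2k-19
- earlier backport (constructed sample entry)'

FIXED_NVR=openssl-1.0.2k-21.el7_9   # build named by RHSA-2020:5566, per the answer

# report INSTALLED: one-line verdict, pure so it can be checked on constructed input
report() {
    rc=0
    needs_update "$1" "$FIXED_NVR" || rc=$?
    case $rc in
        0) echo "UPDATE: $1 is older than $FIXED_NVR; run yum update openssl" ;;
        1) echo "OK: $1 is at or beyond $FIXED_NVR" ;;
        *) echo "UNKNOWN: $1 is not the distro 1.0.2k line; check the errata by hand" ;;
    esac
}

# On a CentOS 7 host run the same checks against the system; elsewhere use
# constructed input so the script still demonstrates the logic.
if command -v rpm >/dev/null 2>&1 && installed=$(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' openssl 2>/dev/null); then
    report "$installed"
    if rpm -q --changelog openssl | changelog_mentions CVE-2020-1971; then
        echo "changelog of $installed names CVE-2020-1971"
    fi
    # mod_ssl.so is the file that links libssl; httpd itself does not.
    if [ -f /etc/httpd/modules/mod_ssl.so ]; then
        ldd /etc/httpd/modules/mod_ssl.so | grep libssl
    fi
else
    report openssl-1.0.2k-19.el7   # constructed input: no rpm on this host
fi
```

The release comparison is deliberately limited to packages with the same upstream version, which is exactly the backport situation the answer describes; for a general EVR comparison use rpmdev-vercmp from rpmdevtools. The ldd line is the check the questioner was missing: if it prints libssl.so.10 from /lib64, httpd is still on the distribution's OpenSSL no matter what was installed from the tarball.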

Related

How to install mod_auth_openidc on RHEL 7

I've been to the Releases site for mod_auth_openidc and brought down the RPM. Attempting to install it requires cjose, but attempting to find and install that poses a problem, as it seems to incorrectly test the version of jansson (e.g., 2.10 is thought to be less than 2.3). Most of the documentation I find is years old. Trying to use yum brings in a very outdated version of mod_auth_openidc (1.8.8) that fails to allow Apache httpd to load if you have an OIDCRedirectURI coded.
I'm trying to configure Apache HTTPD to call out to an OAuth2 server I've created, but I can't get the old mod to work, and I'd love to know where I can get the piece parts to allow the latest version to install. There are some old downloads on the Releases site if you page back to 2.0, but the libcjose0 is not an RPM.
Do I need to retrieve the dependencies from their GitHub and build them? If someone has done this already and posted the assets, I'm happy to retrieve them. I'm surprised the RHEL 7 repos don't have the latest (or newer) versions of mod_auth_openidc.
The version issue reported when trying to install cjose is a red herring. Based on this site I found, I needed to install jansson-devel to get past the errant warning about versions.
Going here allowed me to retrieve a fairly recent version of cjose-0.5.1-1.el7.centos.x86_64.rpm, which installed without complaints once jansson-devel was installed.
I was then able to install mod_auth_openidc-2.4.9-1.el7.x86_64.rpm from the GitHub repo releases.
I am now able to start Apache httpd with the OIDCRedirectURI entry in httpd.conf.

httpd won't upgrade on RHEL 7: "Package(s) httpd available, but not installed."

When I attempt to upgrade Apache...
cd /etc/yum.repos.d && wget https://repo.codeit.guru/codeit.el7.repo
yum install -y epel-release
yum upgrade httpd
...the output says "Package(s) httpd available, but not installed."
Actually, the above commands worked fine on my staging server, and I got the desired upgrade. But when I tried the same steps on my production server, I see "Package(s) httpd available, but not installed."
Variations of this issue appear elsewhere on Stack Overflow and other forums, but it appears the proper solution changes frequently, and it is difficult to rely on past answers, which in many cases appear to reference defunct mirrors.
It's not clear where Apache was sourced from, but the recommended practice is to use Red Hat Software Collections on RHEL 7 (Application Streams on RHEL 8). See the list here. If your Apache was installed from Software Collections, then you'd want to update via that process.
Software Collections are part of the subscription and are fully supported by Red Hat.

Apache : How to upgrade apache 2.4.x version to latest 2.4.25

How do I upgrade Apache 2.4.9 to the latest stable version, Apache 2.4.25?
Ubuntu 12.04 is a Long Term Support release. This means that the version of Apache included with it will continue to receive security updates into 2017. So while you might not have the most recent version installed, security patches are backported to your version. So you shouldn't necessarily be concerned that you don't have the latest.
When making upgrades to a major piece of software like Apache, you risk making your system unstable. One of the main reasons for using a distribution's package management system rather than installing the latest upstream software is that you get a set of packages that have been tested together. If you update one outside of the package management system, you may introduce incompatibilities. This can particularly be a problem if you rely on non-default Apache modules.
If you really need a more recent version of Apache, I'd suggest upgrading to Ubuntu 14.04. If you don't want to do that, you can still get a more recent version by enabling this PPA:
sudo add-apt-repository ppa:ondrej/apache2
sudo apt-get update
sudo apt-get dist-upgrade
Make sure you upgrade your configuration files as well; see https://httpd.apache.org/docs/trunk/upgrading.html

Using httpd 2.4 instead of 2.2 on centos 6

I use CentOS 6.5. I've installed Apache 2.2 on my server by yum, and I want to upgrade my Apache to 2.4, but yum does not support that, so I downloaded Apache 2.4.7 and installed it to opt/apache/httpd-2.4.7 following the tutorial here: Apache 2.4.x Manual install on RHEL 6.4 - No apache modules will load on start. I want to change the environment variables to the new Apache version in order to write Apache 2.4 modules (change the include folder for header files, change the "modules" folder when building with apxs, ...). I think I must install another httpd-devel for Apache 2.4.7, because I have not yet installed httpd-devel-2.4.7, but I don't know how to install and use it instead of the httpd-devel-2.2 from yum. I cannot describe my problems clearly in English, so I hope you can understand. I'm a newbie and I really need your help. Thank you!
CentOS is an image of RHEL, which stands for Red Hat Enterprise Linux. RHEL is designed to be an "Enterprise class" operating system, in which you rely on software packages that are delivered from controlled repositories, where they are made available only after being thoroughly tested for Enterprise-level use.
From that point of view, it's generally not a good idea to install packages from source code or to use third-party RPMs, because once you do, your OS is no longer "Enterprise" class.
If you're trying to upgrade for security reasons, you shouldn't. Critical security updates are always backported into previous RPM releases, so you only have to update your current package from the same yum repo you got it from in the first place. The binary will still say it is Apache 2.2, but it will have the latest security updates.
If you need an actual feature of 2.4, the smart move is to upgrade your CentOS. It may seem like the harder option initially, but it never is in the long run.
In my experience these reports can be fairly basic/binary: are you running the latest version of the software? If not, flag it as a security risk.
However this fails to take into account package managers which back port fixes to older versions and so often have addressed potential security issues.
By moving away from the packaged version you are making security updates more difficult (as you can't do a simple "yum update" to address them anymore).
Apache 2.2 is still maintained for security and bug fixes - though how long for remains to be seen and it is falling further and further behind in features.
So often you just need to explain (and prove!) that you have a regular patching process, and so the "version of Apache" you are reporting is not really accurate in terms of security patching.
See here for more details: https://serverfault.com/questions/731657/pci-compliance-apache-versions/
Saying all that, we moved to Apache 2.4 on CentOS a while back for some extra features we wanted, and we just upgrade it to the latest version as part of our regular patching cycle and are not finding it too inconvenient. Yes, it's not quite as simple as "yum update", but it's a decision we've made because of some features we required. Not a decision to be taken lightly, as Garreth states, but it had the added side effect of this not getting highlighted anymore in these sorts of security scans :-)
We made this decision despite upgrading to a newer version of Red Hat, as that was still on an older version of Apache (2.4.7 if memory serves me correctly), which still missed a few features we required. Sometimes it's frustrating how far behind some of these "enterprise" versions are, but that's the downside, when there are plenty of upsides to using them too (stability, security, etc.).

OpenSSL 1.0.x possible in Ubuntu 11.04?

Is there a way to get an OpenSSL 1.0.x package in Ubuntu 11.04 without building from source?
apt-get update/upgrade only brings one to 0.9.8g.
There's no officially supported way to get it in natty. You might be able to find someone somewhere who's packaged it up, but if you want to use trusted sources, you're not going to find it on a version lower than 11.10, and if you want the latest version of OpenSSL, you're going to want to go to 12.04.