
The security team found a loophole in Apache version 2.4.23, so we need to upgrade Apache to at least version 2.4.56. However, the developers told me it required a lot of code changes (around 60% of the entire codebase). Is this true?

IT_Guy
  • How can we know if it's true? – vidarlo Jun 01 '23 at 09:49
  • A bit of an old answer of mine here https://serverfault.com/a/737872/37681 - and only tangentially related to your question, which is very short on details, so I might be barking up the wrong tree, but: finding a specific version string does not equate to your system being vulnerable to any and all bugs published for that version, as long as you're running a supported (enterprise/LTS) distribution that backports security updates. – HBruijn Jun 01 '23 at 10:02
  • This (code change) looks VERY unrealistic to me. I will be surprised if more than 10 lines of code need to be changed. Do the test: install the new version and the app on a test machine and have QA test the app. – Romeo Ninov Jun 01 '23 at 10:10
  • If we are talking about PHP code, then, unless the PHP code is actually parsing or generating the Apache configs, there should be ZERO impact. But as it stands the question is MUCH TOO vague to answer. Voting to close. – symcbean Jun 01 '23 at 10:35

1 Answer

As long as Apache is installed via system packages and the system is not yet end of life, security patches are backported by the package maintainers to older versions.

Check the changelog of the Apache package; chances are high that your Apache is already patched, as long as security updates are installed when they become available.

Gerald Schneider
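One way to run the changelog check this answer describes, as an added example that is not part of the original answer. The package names (`apache2` on Debian/Ubuntu, `httpd` on the RHEL family), the function names, and the sample changelog with its `CVE-1900-*` identifiers are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: look for a backported CVE fix in a distribution Apache package.
# Assumed package names: apache2 (Debian/Ubuntu), httpd (RHEL family).

# Print the installed package's changelog using whichever package manager exists.
apache_changelog() {
    if command -v dpkg >/dev/null 2>&1 && dpkg -s apache2 >/dev/null 2>&1; then
        # Debian-style packages ship the packaging changelog compressed on disk.
        zcat /usr/share/doc/apache2/changelog.Debian.gz
    elif command -v rpm >/dev/null 2>&1 && rpm -q httpd >/dev/null 2>&1; then
        rpm -q --changelog httpd
    else
        echo "no packaged Apache found (apache2/httpd)" >&2
        return 2
    fi
}

# Read changelog text on stdin; print every CVE ID it mentions once.
cves_in_changelog() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Read changelog text on stdin; succeed only if this exact CVE ID appears.
# -w keeps CVE-1900-0001 from matching inside CVE-1900-00012.
changelog_has_cve() {
    grep -qwF -- "$1"
}

# Check the installed package for one CVE ID taken from the security report.
check_installed_apache() {
    log=$(apache_changelog) || return 2
    if printf '%s\n' "$log" | changelog_has_cve "$1"; then
        echo "$1: fix is listed in the package changelog"
    else
        echo "$1: not listed; consult the distribution's security tracker"
        return 1
    fi
}

# Constructed sample changelog (not real package data) for offline testing.
SAMPLE_CHANGELOG='apache2 (2.4.0-0example2) stable-security; urgency=medium
  * SECURITY UPDATE: constructed entry (CVE-1900-0002)
    - backport fix for CVE-1900-0002
    - backport fix for CVE-1900-00012
 -- Example Maintainer <maint@example.invalid>  Thu, 01 Jan 1970 00:00:00 +0000'
```

Call `check_installed_apache` with the CVE ID from the security team's finding. On Ubuntu the on-disk changelog is truncated to recent entries, so `apt changelog apache2` is the fuller source there.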