
I have a website hosted on an Amazon AMI Linux instance.

We had a PCI Scan recently and we failed the scan because we have Apache 2.2.23 installed, and apparently it contains vulnerabilities that have been since fixed on 2.2.24.

I did a sudo yum update but after checking the Apache version using httpd -v it still reports 2.2.23. A yum info httpd also confirms that the repository version is 2.2.23.

Is there any way to force yum to update to the latest version or to add a custom repository pointing to the latest Apache release? I am a developer and I don't have a lot of experience hosting on Linux, so I am a little bit stumped as to what to do.

Any tips will be appreciated, thanks!

Jonik
Zuriel Barron

2 Answers


Take a step back. The PCI scanner is blindly relying on version numbers and isn't taking into account that the vendor (which is eventually Red Hat) backports patches. Find out the exact vulnerability (get the CVE) and then use rpm -q --changelog httpd (or go to http://cve.mitre.org/cve/cve.html and https://access.redhat.com/security/updates/) to see if the fix has been backported. It is annoying to do; thank your lazy PCI QSA for the work.

I strongly recommend against installing from source. It breaks package management and you now become responsible for keeping Apache up to date, which is more annoying than verifying the backporting of fixes.

Mark Wagner
  • Thanks, that's good advice. Unfortunately there's nothing on the changelog of note. Latest entry: * Sun Oct 21 2012 Lee Trager - Update to 2.2.23 from upstream Apache – Zuriel Barron Mar 27 '13 at 17:00
  • httpd-2.2.24-1.29.amzn1 is the latest so you are doing something wrong. You can go to http://aws.amazon.com/amazon-linux-ami/security-bulletins/ to see what CVEs are fixed by the updates. – Mark Wagner Mar 27 '13 at 18:54
  • Oh yeah, it seems like it was just posted today for update. Thanks. I'll go give it a try. – Zuriel Barron Mar 27 '13 at 22:00
  • Just to clarify: Amazon Linux AMI is an independent distro maintained by Amazon and has nothing to do with Red Hat. Security updates are backported into existing package versions, but as noted, you need to check with Amazon to see what updates have been included, not Red Hat. Also, a PCI Scan that is looking at specific software package numbers is all but useless. – Garreth McDaid Apr 22 '14 at 13:35
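As an added example, not part of Mark Wagner's answer or the comments above, here is a small POSIX shell check that does what the answer describes by hand: it scans a package's RPM changelog (the output of rpm -q --changelog httpd) for a given CVE id, so you can tell whether a fix was backported into an unchanged upstream version number. The sample changelog text, the maintainer name and the CVE id CVE-0000-0001 are constructed placeholders, not data from this page or from the Amazon Linux repositories; the function names are mine.

```shell
#!/bin/sh
# Added example: check whether an RPM changelog mentions a CVE id, i.e. whether
# the vendor backported the fix without bumping the upstream version.

# Constructed sample of the text `rpm -q --changelog httpd` prints. The
# maintainer and the CVE id are placeholders, not a real advisory.
SAMPLE_CHANGELOG='* Mon Apr 01 2013 Example Maintainer <maint@example.com> - 2.2.23-2
- backport fix for CVE-0000-0001 (placeholder id)
* Sun Oct 21 2012 Example Maintainer <maint@example.com> - 2.2.23-1
- Update to 2.2.23 from upstream Apache'

# changelog_mentions_cve CHANGELOG_TEXT CVE_ID
# Exit status 0 if the changelog text references the CVE id (case-insensitive,
# fixed-string match so the dashes in the id are not treated as a regex).
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -q -i -F -- "$2"
}

# backported_fix_status CHANGELOG_TEXT CVE_ID
# Prints "fixed-by-backport" when the changelog names the CVE, otherwise
# "not-mentioned". "not-mentioned" is not proof the system is vulnerable:
# the vendor's security bulletins are the next place to look.
backported_fix_status() {
    if changelog_mentions_cve "$1" "$2"; then
        echo "fixed-by-backport"
    else
        echo "not-mentioned"
    fi
}

# host_changelog PACKAGE
# On a real RPM-based host, prints the installed package's changelog; feed its
# output to backported_fix_status, e.g.:
#   backported_fix_status "$(host_changelog httpd)" CVE-0000-0001
host_changelog() {
    rpm -q --changelog "$1"
}

# Demonstration against the constructed sample, so the script runs anywhere.
backported_fix_status "$SAMPLE_CHANGELOG" CVE-0000-0001
```

On an actual instance, replace the sample with the real changelog (host_changelog httpd) and the placeholder with the CVE id the scan report cites; if the id is not mentioned, check the vendor bulletins linked in the comments above before concluding the package is unpatched.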

Why not just install Apache 2.4.3?

yum install httpd24

jamieb