Is this version locked at 2.4.41 or are there plans to upgrade to a newer version eventually?

Asked by Meantime IT

Hi there,

(Sorry if this is asked plenty of times elsewhere but I've checked Stack and various forums and not had any luck.)

I'm aware that apache2 2.4.* has been a rocky ride recently but are there plans to update to a newer release of apache 2.4 or is it locked at 2.4.41 for the duration of 20.04's LTS release cycle?

I ask because 2.4.41 fails PCI scans by ASVs and the 'mitigation' for it right now is to mask the version on servers being scanned by the ASV. This is good practice for a production server but development servers are nice to run with the version available because the PCI scans are a nice alert system!

Regards,
connrs

Question information

Language: English
Status: Solved
For: Ubuntu apache2
Assignee: No assignee
Solved by: actionparsnip
Meantime IT (meantimeit-tdsa) said :
#1

I now feel a fool because as soon as I submitted this question I realised this is the place to look for answers on this.

Best actionparsnip (andrew-woodhead666) said :
#2

The LTS releases are stable, meaning the version numbers rarely change. You can submit a security bug with the results of your penetration test which may get the version updated.

You can always use a PPA to get a newer version. I suggest you take a snapshot of the system (I'm assuming it's a VM) so that you can roll back. It depends how comfortable your enterprise is with PPAs.

You can also compile the source yourself to upgrade the package. You should make a deb of your efforts so that updates don't overwrite your files.

Meantime IT (meantimeit-tdsa) said :
#3

Thanks, you're quite right that I could take advantage of ~ondrej's hard work to get the very latest version.

However, we're very much in favour of Ubuntu Pro here at our enterprise and official package repos rather than PPAs and self-compilation is a line we very rarely cross.

For apache2, we'd definitely want to lean into the "LTS" and "Pro" for our Ubuntu Pro Focal servers. Especially for something like apache2.

Maintaining the same version number totally makes sense to me now. The real issue is that approved scanning vendors have a very naïve set of pen-test tools if version number is how they believe they detect exploits. The tools we run ourselves to "self-pen-test" our servers go into way more depth. However, this isn't the place for me to vent about this sort of thing.

Thanks actionparsnip.

Yours,
connrs
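Why a banner-only check misfires on an LTS package, as an added example that is not part of this thread: a compact Python re-implementation of dpkg's version ordering, which splits a package version into epoch, upstream part and Ubuntu revision. The two version strings at the bottom are constructed illustrations of the focal pattern (upstream stays 2.4.41, revision advances), not a statement about which revision fixed which issue.

```python
import re

def _order(c: str) -> int:
    """dpkg weight: '~' < end-of-string/digit ('') < letters < other punctuation."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    """dpkg-style fragment compare: alternate non-digit runs and numeric digit runs."""
    while a or b:
        ia = ib = 0
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ca = a[ia] if ia < len(a) and not a[ia].isdigit() else ""
            cb = b[ib] if ib < len(b) and not b[ib].isdigit() else ""
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
            ia, ib = ia + 1, ib + 1  # equal weight here means the same non-digit char
        a, b = a[ia:], b[ib:]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        na, nb = int(da or "0"), int(db or "0")  # numeric compare ignores leading zeros
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def split_version(v: str) -> tuple:
    """Split '[epoch:]upstream[-revision]'; the revision follows the last '-'."""
    epoch, rest = 0, v
    if ":" in rest:
        e, rest = rest.split(":", 1)
        epoch = int(e)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return epoch, upstream, revision

def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_patched(installed: str, fixed: str) -> bool:
    """True when the installed package is at or past the revision that shipped a fix."""
    return compare_versions(installed, fixed) >= 0

# Constructed sample versions: identical upstream 2.4.41, different Ubuntu revisions.
INSTALLED, FIXED = "2.4.41-4ubuntu3.1", "2.4.41-4ubuntu3.14"
```

A scanner reading only the Server banner sees `split_version(...)[1]`, which is the same string for both samples; the `dpkg -l apache2` revision is what actually tells a patched build from an unpatched one.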

Meantime IT (meantimeit-tdsa) said :
#4

Thanks actionparsnip, that solved my question.