Can't find apache2.4.25

Asked by Konstantin

We have Ubuntu 16.04.2 Server. Our security technical department found some issues which are related to old versions of packages.
I'm talking about the following software - OpenSSH and Apache Web Server.
The experts of that department strongly recommended that we upgrade our software on the Ubuntu server.
Unfortunately, we can't manage to do that, because your repositories haven't got the needed packages - I mean OpenSSH 7.5 and Apache Web Server 2.4.25.

It confused us a bit because the latest version of Ubuntu (17.04) already contains them.

We want to know when we can get the mentioned official packages for Ubuntu 16.04.x.

Question information

Language: English
Status: Solved
For: Ubuntu
Assignee: No assignee
Solved by: Manfred Hampl

Manfred Hampl (m-hampl) said :
#1

You misunderstand the Ubuntu release policy. Ubuntu is not a rolling release.

When Ubuntu xenial was published, apache2 was provided with version 2.4.18 (2.4.18-2ubuntu3), and it is planned to stay like this. Meanwhile there was an update to 2.4.18-2ubuntu3.1 for CVE-2016-5387. Further "dot release" upgrades may follow for other bugs.
A version upgrade (e.g. to 2.4.25) is not planned, but can be done in exceptional cases, e.g. for severe bugs.

You can create a bug report and request a version upgrade (or a backport of the newer version from zesty to xenial), but the improvements or error corrections must be important enough to justify such action.

Remark: Currently there are four open CVEs listed for apache2 in xenial, see https://people.canonical.com/~ubuntu-security/cve/pkg/apache2.html

Konstantin (oceanbyts) said :
#2

Hello,

Thanks for your full explanatory answer. We really had a different point of view on Ubuntu updates.

I want to add the following comments to my first post.

Firstly, our experts also mentioned the following issues: CVE-2016-4979 and CVE-2016-1546.
Have they been closed by the 2.4.18-2ubuntu3.1 update?

Secondly, where can we see which issues were closed in the current release of the needed package? For example, as you know, I have a request to solve problems with OpenSSH. Where can we find information about applied patches and closed issues?

Konstantin (oceanbyts) said :
#3

And one more question.
When will the issues mentioned by you be solved? From that list https://people.canonical.com/~ubuntu-security/cve/pkg/apache2.html for Xenial

Best Manfred Hampl (m-hampl) said :
#4

1. With respect to the two CVEs mentioned see
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4979.html
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1546.html
they seem not to be relevant for apache2 in Ubuntu (because mod_http2 is not enabled).

2. For a listing of bugs and vulnerabilities corrected in a release please see the change log
https://launchpad.net/ubuntu/+source/apache2/+changelog

3. Only the developers can give an answer on the time schedule for bug fixes. I do not have any knowledge about their planning and capacity.

Remark, for openssh the related links are
https://launchpad.net/ubuntu/+source/openssh/+changelog
https://people.canonical.com/~ubuntu-security/cve/pkg/openssh.html
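
One way to do the changelog check described in answer #4 from a shell, as an added example that is not part of the original thread: it maps each CVE in a Debian-format changelog to the package version whose entry mentions it. The sample changelog is constructed; only the pairing of 2.4.18-2ubuntu3.1 with CVE-2016-5387 comes from the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in Debian changelog format. Only the version/CVE pairing
# of the first entry is taken from the thread; all other text is a placeholder.
# On a real host the input would come from e.g. `apt-get changelog apache2`.
sample_changelog() {
cat <<'EOF'
apache2 (2.4.18-2ubuntu3.1) xenial-security; urgency=medium

  * SECURITY UPDATE: placeholder description
    - CVE-2016-5387

 -- Placeholder Maintainer <maintainer@example.com>  Mon, 01 Jan 2001 00:00:00 +0000

apache2 (2.4.18-2ubuntu3) xenial; urgency=medium

  * Placeholder non-security change.

 -- Placeholder Maintainer <maintainer@example.com>  Mon, 01 Jan 2001 00:00:00 +0000
EOF
}

# Read a changelog on stdin and print "CVE-ID version" for every CVE id,
# attributed to the entry header ("pkg (version) suite; ...") it appears under.
cves_by_version() {
    awk '
        /^[a-z0-9][a-z0-9+.-]* \(.*\) / { ver = $2; gsub(/[()]/, "", ver); next }
        {
            line = $0
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                print substr(line, RSTART, RLENGTH), ver
                line = substr(line, RSTART + RLENGTH)
            }
        }'
}

# Print the oldest version whose entry mentions CVE $1 (changelogs are
# newest-first, so the last match wins). Exit status 1 if never mentioned;
# that means "check the CVE tracker page", not "vulnerable".
fixed_in() {
    cves_by_version | awk -v cve="$1" \
        '$1 == cve { v = $2 } END { if (v == "") exit 1; print v }'
}

sample_changelog | cves_by_version
```

A CVE missing from the changelog is not necessarily unpatched: as the answer notes for CVE-2016-4979 and CVE-2016-1546, the tracker may mark it as not relevant to the Ubuntu build.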

Konstantin (oceanbyts) said :
#5

Thanks for your answer about CVEs.

`Only the developers can give an answer on the time schedule for bug fixes. I do not have any knowledge about their planning and capacity.`
How can I message the developer then?

Konstantin (oceanbyts) said :
#6

Thanks Manfred Hampl, that solved my question.