Upgrade to Apache2

Asked by Amol on 2013-09-30

How can I upgrade to Apache2 2.4 using lucid or precise apache repositories?

The most I can go to is Apache 2.2.22, but it is failing PCI compliance due to vulnerabilities like
1) XSS vulnerability via hostname
2) Server mod_rewrite Terminal escape sequence

etc.

Question information

Language: English
Status: Answered
For: Ubuntu apache2
Assignee: No assignee
Last query: 2013-10-02
Last reply: 2013-10-03

What is the output of:

lsb_release -a; uname -a

Thanks

Amol (ajkedar) said : #2

$ lsb_release -a
LSB Version: core-2.0-amd64:core-2.0-noarch:core-3.0-amd64:core-3.0-noarch:core-3.1-amd64:core-3.1-noarch:core-3.2-amd64:core-3.2-noarch:core-4.0-amd64:core-4.0-noarch
Distributor ID: Ubuntu
Description: Ubuntu 10.04.1 LTS
Release: 10.04
Codename: lucid

$ uname -a
Linux load3-app 2.6.32-31-server #61-Ubuntu SMP Fri Apr 8 19:44:42 UTC 2011 x86_64 GNU/Linux

$ apache2 -V
Server version: Apache/2.2.22 (Ubuntu)
Server built: Feb 13 2012 01:51:50
Server's Module Magic Number: 20051115:30
Server loaded: APR 1.4.5, APR-Util 1.3.9
Compiled using: APR 1.4.5, APR-Util 1.3.12
Architecture: 64-bit
Server MPM: Prefork
  threaded: no
    forked: yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="/var/run/apache2/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"

$ more /etc/apt/sources.list
deb http://archive.ubuntu.com/ubuntu/ lucid main restricted universe
deb-src http://archive.ubuntu.com/ubuntu/ lucid main restricted universe

deb http://archive.ubuntu.com/ubuntu/ lucid-updates main restricted universe
deb-src http://archive.ubuntu.com/ubuntu/ lucid-updates main restricted universe

deb http://security.ubuntu.com/ubuntu lucid-security main restricted universe
deb-src http://security.ubuntu.com/ubuntu lucid-security main restricted universe

deb http://us.archive.ubuntu.com/ubuntu/ precise main
deb-src http://us.archive.ubuntu.com/ubuntu/ precise main

On Sep 30, 2013, at 3:51 PM, actionparsnip <email address hidden> wrote:

> Your question #236632 on apache2 in Ubuntu changed:
> https://answers.launchpad.net/ubuntu/+source/apache2/+question/236632
>
> Status: Open => Needs information
>
> actionparsnip requested more information:
> What is the output of:
>
> lsb_release -a; uname -a
>
> Thanks

https://launchpad.net/ubuntu/+ppas?name_filter=apache2

Has all the PPAs with Apache2; you can click through to see if Lucid is supported in the dropdown, then add the PPA giving what you desire.

Amol (ajkedar) said : #4

Yes, I see a lot of options there, but how reliable are these PPAs?
Can I run a source code in production using the package updates?
Why doesn't the Ubuntu main repository have the new Apache version?

On Sep 30, 2013, at 5:16 PM, actionparsnip <email address hidden> wrote:

> Your question #236632 on apache2 in Ubuntu changed:
> https://answers.launchpad.net/ubuntu/+source/apache2/+question/236632
>
> Status: Open => Answered
>
> actionparsnip proposed the following answer:
> https://launchpad.net/ubuntu/+ppas?name_filter=apache2
>
> Has all the PPAs with Apache2 you can click through to see if Lucid is
> supported in the dropdown then add the PPA giving what you desire.

Unless there is a significant reason to update a package, it will remain on the same version. Ubuntu, and especially the LTS releases, stick to this in order to maximise stability. If you report a bug stating that there are huge reasons to push the update, then it will be updated sooner rather than later. Just because a new version is out, the package does not automatically get updated. Ubuntu is not a rolling release distribution like that.

Amol (ajkedar) said : #6

But wouldn't people running Ubuntu lucid be running into the same problems when running PCI compliance checks?

Another thing is I check this website (http://www.ubuntuupdates.org/package/core/precise/main/updates/apache2) for Ubuntu updates
and it says the latest release for apache2 is

Version: 2.2.22-1ubuntu1.4 2013-07-15 14:06:43 UTC

but when I run apache upgrade on my server it says the package is up to date, but the version is

|/ Name Version Description
+++-=======================-======================================================
ii apache2 2.2.22-1ubuntu1 Apache HTTP Server metapackage

Amol (ajkedar) said : #7

I found the answer to my question on the package version difference: I wasn't including the precise-security repos in the /etc/apt/sources.list file.

Manfred Hampl (m-hampl) said : #8

You should never include a repository for a different Ubuntu release in your sources.list.
According to your output, you are running lucid, so you should have only lucid (and lucid-updates and lucid-security) in your sources.list. Having also precise and precise-security in that config file will very likely create problems with dependency conflicts.
A hybrid lucid/precise system as you apparently have is not supported in any way.
You might consider a complete upgrade to precise if you need package versions that are not available in lucid.
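
A check for the mixed-release condition described in the answer above, as an added example that is not part of the original thread. The function names foreign_suites and sample_sources are hypothetical, and the sample input is constructed from the repository lines posted earlier on this page.

```shell
#!/bin/sh
# foreign_suites CODENAME  (reads apt source lines on stdin)
# Prints "suite<TAB>original line" for every deb/deb-src entry whose suite
# does not belong to CODENAME, i.e. is not CODENAME itself or one of its
# -updates/-security/-backports/-proposed pockets.
foreign_suites() {
    awk -v rel="$1" '
        # Comments and blank lines fail this test and are skipped.
        $1 != "deb" && $1 != "deb-src" { next }
        {
            i = 2
            # Skip an optional "[opt=value ...]" block in front of the URI.
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            suite = $(i + 1)          # the field after the URI is the suite
            base = suite
            sub(/-(updates|security|backports|proposed)$/, "", base)
            if (base != rel) printf "%s\t%s\n", suite, $0
        }
    '
}

# Constructed sample: the kind of hybrid lucid/precise list shown in this thread.
sample_sources() {
    cat <<'EOF'
# main archive
deb http://archive.ubuntu.com/ubuntu/ lucid main restricted universe
deb http://archive.ubuntu.com/ubuntu/ lucid-updates main restricted universe
deb http://security.ubuntu.com/ubuntu lucid-security main restricted universe

deb http://us.archive.ubuntu.com/ubuntu/ precise main
deb-src http://us.archive.ubuntu.com/ubuntu/ precise main
EOF
}

# Demo: report entries that do not belong on a lucid system.
sample_sources | foreign_suites lucid
```

On a real system, pipe in `cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list` and pass `"$(lsb_release -sc)"` as the codename; any output means the machine is pulling packages from more than one release.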
