Re: [CentOS] Apache 2.2 EOL - what is Red Hat's story for RHEL6?

2017-09-13 Thread Johnny Hughes
On 09/13/2017 08:10 AM, Alan McKay wrote:
>> I don't have any official knowledge, but I would suspect that they will
>> maintain httpd-2.2 throughout the lifetime of RHEL6.  Security issues
>> would be backported.  (If older versions of RHEL are any indication)
> 
> The basic problem is though that there won't be any security fixes for 2.2
> How can they back port something that does not exist?
> 
> Or do you mean you think they'll try to port a fix in 2.4 back to 2.2?
> Not even sure that will be possible.
> 
> Is there some way to get an official statement from RHEL on this?
> Like if I bought a licensed copy of RHEL and used it to open a support
> case or something like that?

Red Hat will provide security updates to whatever solution that they
have in RHEL-6 until end of life .. that is what they do and why their
Enterprise Linux has subscription costs .. see:

https://access.redhat.com/security/updates/backporting

The CentOS Project, on the other hand, does not make any security claims
of any kind for CentOS Linux at all.  We rebuild whatever source code
Red Hat releases for RHEL and the user must make sure it meets any
security requirements they have.



___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Apache 2.2 EOL - what is Red Hat's story for RHEL6?

2017-09-13 Thread Alan McKay
So looks like the definitive answer is here for those who have access

https://access.redhat.com/solutions/2595461

What I don't understand is in the top left it says "solution
unverified" and I'm not sure what that means.

Basic summary is that RH will continue to support apache 2.2 to the
end of life of RHEL6


Re: [CentOS] Apache 2.2 EOL - what is Red Hat's story for RHEL6?

2017-09-13 Thread James Hogarth
On 13 September 2017 at 14:10, Alan McKay  wrote:

> > I don't have any official knowledge, but I would suspect that they will
> > maintain httpd-2.2 throughout the lifetime of RHEL6.  Security issues
> > would be backported.  (If older versions of RHEL are any indication)
>
> The basic problem is though that there won't be any security fixes for 2.2
> How can they back port something that does not exist?
>
> Or do you mean you think they'll try to port a fix in 2.4 back to 2.2?
> Not even sure that will be possible.
>
> Is there some way to get an official statement from RHEL on this?
> Like if I bought a licensed copy of RHEL and used it to open a support
> case or something like that?
>


Yes they have engineers who, when a CVE is discovered, will analyse if it
applies to the httpd shipped in RHEL and if there is an issue will write
their own patch (if there is no longer an upstream to directly backport
from).

So long as you use the httpd shipped in RHEL/CentOS you will be protected
against all known CVEs that get discovered - of course ensuring that
mitigating factors such as selinux being enforcing also assists with
protection from many/most vulnerabilities in something like httpd.

You will want to read up on:

https://access.redhat.com/support/policy/updates/errata/

and possibly:

https://access.redhat.com/articles/rhel-top-support-policies

and certainly:

https://access.redhat.com/security/updates/backporting

So yes if there is a security issue found in the httpd 2.2 shipped with EL6
after December of this year RHEL engineers will develop a patch to
mitigate/fix it and include it in their build of httpd they ship.
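
[Added example, not part of the thread or of any Red Hat/CentOS tooling.] Because fixes are backported into the distribution's httpd 2.2 build, the way to confirm on a host that a given CVE has been addressed is the package changelog. The sketch below parses `rpm -q --changelog` text and reports the release in which each CVE id first appears; the sample changelog, its release strings and the CVE-0000-* ids are constructed placeholders.

```sh
#!/bin/sh
# Added example. All changelog data below is constructed for illustration.

# Constructed stand-in for `rpm -q --changelog httpd` output (newest entry first).
sample_changelog() {
cat <<'EOF'
* Mon Jan 01 2018 Example Packager <pkg@example.com> - 2.2.99-3.el6
- backport fix for request parsing (CVE-0000-0002)
- refine earlier fix for CVE-0000-0001

* Sat Jul 01 2017 Example Packager <pkg@example.com> - 2.2.99-2.el6
- add security fix for CVE-0000-0001

* Sun Jan 01 2017 Example Packager <pkg@example.com> - 2.2.99-1.el6
- initial build
EOF
}

# Read changelog text on stdin; print the oldest release whose entry mentions
# CVE id $1. Exit status 1 if the id does not appear at all.
cve_fix_release() {
  awk -v cve="$1" '
    /^\* / { rel = $NF; next }             # entry header ends in version-release
    $0 ~ (cve "([^0-9]|$)") { hit = rel }  # whole id only, not a longer id
    END { if (hit == "") exit 1; print hit }
  '
}

# $1 = changelog text, remaining args = CVE ids. Prints one line per id and
# returns the number of ids that are not listed.
audit_cves() {
  log=$1; shift; missing=0
  for id in "$@"; do
    if rel=$(printf '%s\n' "$log" | cve_fix_release "$id"); then
      echo "$id fixed-in $rel"
    else
      # Not listed: either unpatched or assessed as not affecting this build.
      echo "$id NOT-LISTED"; missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# On a real host: audit_cves "$(rpm -q --changelog httpd)" <CVE ids>
audit_cves "$(sample_changelog)" CVE-0000-0001 CVE-0000-0009 || true
```

A NOT-LISTED result is a prompt to look up the vendor's statement for that CVE, since an issue judged not to apply to the shipped build gets no changelog entry.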


Re: [CentOS] Apache 2.2 EOL - what is Red Hat's story for RHEL6?

2017-09-13 Thread Alan McKay
> I don't have any official knowledge, but I would suspect that they will
> maintain httpd-2.2 throughout the lifetime of RHEL6.  Security issues
> would be backported.  (If older versions of RHEL are any indication)

The basic problem is though that there won't be any security fixes for 2.2
How can they back port something that does not exist?

Or do you mean you think they'll try to port a fix in 2.4 back to 2.2?
Not even sure that will be possible.

Is there some way to get an official statement from RHEL on this?
Like if I bought a licensed copy of RHEL and used it to open a support
case or something like that?


Re: [CentOS] Apache 2.2 EOL - what is Red Hat's story for RHEL6?

2017-09-13 Thread Leon Fauster
> On 13.09.2017 at 01:04, Johnny Hughes wrote:
> 
> On 09/12/2017 02:58 PM, Stephen John Smoogen wrote:
>> On 12 September 2017 at 15:29, Alan McKay  wrote:
>>> Hi folks,
>>> 
>>> I have been googling for a few weeks now and not finding anything.
>>> Apache 2.2 is EOL at the end of this year.
>>> 
>>> Has Red Hat announced a plan yet on what they are doing in RHEL6?
>>> 
>>> I am assuming they will up-version from 6.9 to 6.10 and as part of
>>> that upgrade from Apache 2.2 to Apache 2.4 ?
>>> 
>>> thanks,
>>> -Alan
>>> 
>> 
>> RHEL 6 is in Production Stage 3 where only security fixes will be done
>> to packages. In the past that has meant that no upgrades etc are done
>> in the final Prod 3 releases and backports of high level security
>> fixes are done. So I don't expect any sort of upgrade.
>> 
> 
> I don't have any official knowledge, but I would suspect that they will
> maintain httpd-2.2 throughout the lifetime of RHEL6.  Security issues
> would be backported.  (If older versions of RHEL are any indication)
> 


BTW - SCLo SIG provides additionally httpd24, at least until May 2019 ...

--
LF

 



Re: [CentOS] Apache 2.2 EOL - what is Red Hat's story for RHEL6?

2017-09-12 Thread Johnny Hughes
On 09/12/2017 02:58 PM, Stephen John Smoogen wrote:
> On 12 September 2017 at 15:29, Alan McKay  wrote:
>> Hi folks,
>>
>> I have been googling for a few weeks now and not finding anything.
>> Apache 2.2 is EOL at the end of this year.
>>
>> Has Red Hat announced a plan yet on what they are doing in RHEL6?
>>
>> I am assuming they will up-version from 6.9 to 6.10 and as part of
>> that upgrade from Apache 2.2 to Apache 2.4 ?
>>
>> thanks,
>> -Alan
>>
> 
> RHEL 6 is in Production Stage 3 where only security fixes will be done
> to packages. In the past that has meant that no upgrades etc are done
> in the final Prod 3 releases and backports of high level security
> fixes are done. So I don't expect any sort of upgrade.
> 

I don't have any official knowledge, but I would suspect that they will
maintain httpd-2.2 throughout the lifetime of RHEL6.  Security issues
would be backported.  (If older versions of RHEL are any indication)





Re: [CentOS] Apache 2.2 EOL - what is Red Hat's story for RHEL6?

2017-09-12 Thread Rainer Duffner

> On 12.09.2017 at 21:34, Warren Young wrote:
> 
> I’d assume they’re just going to make their own fixes,


I would be really surprised if they wouldn’t be among the main contributors 
already (if not the main contributor) - or at least have staff that are very 
familiar with the source.





Re: [CentOS] Apache 2.2 EOL - what is Red Hat's story for RHEL6?

2017-09-12 Thread Stephen John Smoogen
On 12 September 2017 at 15:29, Alan McKay  wrote:
> Hi folks,
>
> I have been googling for a few weeks now and not finding anything.
> Apache 2.2 is EOL at the end of this year.
>
> Has Red Hat announced a plan yet on what they are doing in RHEL6?
>
> I am assuming they will up-version from 6.9 to 6.10 and as part of
> that upgrade from Apache 2.2 to Apache 2.4 ?
>
> thanks,
> -Alan
>

RHEL 6 is in Production Stage 3 where only security fixes will be done
to packages. In the past that has meant that no upgrades etc are done
in the final Prod 3 releases and backports of high level security
fixes are done. So I don't expect any sort of upgrade.

-- 
Stephen J Smoogen.


Re: [CentOS] Apache 2.2 EOL - what is Red Hat's story for RHEL6?

2017-09-12 Thread Warren Young
On Sep 12, 2017, at 1:29 PM, Alan McKay  wrote:
> 
> I have been googling for a few weeks now and not finding anything.
> Apache 2.2 is EOL at the end of this year.
> 
> Has Red Hat announced a plan yet on what they are doing in RHEL6?
> 
> I am assuming they will up-version from 6.9 to 6.10 and as part of
> that upgrade from Apache 2.2 to Apache 2.4 ?

I’d assume they’re just going to make their own fixes, since 2.4 is not a 
compatible upgrade for many apps, e.g. anything relying on mod_perl.

We ended up needing to do a major rework of our mod_perl based application to 
make it run on CentOS 7 as a result.


[CentOS] Apache 2.2 EOL - what is Red Hat's story for RHEL6?

2017-09-12 Thread Alan McKay
Hi folks,

I have been googling for a few weeks now and not finding anything.
Apache 2.2 is EOL at the end of this year.

Has Red Hat announced a plan yet on what they are doing in RHEL6?

I am assuming they will up-version from 6.9 to 6.10 and as part of
that upgrade from Apache 2.2 to Apache 2.4 ?

thanks,
-Alan

-- 
"You should sit in nature for 20 minutes a day.
 Unless you are busy, then you should sit for an hour"
 - Zen Proverb