Re: [Server-devel] Apache 2.4.6 on CentOS and 2.4.10 on Debian/Raspbian

2017-05-26 Thread Peter Robinson
On Fri, May 26, 2017 at 1:37 AM, Adam Holt  wrote:
> Just FYI...
>
> Apache 2.4.6 was released July ~19, 2013 (used by IIAB/XSCE 6.2 on CentOS).
>
> Apache 2.4.10 was released July ~19, 2014 (used by IIAB/XSCE 6.2 on
> Debian/Raspbian).
>
> Apache 2.4.25 was released Dec ~19, 2016...if anybody knows any particularly
> important risks above that Internet-in-a-Box may face, please let us know!

This should be completely ignored in regard to Red Hat in RHEL and, as a
direct result, CentOS. CentOS manages the patches/CVEs in the version of
apache shipped, and the risks are dealt with by the security team.
Details for all CVEs can be seen at
https://access.redhat.com/security/security-updates/
___
Server-devel mailing list
Server-devel@lists.laptop.org
http://lists.laptop.org/listinfo/server-devel


Re: [Server-devel] Apache 2.4.6 on CentOS and 2.4.10 on Debian/Raspbian

2017-05-25 Thread James Cameron
No, that's the wrong approach.

Version numbers cannot be compared, because both CentOS and Debian
have backported later changes.

Instead, look at the change log for 2.4.25 and every prior version
back to the version you have, for changes that are important to you,
especially changes with a CVE number or tagged SECURITY.

That gives you a list of changes you want to have.

Then, focus on the changes that are likely to impact server
operations, such as privilege escalation or denial of service.

Then, look at the change log for the CentOS and Debian packages,
looking for where they have backported the changes.  For Debian you'll
find this in /usr/share/doc/apache2/changelog.Debian.gz

It is a complex process, which is why most people delegate it to
CentOS and Debian security teams.

And to answer your question; the particularly important risks that
Internet-in-a-Box may face are all the SECURITY and CVE tagged changes
in the 2.4 series change log;

http://www.apache.org/dist/httpd/CHANGES_2.4

The most important one appears to be CVE-2016-8740 for a denial of
service vulnerability.

Risk is high if the server is accessed from the internet.

Risk is medium if the server is accessed by local public wireless.

Risk is low if the server is accessed by password protected wireless.

-- 
James Cameron
http://quozl.netrek.org/
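The backport check described above can be scripted: pull every `SECURITY:` entry with a CVE number out of the upstream CHANGES_2.4 file for the versions between the one you run and the one you are comparing against, then look for those CVE ids in the distribution's package changelog (for Debian, /usr/share/doc/apache2/changelog.Debian.gz). The script below is an added example, not code from the thread or from the IIAB/XSCE project; the two inline documents are constructed stand-ins that only mimic the layout of the real files, the `CVE-0000-…` ids and the package version strings in them are placeholders, and the function names are my own.

```python
"""Triage upstream Apache httpd SECURITY entries against a Debian changelog.

Added example (not from the thread). Sample inputs below are constructed.
"""
import gzip  # the real changelog.Debian.gz is gzip-compressed
import re

VERSION_RE = re.compile(r"^Changes with Apache (\d+\.\d+\.\d+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed excerpt in the layout of http://www.apache.org/dist/httpd/CHANGES_2.4.
# CVE-2016-8740 is the id named in the thread; the CVE-0000-* ids are placeholders.
SAMPLE_CHANGES = """\
Changes with Apache 2.4.25

  *) SECURITY: CVE-2016-8740 (cve.mitre.org)
     Constructed description: denial of service fix.  [Example Author]

  *) mod_example: constructed non-security entry, must be ignored.

Changes with Apache 2.4.12

  *) SECURITY: CVE-0000-0001 (placeholder id)
     Constructed entry standing in for a fix the distro already backported.

Changes with Apache 2.4.10

  *) SECURITY: CVE-0000-0002 (placeholder id)
     Fixed in 2.4.10 itself, so not newer than the installed version.
"""

# Constructed excerpt in the layout of a Debian package changelog.
SAMPLE_DEBIAN_CHANGELOG = """\
apache2 (2.4.10-0+example2) example-security; urgency=high

  * Backport fix for CVE-0000-0001 (constructed placeholder entry).

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2015 00:00:00 +0000

apache2 (2.4.10-0+example1) example; urgency=medium

  * Initial constructed entry.
"""


def version_tuple(version):
    """'2.4.25' -> (2, 4, 25) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def parse_entries(changes_text):
    """Yield (version_tuple, entry_text) for each '*)' entry in CHANGES_2.4."""
    version, entry = None, None
    for line in changes_text.splitlines():
        match = VERSION_RE.match(line)
        if match:
            if entry:
                yield version, " ".join(entry)
            version, entry = version_tuple(match.group(1)), None
        elif line.lstrip().startswith("*)"):
            if entry:
                yield version, " ".join(entry)
            entry = [line.split("*)", 1)[1].strip()]
        elif entry is not None and line.strip():
            entry.append(line.strip())  # continuation line of the current entry
    if entry:
        yield version, " ".join(entry)


def security_cves(changes_text, installed, target):
    """Map CVE id -> upstream fix version for SECURITY entries in (installed, target]."""
    low, high = version_tuple(installed), version_tuple(target)
    found = {}
    for version, text in parse_entries(changes_text):
        if text.startswith("SECURITY:") and low < version <= high:
            for cve in CVE_RE.findall(text):
                found.setdefault(cve, ".".join(str(n) for n in version))
    return found


def backported_cves(debian_changelog_text):
    """Every CVE id the package maintainers mention anywhere in their changelog."""
    return set(CVE_RE.findall(debian_changelog_text))


def load_debian_changelog(path="/usr/share/doc/apache2/changelog.Debian.gz"):
    """Read the installed package changelog (path is the Debian default)."""
    with gzip.open(path, "rt", encoding="utf-8", errors="replace") as handle:
        return handle.read()


def triage(changes_text, debian_changelog_text, installed, target):
    """Return (unaddressed, addressed): CVE -> upstream fix version, split by
    whether the distro changelog mentions the CVE. An 'unaddressed' id is a
    candidate for manual review, not proof of exposure: maintainers sometimes
    fix an issue without naming the CVE, and some entries may not apply to
    the modules you have enabled."""
    wanted = security_cves(changes_text, installed, target)
    seen = backported_cves(debian_changelog_text)
    unaddressed = {c: v for c, v in wanted.items() if c not in seen}
    addressed = {c: v for c, v in wanted.items() if c in seen}
    return unaddressed, addressed


if __name__ == "__main__":
    # Run against the constructed samples; swap in open("CHANGES_2.4").read()
    # and load_debian_changelog() on a real Debian/Raspbian host.
    todo, done = triage(SAMPLE_CHANGES, SAMPLE_DEBIAN_CHANGELOG, "2.4.10", "2.4.25")
    for cve, fixed_in in sorted(todo.items()):
        print(f"REVIEW  {cve}: fixed upstream in {fixed_in}, not seen in package changelog")
    for cve, fixed_in in sorted(done.items()):
        print(f"ok      {cve}: fixed upstream in {fixed_in}, mentioned by maintainers")
```

Only entries newer than the installed version are considered, so a CVE fixed in 2.4.10 itself does not show up when you run 2.4.10; the comparison uses numeric tuples rather than string order so that 2.4.9 sorts below 2.4.10. The CentOS equivalent is `rpm -q --changelog httpd`, which lists CVE ids in the same way and can be fed to `backported_cves` unchanged.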


[Server-devel] Apache 2.4.6 on CentOS and 2.4.10 on Debian/Raspbian

2017-05-25 Thread Adam Holt
Just FYI...

Apache 2.4.6 was released July ~19, 2013 (used by IIAB/XSCE 6.2 on CentOS).

Apache 2.4.10 was released July ~19, 2014 (used by IIAB/XSCE 6.2 on
Debian/Raspbian).

Apache 2.4.25 was released Dec ~19, 2016...if anybody knows any particularly
important risks above that Internet-in-a-Box may face, please let us know!