apache2 upgrade = mess

Postby Bitmuncher » 2018-02-21 16:02

Hello,

So I am using debian stretch for my server.

apache2 -v shows Apache/2.4.25 (Debian)

Now I have done security tests on my webserver which say that there are critical vulnerabilities in my version and that I should update to 2.4.29. However, apt update does not find this version, so I went to the apache page https://packages.debian.org/sid/mips64el/apache2/download and added http://ftp.de.debian.org/debian sid main to /etc/apt/sources.list

Now when I do that, debian finds 346 packages to upgrade!
I did it anyway and my webserver began crashing php, so I had to roll back to a previous backup.

So my questions are:
- why is the debian repository stuck at 2.4.25 for apache2?
- why does adding the repo find 300 packages to upgrade? Are they all beta?

Please, can someone shed some light: what should I do to only update to 2.4.29 from official debian channels?

Re: apache2 upgrade = mess

Postby bw123 » 2018-02-21 17:01

Bitmuncher wrote: So my questions are:
- why is the debian repository stuck at 2.4.25 for apache2?
- why does adding the repo find 300 packages to upgrade? Are they all beta?

Please, can someone shed some light: what should I do to only update to 2.4.29 from official debian channels?


The repository is "stuck" because there hasn't been an updated version released by the security team, and that's the only way a new version can get into the current release.

https://wiki.debian.org/FAQsFromDebianU ... have_it.3F

You can find versions of packages in all releases by using packages.debian.org/PACKAGENAME and in that case you will find 2.4.29-2 is in testing now. Firefox-esr has a nifty search plugin to do this easily.

If you want to move the entire os to testing see this https://wiki.debian.org/DebianTesting
The FAQ above explains how it all works. Don't mix sid or testing with stable.

Re: apache2 upgrade = mess

Postby Bitmuncher » 2018-02-21 17:24

bw123 wrote:
Bitmuncher wrote: So my questions are:
- why is the debian repository stuck at 2.4.25 for apache2?
- why does adding the repo find 300 packages to upgrade? Are they all beta?

Please, can someone shed some light: what should I do to only update to 2.4.29 from official debian channels?


The repository is "stuck" because there hasn't been an updated version released by the security team, and that's the only way a new version can get into the current release.

https://wiki.debian.org/FAQsFromDebianU ... have_it.3F

You can find versions of packages in all releases by using packages.debian.org/PACKAGENAME and in that case you will find 2.4.29-2 is in testing now. Firefox-esr has a nifty search plugin to do this easily.

If you want to move the entire os to testing see this https://wiki.debian.org/DebianTesting
The FAQ above explains how it all works. Don't mix sid or testing with stable.


Ok, thanks for the info. So if I understand well, http://ftp.de.debian.org/debian is "in testing" versions? I'm kind of lost between all those repositories because it does not say anywhere that they are "test versions".

Should I stay with my vulnerability if I want the most stable system? As a web admin this gives me sweats. Here are the "critical" reports I got:

Multiple vulnerabilities have been found in Apache:
* When under stress, closing many connections, the HTTP/2 handling code in Apache httpd 2.4.26 would sometimes access memory after it has been freed, resulting in potentially erratic behaviour.

* In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service.

Multiple vulnerabilities have been found in Apache:
* In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

* In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port.

* A maliciously constructed HTTP/2 request could cause mod_http2 2.4.24, 2.4.25 to dereference a NULL pointer and crash the server process.

* The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value.

* In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header.


Re: apache2 upgrade = mess

Postby bw123 » 2018-02-21 17:48

Bitmuncher wrote: Ok, thanks for the info. So if I understand well, http://ftp.de.debian.org/debian is "in testing" versions? I'm kind of lost between all those repositories because it does not say anywhere that they are "test versions".

Should I stay with my vulnerability if I want the most stable system? As a web admin this gives me sweats. Here are the "critical" reports I got


Well, those don't look like "security tests"; it looks like a report based on version number. If you want to be a web admin, you're going to have to understand this stuff, and how debian works.

Re: apache2 upgrade = mess

Postby Bitmuncher » 2018-02-21 19:29

bw123 wrote: Well, those don't look like "security tests"; it looks like a report based on version number. If you want to be a web admin, you're going to have to understand this stuff, and how debian works.


Yes, I'm having a hard time understanding the logic behind all the repositories, but I'll get there.

Anyway, the test was performed by a website specialised in security checkups; it was automated, but even if it is based on version number, the vulnerabilities are there.

Re: apache2 upgrade = mess

Postby dilberts_left_nut » 2018-02-22 01:35

Are they?
As per the changelog, and Debian policy, the versions in stable remain the same and security fixes are backported.
Your 'security check' is written by a Windows user... for Windows users...
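The backporting point above is what a version-only scanner misses: the fix lands in a new Debian revision (the part after the "-") while the upstream version stays put, and the Debian changelog names the CVE. The following is an added example, not code from any poster: a POSIX shell check that reads a changelog in the format of /usr/share/doc/<package>/changelog.Debian.gz and reports whether each CVE id from a scanner report is mentioned there. The changelog text, version string and CVE ids are constructed placeholders; on a real host you would feed it the output of zcat on the package's changelog.Debian.gz.

```shell
#!/bin/sh
# Constructed changelog excerpt (placeholder maintainer, version and CVE ids;
# not a real apache2 changelog). Same layout as changelog.Debian.gz.
SAMPLE_CHANGELOG='apache2 (2.4.25-3+deb9uN) stretch-security; urgency=high

  * CVE-0000-00001: placeholder entry for a backported security fix

 -- Placeholder Maintainer <maint@example.invalid>  Mon, 01 Jan 2018 00:00:00 +0000

apache2 (2.4.25-3) unstable; urgency=medium

  * placeholder entry for the original stretch upload

 -- Placeholder Maintainer <maint@example.invalid>  Mon, 01 Jan 2017 00:00:00 +0000
'

# cve_fixed CHANGELOG_TEXT CVE_ID: exit 0 if the CVE id is named in the changelog.
cve_fixed() {
    printf '%s\n' "$1" | grep -q -i -- "$2"
}

# current_version CHANGELOG_TEXT: the Debian version of the newest stanza (first line).
current_version() {
    printf '%s\n' "$1" | sed -n '1s/^[^(]*(\([^)]*\)).*/\1/p'
}

# upstream_version DEBIAN_VERSION: drop the Debian revision after the last '-'.
# This is the number a version-based scanner compares, and it does not move
# when a fix is backported in stable.
upstream_version() {
    printf '%s\n' "${1%-*}"
}

# check_report CHANGELOG_TEXT CVE_ID...: print one line per CVE from the report.
check_report() {
    changelog=$1; shift
    ver=$(current_version "$changelog")
    echo "installed $ver (upstream version $(upstream_version "$ver"))"
    for cve in "$@"; do
        if cve_fixed "$changelog" "$cve"; then
            echo "$cve: named in the Debian changelog, fix backported"
        else
            echo "$cve: not in the changelog, check the Debian security tracker"
        fi
    done
}

check_report "$SAMPLE_CHANGELOG" CVE-0000-00001 CVE-0000-00002
```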

Re: apache2 upgrade = mess

Postby debiman » 2018-02-22 16:16

Bitmuncher wrote: added http://ftp.de.debian.org/debian sid main to /etc/apt/sources.list

Ok, I think this got a little lost in the noise.
I hope you didn't actually run an upgrade yet. If you did, you're SOL.

Remove that, and run 'apt update'.

And trust debian in choosing the right apache version for you.