apache2 upgrade = mess

Bitmuncher
Posts: 17
Joined: 2016-03-08 17:00

apache2 upgrade = mess

#1 Post by Bitmuncher »

Hello,

So I am using debian stretch for my server.

apache2 -v shows Apache/2.4.25 (Debian)

Now I have run security tests on my webserver which say that there are critical vulnerabilities in my version and that I should update to 2.4.29; however, apt update does not find this version, so I went to the apache page https://packages.debian.org/sid/mips64e ... 2/download and added http://ftp.de.debian.org/debian sid main to /etc/apt/sources.list

Now when I do that, Debian finds 346 packages to upgrade!
I did it anyway and my webserver began crashing PHP, so I had to roll back to a previous backup.

So my questions are:
- why is the Debian repository stuck at 2.4.25 for apache2?
- why does adding the repo find 300 packages to upgrade? Are they all beta?

Please can someone shed some light; what should I do to only update to 2.4.29 from official Debian channels?

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: apache2 upgrade = mess

#2 Post by bw123 »

Bitmuncher wrote: So my questions are:
- why is the Debian repository stuck at 2.4.25 for apache2?
- why does adding the repo find 300 packages to upgrade? Are they all beta?

Please can someone shed some light; what should I do to only update to 2.4.29 from official Debian channels?
The repository is "stuck" because there hasn't been an updated version released by the security team, and that's the only way a new version can get into the current release.

https://wiki.debian.org/FAQsFromDebianU ... have_it.3F

You can find the versions of packages in all releases by using packages.debian.org/PACKAGENAME, and in that case you will find that 2.4.29-2 is in testing now. Firefox-esr has a nifty search plugin to do this easily.

If you want to move the entire OS to testing, see https://wiki.debian.org/DebianTesting
The FAQ above explains how it all works. Don't mix sid or testing with stable.
resigned by AI ChatGPT

Bitmuncher
Posts: 17
Joined: 2016-03-08 17:00

Re: apache2 upgrade = mess

#3 Post by Bitmuncher »

bw123 wrote:
Bitmuncher wrote: So my questions are:
- why is the Debian repository stuck at 2.4.25 for apache2?
- why does adding the repo find 300 packages to upgrade? Are they all beta?

Please can someone shed some light; what should I do to only update to 2.4.29 from official Debian channels?
The repository is "stuck" because there hasn't been an updated version released by the security team, and that's the only way a new version can get into the current release.

https://wiki.debian.org/FAQsFromDebianU ... have_it.3F

You can find the versions of packages in all releases by using packages.debian.org/PACKAGENAME, and in that case you will find that 2.4.29-2 is in testing now. Firefox-esr has a nifty search plugin to do this easily.

If you want to move the entire OS to testing, see https://wiki.debian.org/DebianTesting
The FAQ above explains how it all works. Don't mix sid or testing with stable.
Ok, thanks for the info. So if I understand correctly, http://ftp.de.debian.org/debian is "in testing" versions? I'm kind of lost between all those repositories, because it does not say anywhere that they are "test versions".

Should I stay with my vulnerability if I want the most stable system? As a web admin this gives me sweats. Here are the "critical" reports I got:

Multiple vulnerabilities have been found in Apache:
* When under stress, closing many connections, the HTTP/2 handling code in Apache httpd 2.4.26 would sometimes access memory after it has been freed, resulting in potentially erratic behaviour.

* In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service.

Multiple vulnerabilities have been found in Apache:
* In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

* In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port.

* A maliciously constructed HTTP/2 request could cause mod_http2 2.4.24, 2.4.25 to dereference a NULL pointer and crash the server process.

* The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value.

* In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header.

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: apache2 upgrade = mess

#4 Post by dilberts_left_nut »

AdrianTM wrote: There's no hacker in my grandma...

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: apache2 upgrade = mess

#5 Post by bw123 »

Bitmuncher wrote: Ok, thanks for the info. So if I understand correctly, http://ftp.de.debian.org/debian is "in testing" versions? I'm kind of lost between all those repositories, because it does not say anywhere that they are "test versions".

Should I stay with my vulnerability if I want the most stable system? As a web admin this gives me sweats. Here are the "critical" reports I got
Well, those don't look like "security tests"; it looks like a report based on the version number. If you want to be a web admin, you're going to have to understand this stuff, and how Debian works.
resigned by AI ChatGPT

Bitmuncher
Posts: 17
Joined: 2016-03-08 17:00

Re: apache2 upgrade = mess

#6 Post by Bitmuncher »

bw123 wrote: Well, those don't look like "security tests"; it looks like a report based on the version number. If you want to be a web admin, you're going to have to understand this stuff, and how Debian works.
Yes, I'm having a hard time understanding the logic behind all the repositories, but I'll get there.

Anyway, the test was performed by a website specialised in security checkups; it was automated, but even if it is based on the version number, the vulnerabilities are there.

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: apache2 upgrade = mess

#7 Post by dilberts_left_nut »

Are they?
As per the changelog, and Debian policy, the versions in stable remain the same and security fixes are backported.
Your 'security check' is written by a Windows user... for Windows users...
AdrianTM wrote: There's no hacker in my grandma...
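Added example (not code from this thread, from Debian, or from the apache2 package): the check behind bw123's "report based on version number" remark and dilberts_left_nut's point that stable keeps its version string and backports the fix. It decides whether a CVE is fixed on a box by reading the Debian changelog rather than the upstream version; the changelog entries, Debian revisions, maintainer address and CVE ids below are all constructed placeholders.

```shell
#!/bin/sh
# Constructed stand-in for a Debian changelog (NOT the real apache2 one).
# On a real Debian host the same text comes from:  apt-get changelog apache2
# and the installed version from:  dpkg-query -W -f='${Version}' apache2
CHANGELOG='apache2 (2.4.25-3+deb9u3) stretch-security; urgency=high

  * Backport fix for CVE-0000-0004 (placeholder id): mod_mime one-byte over-read.

 -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Jan 2018 00:00:00 +0000

apache2 (2.4.25-3+deb9u1) stretch-security; urgency=high

  * Backport fixes (placeholder ids):
    - CVE-0000-0002: HTTP/2 use-after-free when closing many connections.
    - CVE-0000-0003: mod_auth_digest reads uninitialised pool memory.

 -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Jan 2018 00:00:00 +0000

apache2 (2.4.25-3) stretch; urgency=medium

  * New upstream release.

 -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Jan 2018 00:00:00 +0000
'

# cve_fixed_in_installed CVE-ID INSTALLED-VERSION
# Walks the changelog newest-first (that is the Debian changelog order) and prints:
#   fixed          the CVE is named in the installed revision or an older one
#   fix-available  named only in a newer revision: the fix exists, apt upgrade it
#   not-mentioned  no entry names it: check the Debian security tracker instead
#   unknown        the installed version does not appear in this changelog
cve_fixed_in_installed() {
  printf '%s\n' "$CHANGELOG" | awk -v cve="$1" -v inst="$2" '
    /^[a-z0-9.+-]+ \([^)]+\)/ {          # entry header: pkg (version) suite; ...
      ver = $2; gsub(/[()]/, "", ver)
      if (ver == inst) seen = 1           # this entry and older ones are installed
      state = seen ? "installed" : "newer"; next
    }
    index($0, cve) { if (state == "installed") fixed = 1; else if (state == "newer") newer = 1 }
    END {
      if (!seen) print "unknown"
      else if (fixed) print "fixed"
      else if (newer) print "fix-available"
      else print "not-mentioned"
    }'
}

cve_fixed_in_installed CVE-0000-0002 2.4.25-3+deb9u1   # prints: fixed
cve_fixed_in_installed CVE-0000-0004 2.4.25-3+deb9u1   # prints: fix-available
```

A scanner that only compares "2.4.25" against the upstream fix version would flag the first case as vulnerable even though the backported fix is installed; the changelog says otherwise.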

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: apache2 upgrade = mess

#8 Post by debiman »

Bitmuncher wrote: added http://ftp.de.debian.org/debian sid main to /etc/apt/sources.list
Ok, I think this got a little lost in the noise.
I hope you didn't actually run an upgrade yet. If you did, you're SOL.

Remove that, and run 'apt update'.

And trust Debian in choosing the right apache version for you.
