Linux – PCI Compliance: install Apache 2.4.17 on Ubuntu 14.04.3

apache-2.4, apt, linux, pci-dss, ubuntu-14.04

I have a VPS running Ubuntu 14.04.3.
The latest Ubuntu-supported version of Apache for this release is Apache 2.4.7.

But the company for which I configured the server is seeking PCI compliance, and has been denied due to security vulnerabilities patched in Apache 2.4.14.

The latest stable release of Apache is currently 2.4.17.

Would it be advisable/viable for me to install Apache 2.4.17 on the server – could I do it by using apt-get with another package repository, or would I need to build from source?

Best Answer

From a security perspective you don't want to be running Apache httpd 2.4.14 or even 2.4.17 at all; you just don't want to be vulnerable to any known Apache (or other) security vulnerabilities.

In general you already achieve that by regularly applying the security updates on your supported Ubuntu LTS release.


A security scan probably detected your Apache version string 2.4.7, did a quick lookup in a database with known vulnerabilities such as https://nvd.nist.gov/ and found a list similar to this one on cvedetails.com and found that CVE-2015-3185 is but the most recent vulnerability that applies to your Apache version.

Then comes the ignorant conclusion: to be "secure and compliant" one must follow that CVE blindly and you must upgrade to release Apache httpd 2.4.14 or newer.

That does not take into account the common practice in the "Enterprise" Linux distributions to "backport" security updates. The reasons for backporting and the process are pretty well described on RedHat.com but are similar for Ubuntu. (Please read that whole article.) The short of it is that an older version number does not equate to insecure at all.

CVE-2015-3185 has been acknowledged by Ubuntu as USN-2686-1 and has been addressed.

If you have not already, simply install the normal security updates and despite remaining on Apache version 2.4.7 you're not vulnerable to CVE-2015-3185 nor any of the previous CVEs.


I'm not intimately familiar with the PCI compliance certification process so how to translate the above to getting certified...

What might help is this answer (and even that whole Q&A is interesting despite being focused on RHEL): use the following Apache Directives and set ServerTokens to Prod and set the ServerSignature to Off in your httpd.conf.
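Two checks that follow from the answer above, as an added example that is not part of the original post: confirming from the Debian changelog that the installed Ubuntu package already carries the backported fix for CVE-2015-3185, and confirming that the `ServerTokens Prod` / `ServerSignature Off` directives are in effect. The changelog and config text are constructed samples; the package version `2.4.7-1ubuntu4.X` is a placeholder, not the real fixed version.

```shell
#!/bin/sh
# Constructed sample in the layout of /usr/share/doc/apache2/changelog.Debian.gz.
# The version "2.4.7-1ubuntu4.X" and the wording are placeholders, not the real
# Ubuntu changelog; only the CVE id comes from the question.
SAMPLE_CHANGELOG='apache2 (2.4.7-1ubuntu4.X) trusty-security; urgency=medium

  * SECURITY UPDATE: constructed placeholder entry
    - CVE-2015-3185

 -- Placeholder Maintainer <maintainer@example.invalid>  Thu, 01 Jan 2015 00:00:00 +0000

apache2 (2.4.7-1ubuntu4) trusty; urgency=low

  * constructed placeholder earlier entry

 -- Placeholder Maintainer <maintainer@example.invalid>  Wed, 01 Jan 2014 00:00:00 +0000'

# Print the package version of the newest changelog entry that cites the given
# CVE id as a whole id (CVE-2015-318 must not match CVE-2015-3185); exit 1 if
# no entry cites it.  Usage: cve_fixed_version "$changelog_text" CVE-2015-3185
cve_fixed_version() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        /^[a-z0-9.+-]+ \(/       { ver = $2; gsub(/[()]/, "", ver) }
        $0 ~ (cve "([^0-9]|$)") { print ver; found = 1; exit }
        END { exit !found }'
}

# Constructed security.conf fragment with the two directives the answer recommends.
SAMPLE_SECURITY_CONF='# constructed example of /etc/apache2/conf-available/security.conf
ServerTokens Prod
ServerSignature Off'

# Exit 0 only if the last ServerTokens is Prod (or ProductOnly) and the last
# ServerSignature is Off: later directives override earlier ones, names and
# values are compared case-insensitively, comment lines are skipped.
# Usage: banner_directives_ok "$conf_text"
banner_directives_ok() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        tolower($1) == "servertokens"    { tokens = tolower($2) }
        tolower($1) == "serversignature" { sig = tolower($2) }
        END { exit !((tokens == "prod" || tokens == "productonly") && sig == "off") }'
}

# Stand-alone run: report both checks for the constructed samples.
if ver=$(cve_fixed_version "$SAMPLE_CHANGELOG" CVE-2015-3185); then
    echo "CVE-2015-3185 fixed in package version $ver"
else
    echo "CVE-2015-3185 not found in changelog"
fi
banner_directives_ok "$SAMPLE_SECURITY_CONF" && echo "banner directives OK"
```

On the server itself, feed the real changelog (`zcat /usr/share/doc/apache2/changelog.Debian.gz` or `apt-get changelog apache2`) and the real config to the two functions instead of the constructed samples.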