Security – How to upgrade apache in Ubuntu 14.04 LTS

apache-2.4Securityubuntu-14.04

I'm running an Ubuntu server 14.04 LTS (Long Time Support), it comes with Apache/2.4.7.
However, Apache 2.4.10 is out, with some security fixes I'd like to have.

So how can I get these security fixes, and still benefit the LTS provided by Ubuntu ? Does a manual install (from sources) will conflict with the unattended upgrades I've setup ?

What's the best way to keep my server up to date regarding security and maintainable on the long term (avoiding manual compilations / packages conflicts) ?

Best Answer

Almost every major Linux distro backports security patches.

From that article you can see the following CVE numbers and issues.

Fixed in Apache httpd 2.4.10

important: mod_cgid denial of service CVE-2014-0231
important: WinNT MPM denial of service CVE-2014-3523
moderate: mod_proxy denial of service CVE-2014-0117
moderate: mod_deflate denial of service CVE-2014-0118
moderate: mod_status buffer overflow CVE-2014-0226

All you have to do is over on the Ubuntu Security page and you will see usn-2299-1 which addresses all of them (except the 2014-3523, because Linux is not winnt). So you need an Apache package version of at least 2.4.7-1ubuntu4.1. Which you should be able to get with a standard apt-get upgrade or apt-get dist-upgrade.

Does a manual install (from sources) will conflict with the unattended upgrades I've setup ?

Yes, very much, do not do that. If you are going to install software directly from source, make sure you completely remove the packaged version first, or badness will happen. Also, be certain that you will have ability and time to monitor all the appropriate vendor mail lists so you can maintain the packages yourself.

Best Answer

Related Solutions

Security Auditing on Ubuntu 14.04 LTS

Vps – Apache server hangs after a few hours, needs restart

Related Topic