
We have the following server details and we need to upgrade Apache 2.4.6 to Apache 2.4.12

OS: CentOS 6
Apache : 2.4.6
PHP : 5.5

I know how to install 2.4.12 from scratch, but I just want to upgrade the current Apache to 2.4.12 because I don't want to lose the PHP settings and other settings of the current Apache.

GBD
  • Why do you think you need to do this? – Michael Hampton Apr 15 '15 at 06:05
  • @MichaelHampton We have gone through a PCI scan and they have suggested using Apache 2.4.10 or 2.4.12 to prevent multiple vulnerabilities – GBD Apr 15 '15 at 06:08
  • No, you don't need to do that. You need to show them that you have updated to patch those vulnerabilities. These updates are provided by CentOS already, though the version number remains 2.4.6. See, among others, http://serverfault.com/a/438312/126632 – Michael Hampton Apr 15 '15 at 06:10
  • @MichaelHampton Is there any way we can send them a report showing that CentOS has already implemented such patches but the version number is the same? – GBD Apr 15 '15 at 06:14
  • `rpm -q --changelog httpd | less` will show the CVEs that have been patched. You can then match them up to the CVEs mentioned in the PCI audit. – Michael Hampton Apr 15 '15 at 06:16
  • @MichaelHampton Thanks for this command. As per this command's result, (CVE-2014-3523) and (CVE-2014-0117) are not yet patched. Can we patch them on our own? – GBD Apr 15 '15 at 06:24
  • Really? They should be. A better way would be to look them up in the Red Hat CVE database shown in the other answer, as that's the info you'll have to give the auditors anyway. When I looked them up I found one was for Windows only, and the other had already been patched last July. – Michael Hampton Apr 15 '15 at 06:25
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/22862/discussion-between-gbd-and-michael-hampton). – GBD Apr 15 '15 at 06:46
  • @MichaelHampton Thanks for the support. You gave much useful information. We will represent our case this way now. – GBD Apr 15 '15 at 06:47
  • @MichaelHampton We use CentOS release 6.6 (Final) and the changelog doesn't show CVE-2014-0117 updated. Any reason? – GBD Apr 15 '15 at 07:37
  • @GBD shows up for me. You need to do that for the package `httpd24-httpd` (assuming you are using Apache from CentOS SCL repos). – faker Apr 15 '15 at 08:57
  • @faker We checked with httpd24-httpd too. That is also not patched. Can you give your `yum` repo for the same? – GBD Apr 15 '15 at 10:02
  • @GBD the default one you get from installing `centos-release-SCL`. `httpd24-httpd` has version 2.4.6-22.el6 – faker Apr 15 '15 at 13:05
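
The changelog check suggested in the comments above, as an added example (not code from the thread): a shell function that reads `rpm -q --changelog` output on stdin and reports, for each CVE ID from a scan report, the changelog entry that names it. The function names, the status words and the sample changelog with its placeholder CVE IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads an RPM changelog on stdin and
# prints one line per CVE ID given as an argument:
#   <ID> LISTED <entry header>   newest changelog entry that names the ID
#   <ID> NOT-LISTED              changelog never names it
#   <arg> INVALID                argument is not a CVE identifier
cve_changelog_report() {
    awk -v ids="$*" '
        BEGIN {
            n = split(ids, want, " ")
            for (i = 1; i <= n; i++)
                valid[i] = (want[i] ~ /^CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]+$/)
        }
        # Each changelog entry starts with "* <date> <packager> - <version>".
        /^\* / { header = $0; next }
        {
            for (i = 1; i <= n; i++) {
                if (!valid[i] || (i in found)) continue
                s = $0
                # Accept only whole-ID matches: CVE-2099-0001 must not be
                # satisfied by the longer CVE-2099-00012.
                while ((pos = index(s, want[i])) > 0) {
                    s = substr(s, pos + length(want[i]))
                    if (substr(s, 1, 1) !~ /[0-9]/) { found[i] = header; break }
                }
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                if (!valid[i])       print want[i], "INVALID"
                else if (i in found) print want[i], "LISTED", found[i]
                else                 print want[i], "NOT-LISTED"
            }
        }'
}

# Constructed sample input: placeholder CVE IDs, packager and releases.
sample_changelog() {
    cat <<'EOF'
* Wed Jan 01 2099 Example Packager <pkg@example.invalid> - 2.4.6-99
- core: fix request handling crash (CVE-2099-00012)

* Tue Dec 01 2098 Example Packager <pkg@example.invalid> - 2.4.6-98
- mod_example: fix access bypass (CVE-2099-0001, CVE-2099-0002)
EOF
}
```

On a real host the input comes from `rpm -q --changelog httpd` (or `httpd24-httpd` for the SCL package) piped into `cve_changelog_report` with the IDs from the scan. A `NOT-LISTED` result means only that the changelog does not name the ID, so look it up in the vendor's CVE database before treating it as unpatched.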

1 Answer


If you simply upgrade using `rpm -U`, the binaries will be upgraded, but the configuration files will remain the same. See https://stackoverflow.com/questions/14511334/rpm-upgrade-handling-of-config-files

Otheus