How do I apply a security update to apache
Try this
sudo -i
gedit /etc/apt/sources.list
add the line
deb http://us.archive.ubuntu.com/ubuntu/ precise main
Save and exit, then do
sudo apt-get update
sudo apt-get install apache2
apache2 -v
Then edit /etc/apt/sources.list again, and comment out or delete the following line completely
#deb http://us.archive.ubuntu.com/ubuntu/ precise main
sudo apt-get update
Related videos on Youtube
SwiftD
Updated on September 18, 2022Comments
-
SwiftD over 1 year
I have been running some penetration tests against our webserver and it's come up with a few issues. One of them is that apache needs a security update (http://www.ubuntu.com/usn/usn-1765-1/).
I am running ubuntu 12.04 LTS and the instructions on that page suggest that running
apt-get update
followed by
apt-get upgrade
will solve the issue, unfortunately I am told there are no packages to update. I tried downloading the tarball from the link but now that I've unzipped I'm not really sure what to do with it.
Searching google seems to bombard with instruction on how to install apache but if anyone knows of a guide that would be great. Any advice greatly appreciated.
Output of apt-cache policy apache2:
apache2: Installed: 2.2.22-1ubuntu1.4 Candidate: 2.2.22-1ubuntu1.4 Version table: *** 2.2.22-1ubuntu1.4 0 500 http://mirror.rackspace.com/ubuntu/ precise-updates/main amd64 Packages 500 http://mirror.rackspace.com/ubuntu/ precise-security/main amd64 Packages 100 /var/lib/dpkg/status 2.2.22-1ubuntu1 0 500 http://mirror.rackspace.com/ubuntu/ precise/main amd64 Packages
Output of dpkg -l apache*
Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Description +++-==============-==============-============================================ un apache <none> (no description available) un apache-common <none> (no description available) un apache-utils <none> (no description available) ii apache2 2.2.22-1ubuntu Apache HTTP Server metapackage un apache2-common <none> (no description available) un apache2-doc <none> (no description available) un apache2-mpm <none> (no description available) un apache2-mpm-ev <none> (no description available) un apache2-mpm-it <none> (no description available) ii apache2-mpm-pr 2.2.22-1ubuntu Apache HTTP Server - traditional non-threade un apache2-mpm-wo <none> (no description available) un apache2-suexec <none> (no description available) un apache2-suexec <none> (no description available) ii apache2-utils 2.2.22-1ubuntu utility programs for webservers ii apache2.2-bin 2.2.22-1ubuntu Apache HTTP Server common binary files ii apache2.2-comm 2.2.22-1ubuntu Apache HTTP Server common files
Penetration test reporting the issue:
Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day QID: 86847 Category: Web server CVE ID: - Vendor Reference - Bugtraq ID: - Service Modified: 05/30/2013 User Modified: - Edited: No PCI Vuln: No THREAT: The Apache HTTP Server, commonly referred to as Apache is a freely available Web server. Apache is vulnerable to a denial of service due to holding a connection open for partial HTTP requests. Apache Versions 1.x and 2.x are vulnerable. IMPACT: A remote attacker can cause a denial of service against the Web server which would prevent legitimate users from accessing the site. Denial of service tools and scripts such as Slowloris takes advantage of this vulnerability. SOLUTION: Patch - There are no vendor-supplied patches available at this time. Workaround: - Reverse proxies, load balancers and iptables can help to prevent this attack from occurring. - Adjusting the TimeOut Directive can also prevent this attack from occurring. - A new module mod_reqtimeout has been introduced since Apache 2.2.15 to provide tools for mitigation against these forms of attack. Also refer to Cert Blog and Slowloris and Mitigations for Apache document for further information. COMPLIANCE: Not Applicable EXPLOITABILITY: There is no exploitability information for this vulnerability. ASSOCIATED MALWARE: There is no malware information for this vulnerability. RESULTS: QID: 86847 detected on port 80 over TCP - Apache/2.2.22 (Ubuntu) 3 Apache HTTP Server Prior to 2.2.23 Multiple Vulnerabilities QID: 87133 Category: Web server CVE ID: CVE-2012-2687 CVE-2012-0883 Vendor Reference Apache Bugtraq ID: 53046, 55131 Service Modified: 01/02/2013 User Modified: - Edited: No PCI Vuln: Yes THREAT: Apache HTTP Server is an HTTP web server application. Apache server prior to version 2.2.23 is affected by multiple issues: Insecure LD_LIBRARY_PATH handling Cross-site scripting in mod_negotiation when untrusted uploads are supported Affected Versions: Apache HTTP Server prior to version 2.2.23 IMPACT: Successful exploitation may lead to execution of arbitrary code on the system within the context of the affected applications. SOLUTION: These vulnerabilities have been patched in Apache 2.2.23. Refer to Apache httpd 2.2 Security Vulnerabilities. Patch: Following are links for downloading patches to fix the vulnerabilities: Apache 2.2.23 (Apache HTTP Server) COMPLIANCE: Not Applicable EXPLOITABILITY: There is no exploitability information for this vulnerability. ASSOCIATED MALWARE: There is no malware information for this vulnerability. RESULTS: QID 87133 detected on port 80 - Apache/2.2.22 (Ubuntu) 3 Apache Prior to 2.4.4 and 2.2.24 Multiple Vulnerabilities port 80/tcp QID: 87156 Category: Web server CVE ID: CVE-2012-3499 CVE-2012-4558 Vendor Reference Apache httpd 2.2 Vulnerabilities, Apache httpd 2.4 Vulnerabilities Bugtraq ID: 58165 Service Modified: 05/22/2013 User Modified: - Edited: No PCI Vuln: Yes THREAT: Apache HTTP Server is an HTTP web server application. Apache HTTP Server is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. - Various XSS flaws exist due to unescaped hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp. - A XSS flaw affects the mod_proxy_balancer manager interface. Affected Versions: Apache HTTP Server prior to 2.4.4 Apache HTTP Server prior to 2.2.24 IMPACT: An attacker may leverage these issues to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker launch additional attacks. SOLUTION: These vulnerabilities have been patched in Apache 2.2.24 and 2.4.4. Refer to Apache httpd 2.4.4 Changelog and Apache httpd 2.2.24 Changelog. Ubuntu users refer to Ubuntu advisory USN-1765-1 for affected packages and patching details, or update with your package manager. Patch: Following are links for downloading patches to fix the vulnerabilities: Apache 2.2.24 (Apache HTTP Server 2.2.24) Apache 2.4.4 (Apache HTTP Server 2.4.4) COMPLIANCE: Not Applicable EXPLOITABILITY: There is no exploitability information for this vulnerability. ASSOCIATED MALWARE: There is no malware information for this vulnerability. RESULTS: QID 87156 detected on port 80 - Apache/2.2.22 (Ubuntu) 3 Apache HTTP Server Prior to 2.2.25 Multiple Vulnerabilities port 80/tcp QID: 87233 Category: Web server CVE ID: CVE-2013-1896 CVE-2013-1862 Vendor Reference Apache 2.2.25 Bugtraq ID: - Service Modified: 07/15/2013 User Modified: - Edited: No PCI Vuln: Yes THREAT: Apache HTTP Server is an HTTP web server application. Apache HTTP Server versons before to 2.2.25 are exposed to following vulnerabilities: mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to execute arbitrary commands via an HTTP request containing an escape sequence for a terminal emulator (CVE-2013-1862). mod_dav.c in the Apache HTTP Server versions before 2.2.25 do not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI (CVE-2013-1896). IMPACT: Successfully exploiting these vulnerabilities might allow a remote attacker to execute code or cause denial of service. SOLUTION: These vulnerabilities have been patched in Apache 2.2.25. Refer to Apache httpd 2.2.25 Changelog. Patch: Following are links for downloading patches to fix the vulnerabilities: Apache 2.2.25 COMPLIANCE: Not Applicable EXPLOITABILITY: There is no exploitability information for this vulnerability. ASSOCIATED MALWARE: There is no malware information for this vulnerability. RESULTS: QID 87233 detected on port 80 - Apache/2.2.22 (Ubuntu)
-
sianami over 10 yearsWhen you cross-post at least pay attention to the way you copy/paste! Post in one place. If you picked the wrong one, people can migrate your question to a better site.
-
SwiftD over 10 yearsWhats wrong with my copy/paste technique? I'm a pro with Ctrl-V, built most of my career on it. Further more whats the issue with cross-posting. I'm appealing to two relevant communities regarding the same issue
-
sianami over 10 yearsI suggest you try reading your post from the first sentence.
-
SwiftD over 10 yearsMaybe not such a pro then (edited) - any suggestions on actually applying the security update?
-
Cubiq over 10 yearsyou have the version supposed to solve that issue installed (actually a more recent one). Are you sure you are affected by that bug? It could be something else.
-
SwiftD over 10 years@Cubiq Well now I'm not so sure. I will update the question with the results of the penetration test which set me off on this endeavor
-
-
SwiftD over 10 yearsThank you for the suggestion - I had thought this may be due to the use of rackspace repos but following your instructions I see "Apache is already updated" and it reports the same version number
-
SwiftD over 10 yearsSorry i though my comment made clear this hasnt solved my problem - the fix is not applied everything is as it was when i first asked the question (still failing penetration test due (I think) to Apache security fix not being applied
-
SwiftD over 10 yearsI am accepting your answer since I know it would solve the problem. For my purposes, I have had a great deal of problems compiling from source in the past and have no interest in getting myself involved in manual updates. I am also starting to strongly suspect that these are false positives thrown up by the penetration tests in response to the base apache version number rather than any real vulnerablility (which would have been patched by ubuntu repo contribs). Thank you to everyone who helped me get to the bottom of this - I am currently confirming with the software vendor