PDA

View Full Version : SLES 11 SP4 Upgrade Apache from 2.2 to 2.4 on SLES11 SP4



lcastello
08-May-2018, 11:43
Hi.
On a SLES11 SP4 we've got Apache 2.2.34 installed. All its web sites work fine but as Apache 2.2 reached end of live on Jan2018 (as it can be read on https://httpd.apache.org/), which means that no security patches are published anymore, is it absolutely necessary to upgrade to Apache 2.4? And as Apache 2.4 is unsupported by SUSE on SLES11 SP4 anyway, would upgrading to Apache 2.4 really make the server more secure?
Basically, what is your expert advice? What should be the best action to be taken in this situation?
Many Thanks.

smflood
08-May-2018, 11:58
On 08/05/18 11:44, lcastello wrote:

> On a SLES11 SP4 we've got Apache 2.2.34 installed. All its web sites
> work fine but as Apache 2.2 reached end of live on Jan2018 (as it can be
> read on https://httpd.apache.org/), which means that no security patches
> are published anymore, is it absolutely necessary to upgrade to Apache
> 2.4? And as Apache 2.4 is unsupported by SUSE on SLES11 SP4 anyway,
> would upgrading to Apache 2.4 really make the server more secure?
> Basically, what is your expert advice? What should be the best action to
> be taken in this situation?

The first thing to note is that whilst SLES11 SP4 is limited to Apache
2.2.x that doesn't mean it has the same vulnerabilities as Apache 2.2.x
as SUSE backport fixes from later versions of Apache.

That being said if you are concerned about the version of Apache you're
running then you can upgrade although it seems the only supported option
(by SUSE) is to upgrade/migrate your server to SLES12 SPn to get Apache
2.4.x.

If you want Apache 2.4.x on SLES11 SP4 you can install Apache 2.4.33
from the openSUSE Build Service
https://build.opensuse.org/package/show/Apache/apache2 but it would
unsupported by SUSE.

Personally I would either stick with Apache 2.2.x on SLES11 SP4 (making
sure server is fully updated, not just with Apache updates) or migrate
to Apache 2.4.x on SLES12 SP3. For production I wouldn't upgrade/replace
Apache 2.2.x with 2.4.x, from either the openSUSE Build Service or some
other way.

HTH.
--
Simon
SUSE Knowledge Partner

------------------------------------------------------------------------
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.
------------------------------------------------------------------------

lcastello
09-May-2018, 12:34
Hi Simon.
I very much appreciate your reply. It is extremely helpful. As we don't need any specific feature from Apache 2.4 we, most likely, should stick with Apache 2.2 on SLES 11 SP4.
Your reply though, raises a couple of more questions:
- Regarding the backport fixes, does that mean that Apache 2.2.x can get security fixes from even Apache 2.4.x thanks to the SLES 11 SP4 backport?
- And will these backport fixes come throught the standard repositories SLES11-SP4-Pool and SLES11-SP4-Updates, or some extra repository needs adding to my repo list in order to get the backport fixes? In other words, are these two default repos enough to keep the server fully updated?
Many thanks again.
Luis

smflood
09-May-2018, 13:58
On 09/05/18 12:44, lcastello wrote:

> I very much appreciate your reply. It is extremely helpful. As we don't
> need any specific feature from Apache 2.4 we, most likely, should stick
> with Apache 2.2 on SLES 11 SP4.
> Your reply though, raises a couple of more questions:
> - Regarding the backport fixes, does that mean that Apache 2.2.x can get
> security fixes from even Apache 2.4.x thanks to the SLES 11 SP4
> backport?

Depending on the nature of the issue and/or fix yes it's possible for
SUSE's Apache 2.2.x for SLES11 SP4 to include a fix from Apache 2.4.x.

> - And will these backport fixes come throught the standard repositories
> SLES11-SP4-Pool and SLES11-SP4-Updates, or some extra repository needs
> adding to my repo list in order to get the backport fixes? In other
> words, are these two default repos enough to keep the server fully
> updated?

So long as your server has access to the two SLES11-SP4-Pool and
-Updates repos it should receive any updates. This means your server
will need to be registered, either directly to Novell (Micro Focus)/SUSE
Customer Center (NCC/SCC) or a local SUSE Manager or SMT server.

HTH.
--
Simon
SUSE Knowledge Partner

------------------------------------------------------------------------
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.
------------------------------------------------------------------------

lcastello
23-May-2018, 09:44
Hi Simon.
Excellent answer with very valuable content. Thanks for teaching me about the backporting on SLES, which I had no idea before! ;)
Luis