Upgrade Apache to the latest version 2.4.54

Hello Rocky,

I have just moved from CentOS to Rocky and I installed the latest Apache available in 9.1 (Blue Onyx). I found out that this is version 2.4.53. However, there is already a new one, i.e. 2.4.54. I have to upgrade because of one particular problem that is fixed in 2.4.54 (CVE-2022-30556). I am curious whether there is a way in Rocky where I can enable an additional repository where 2.4.54 already exists. I have already enabled the epel and crb repositories. Maybe there is one for the new versions of Apache?

current version in 9.1 (Blue Onyx):

apachectl -v
Server version: Apache/2.4.53 (Rocky Linux)
Server built:   Jul 20 2022 00:00:00

latest version:

June 08, 2022 - 
Apache HTTP Server 2.4.54

https://downloads.apache.org/httpd/Announcement2.4.html

The answer is “no”.

Rocky has what RHEL has and Red Hat backports features and fixes into the RHEL. See https://access.redhat.com/solutions/57665

https://access.redhat.com/security/cve/cve-2022-30556 claims that CVE-2022-30556 is “Fixed” in RHEL 9. Indeed, it is mentioned in 2.4.53-7:

$ sudo dnf rq --changelogs httpd | head -15
Last metadata expiration check: 0:02:12 ago on Sun 01 Jan 2023 03:45:02 PM EET.
Changelog for httpd-2.4.53-7.el9.x86_64
* Wed Jul 20 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-7
- Resolves: #2094997 - CVE-2022-26377 httpd: mod_proxy_ajp: Possible request
  smuggling
- Resolves: #2097032 - CVE-2022-28615 httpd: out-of-bounds read in 
  ap_strcmp_match()
- Resolves: #2098248 - CVE-2022-31813 httpd: mod_proxy: X-Forwarded-For dropped
  by hop-by-hop mechanism
- Resolves: #2097016 - CVE-2022-28614 httpd: out-of-bounds read via ap_rwrite()
- Resolves: #2097452 - CVE-2022-29404 httpd: mod_lua: DoS in r:parsebody
- Resolves: #2097459 - CVE-2022-30522 httpd: mod_sed: DoS vulnerability
- Resolves: #2097481 - CVE-2022-30556 httpd: mod_lua: Information disclosure
  with websockets

* Mon Jun 27 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-6
2 Likes
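The reply above answers the question by reading the package changelog and looking for the CVE identifier. As an added example (not code from the thread or from the Rocky project), the shell script below turns that manual check into two small functions: one reports which package release first mentions a given CVE, the other lists every CVE an entry closed. The changelog text is a constructed sample modelled on the `dnf rq --changelogs httpd` output above, with a placeholder packager and a placeholder CVE in the older entry, so the script runs offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the check the reply above
# does by hand (read `dnf rq --changelogs httpd`, look for the CVE) as two
# functions.  The changelog below is a CONSTRUCTED sample modelled on the
# thread's output so the script runs offline; on a real host pipe the live
# changelog in instead:  dnf rq --changelogs httpd | cve_fixed_in CVE-2022-30556

SAMPLE_CHANGELOG='Changelog for httpd-2.4.53-7.el9.x86_64
* Wed Jul 20 2022 Example Packager <packager@example.invalid> - 2.4.53-7
- Resolves: #2097481 - CVE-2022-30556 httpd: mod_lua: Information disclosure
  with websockets
- Resolves: #2097459 - CVE-2022-30522 httpd: mod_sed: DoS vulnerability

* Mon Jun 27 2022 Example Packager <packager@example.invalid> - 2.4.53-6
- Resolves: #0000000 - CVE-1900-00001 httpd: constructed placeholder entry
'

# cve_fixed_in CVE-ID
#   Reads an RPM changelog on stdin and prints the first (newest) package
#   release whose entry mentions the CVE.  The release is the last field of
#   the "* <date> <packager> - <version>-<release>" header line.  Prints
#   nothing and exits 1 when the CVE does not appear, i.e. the backport is
#   not in the installed package and the errata should be checked instead.
cve_fixed_in() {
    awk -v cve="$1" '
        /^\* /  { release = $NF; next }
        release != "" && $0 ~ ("(^|[^0-9])" cve "([^0-9]|$)") {
            print release; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    '
}

# cves_in_release VERSION-RELEASE
#   Lists every CVE identifier mentioned under the changelog entry for the
#   given release, one per line: useful for a triage sheet recording what a
#   package update actually closed.
cves_in_release() {
    awk -v rel="$1" '
        /^\* / { current = $NF; next }
        current == rel {
            line = $0
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                print substr(line, RSTART, RLENGTH)
                line = substr(line, RSTART + RLENGTH)
            }
        }
    '
}

# Demonstration on the constructed sample (CVE-1900-00002 is a placeholder
# that is deliberately absent, to show the "not listed" path).
for cve in CVE-2022-30556 CVE-1900-00002; do
    if rel=$(printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fixed_in "$cve"); then
        echo "$cve: fixed in release $rel"
    else
        echo "$cve: not listed in changelog, check https://errata.rockylinux.org"
    fi
done
echo "CVEs closed by 2.4.53-7:"
printf '%s\n' "$SAMPLE_CHANGELOG" | cves_in_release 2.4.53-7
```

The release-tag check matters more than the upstream version string: on a backporting distribution the `Server version` line stays at 2.4.53 after the fix lands, so comparing it against the upstream 2.4.54 announcement says nothing about whether the CVE is still open on the host.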

Many thanks for the reply. As long as it is fixed in 2.4.53-7.el9, no upgrades are required. I was not aware of the backports that you mentioned. Thank you!!!

2 Likes

We are also working on getting Errata information into Rocky Linux 9. That should happen in Q1 of this year… That way you’ll be able to query with DNF for specific CVEs, as well as search for them on https://errata.rockylinux.org. I will be doing a series of blog posts leading up to the Rocky 9 Errata feature about how we’re approaching the errata situation and what our new build system and errata tool means for Rocky long term.

3 Likes

Hi @neil

Will this Errata information be available for Rocky Linux 8? We don't have any plan to migrate to 9 for at least the next 5 years.

@linuxlover from the link @neil posted, it already has Rocky Linux 8 errata information, it just doesn’t have Rocky 9 errata yet.

2 Likes

Yep @linuxlover - EL8 has Errata information and you can use e.g. dnf update --security to pull only security updates.

1 Like