Upgrading Apache to 2.4.48

by Barrington Womble -
Number of replies: 8

Dear all,

I have installed the latest version of Moodle 3.11 using a Bitnami Virtual Machine and it works really well.

I have since run a scan using Nessus and it reports that the Apache version 2.4.46 has many vulnerabilities and should be updated.

I thought this would be straightforward enough, but I was wrong!

Please could someone advise me if there is a simple command line or any other method that I can use to simply update Apache in place without needing to be a programming genius.

It's running in a VM so I am able to make checkpoints/snapshots before changes, and it isn't being used yet so I can update without affecting any users.

Many thanks

In reply to Barrington Womble

Re: Upgrading Apache to 2.4.48

by Howard Miller -
This isn't really a Moodle issue.

As you used Bitnami I would suggest that it might be a question for Bitnami.

I don't know anything about Bitnami but this is why I would use Ubuntu/CentOS etc. as they're usually really responsive to any security reports.
In reply to Barrington Womble

Re: Upgrading Apache to 2.4.48

by Ken Task -
+1 for Howard's comments.

For stack related issues, best to use Bitnami's forums.

Solution .... maybe?

https://community.bitnami.com/t/is-there-a-way-to-update-php-and-apache-in-bitnami-community-amis-without-migrating/72617

'SoS', Ken

In reply to Ken Task

Re: Upgrading Apache to 2.4.48

by Barrington Womble -
Thanks, I'll head over to the Bitnami Forums and see if there are any solutions.

Is anyone using Apache in their Moodles? If Apache 2.4.46 is the one built into the latest Debian, then could there be a security issue here?

Thanks
In reply to Barrington Womble

Re: Upgrading Apache to 2.4.48

by Ken Task -
Bunches of folks use Apache - but not installed and maintained by Bitnami.

Example of CentOS 7:

[root@cli]# /usr/sbin/httpd -V
Server version: Apache/2.4.6 (CentOS)

Am certain Ubuntu - any long term support version of the OS has the latest/most secure Apache available. Same for Debian.

Since Apache sits in front of Moodle PHP code, a security issue in Apache may not be controlled by any PHP code.

Sorry ... but the bitnami stack, while it was easy to install initially, is difficult to maintain ... especially when one needs only an update to a part of the stack - Apache or MySQL/MariaDB/PHP.   From the link provided earlier it appears using Bitnami one has to update the entire stack to get a fix for any of the parts.

That's why it's best to use native package managers ... Bitnami cannot.

'SoS', Ken

Average of ratings: Useful (2)
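
Added example, not written by any poster in this thread: a small shell triage of the `Server version` banner that `httpd -V` prints, compared against the 2.4.48 release named in the thread title. It assumes that a distro tag such as `(CentOS)` marks a vendor-maintained package, where security fixes can be backported without the upstream version number changing, so a low number there calls for a look at the package changelog rather than an automatic fail; the tag list and verdict names are illustrative.

```shell
#!/bin/sh
# Added example: triage an Apache "Server version" banner against a required release.

# ver_ge A B: succeed if dotted version A >= B, comparing each field numerically
# (so 2.4.6 sorts below 2.4.48, which a plain string comparison gets wrong).
ver_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# triage_banner BANNER REQUIRED: print one verdict
#   ok         version meets the requirement
#   outdated   generic build below the requirement
#   check-pkg  distro-tagged build below the requirement; the vendor may have
#              backported fixes, so check the package changelog and advisories
#   unparsed   no "Server version: Apache/x.y.z" line found
triage_banner() {
    ver=$(printf '%s\n' "$1" | sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p')
    tag=$(printf '%s\n' "$1" | sed -n 's|^Server version: Apache/[0-9.]* *(\([^)]*\)).*|\1|p')
    if [ -z "$ver" ]; then echo unparsed; return 0; fi
    if ver_ge "$ver" "$2"; then echo ok; return 0; fi
    case $tag in
        CentOS|"Red Hat"*|Ubuntu|Debian) echo check-pkg ;;   # assumed tag list
        *) echo outdated ;;
    esac
}

REQUIRED=2.4.48   # release named in the thread title
# First banner is the one quoted above; the other two are constructed samples.
for banner in 'Server version: Apache/2.4.6 (CentOS)' \
              'Server version: Apache/2.4.46 (Unix)' \
              'Server version: Apache/2.4.48 (Unix)'; do
    printf '%-40s %s\n' "$banner" "$(triage_banner "$banner" "$REQUIRED")"
done
```

On a live host the banner can be supplied directly, for example `triage_banner "$(/usr/sbin/httpd -V)" 2.4.48`.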
In reply to Barrington Womble

Re: Upgrading Apache to 2.4.48

by Howard Miller -
2.4.6 on production boxes
2.4.48 on my dev boxes
blah blah

Don't take this the wrong way - but do you have sufficient expertise to ensure that all aspects of your server are acceptably 'secure' or did you just run one of these annoying security scans? My point is that systems are as secure as their weakest link and that's almost always the sysadmin ;-)
In reply to Howard Miller

Re: Upgrading Apache to 2.4.48

by Barrington Womble -
I just run annoying security scans and ask questions on forums rather than bothering to google anything for myself.
Just an IT Support person, doing what I'm told.

Thanks for all your helpful feedback. Bitnami have released a new update which includes the Apache 2.4.48 update due to the security issues.

The Bitnami stacks are fully updateable, it's just the Apache updating I was having difficulty with, and I couldn't find any clear examples of how to update Apache safely.
I knew mentioning Bitnami was a mistake, saw this coming!

Just for reference, the Nessus scans are now mandatory for UK education establishments to pass the Cyber Security Essentials which has a bearing on funding in the future, and a service that is exposed to the internet has to have no critical security risks. Sadly Apache 2.4.46 does.

https://www.tenable.com/plugins/nessus/139574
In reply to Barrington Womble

Re: Upgrading Apache to 2.4.48

by Howard Miller -
"I knew mentioning Bitnami was a mistake, saw this coming!"

There's hope for you yet then....

JOKING!! :D :D

All I said was that I didn't know anything about Bitnami. I don't. I only tried it once and couldn't get anything to work. In my defence we get tickets every other day, "I ran security scan software xyz and it said that....". You'll excuse us, I hope, if it gets a bit frustrating. 
In reply to Barrington Womble

Re: Upgrading Apache to 2.4.48

by Ken Task -
Have a suggestion for ya ... in your 'spare time' (if you are really curious to explore native build vs something like Bitnami) ...

Crank up a Ubuntu LTS 20.x minimal and build ... PHP, MySQL, Apache/Nginx box. Use git to install and maintain the Moodle.

Here's where you might finally conclude ...

Bitnami easy to get up and running.

Not so good to update when needed ... that includes Moodle code.

Build your own ... native ... a little more trouble to get up and running (but not rocket science), but since you built ... you know that server.  In the long run, a box you build is best ... from your perspective!

Interchangeable parts ... assembly line ... those have been around a long time ... still with us!   Is there any wonder why?

My 'ancient' 2 cents and suggestion!

'SoS', Ken

Average of ratings: Useful (1)