Need to upgrade apache2 and php5 for security reasons

Stephan Hermann sh at sourcecode.de
Tue Jul 1 19:36:25 BST 2008


Good Evening Scott, Chris and all,
On Tue, 1 Jul 2008 10:06:21 -0400
Scott Kitterman <ubuntu at kitterman.com> wrote:

> On Monday 30 June 2008 10:52, Christian Desrochers wrote:
> > Hi all,
> >
> > Our web servers have been checked recently by an external security
> > firm. We have been told that our web servers need to be upgraded to
> > the latest version in order to fix some security issues.

Yes, that's normal, because those companies are sometimes stupid,
and wasting customer's money. Actually, what you want is something
like this in your production apache conf:

ServerSignature Off
ServerTokens Prod

First, ServerSignature Off disables all apache generated footer
signatures (e.g. when you have only a DirectoryListing)
Second, ServerTokens Prod gives the requester nothing like:

Server: Apache

in your server http response header.
Most companies who are doing those checks (let me guess, you need a
verification for credit card handling? ;)) are now very puzzled, and
telling you: "well, we can't determine your version...which is bad for
us, but good for you".

Another way to secure yourself is mod_security.
http://www.onlamp.com/pub/a/apache/2003/11/26/mod_security.html


> >
> > I know that I can download and compile these programs myself, but
> > for future updates, it becomes complicated since we have lots of
> > servers...
> >
> > Currently, for Gutsy, the version of Apache is 2.2.4-3ubuntu0.1 and
> > PHP is PHP5.2.3-1ubuntu6.3.
> >
> > Any ideas on how to softly upgrade those two packages?

Yes, dapper should be updated to the latest security patch, whatever is
not patched, please inform us via launchpad.net/ubuntu/+source/apache2
and file a security bug. Try to upgrade from gutsy to hardy if you can,
if not, stay up2date via -security for gutsy, until gutsy is EoL.

> Did this external security firm check to see what security fixes have
> been added to those releases or did they just look at version
> numbers?  

They don't do that...it's a "formal" request check...what is your
apache giving us, do you have tls+smtp auth+bla enabled on your smtp
server, do you support sslv3 or simple sslv2...blabla...
Waste of money but necessary for people who are in need of those
checks. Some CreditCard clearance companies want to have those reports.

Regards,

\sh
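As an added example (not code from the original post, from Apache or from Ubuntu), here is a small checker for the disclosure that the ServerSignature Off / ServerTokens Prod settings above are meant to suppress. It inspects a raw HTTP response for version tokens in the Server and X-Powered-By headers and for an Apache-style signature footer in the body. The two sample responses are constructed for the example, not captured from a real server, and the footer pattern is assumed to be the usual <address>...</address> block.

```python
"""
Added example (not code from the original post or from Apache): a small
checker for the disclosure that the post's ServerSignature Off /
ServerTokens Prod settings are meant to suppress. It inspects a raw HTTP
response for version tokens in the Server and X-Powered-By headers and for
an Apache-style signature footer in the body. Sample responses are
constructed here, not captured from a real server.
"""
import re

# A product token carrying a version, e.g. "Apache/2.2.4" or "PHP/5.2.3".
VERSION_TOKEN = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)*")
# The footer Apache emits when ServerSignature is On (assumed pattern:
# the usual <address>...</address> block on error and index pages).
SIGNATURE = re.compile(r"<address>(.*?)</address>", re.IGNORECASE | re.DOTALL)


def split_response(raw: str):
    """Split a raw HTTP response into (headers dict, body string)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def server_disclosure(raw: str) -> dict:
    """Report what a response reveals about the server software."""
    headers, body = split_response(raw)
    tokens = []
    for name in ("server", "x-powered-by"):
        tokens += VERSION_TOKEN.findall(headers.get(name, ""))
    signature = SIGNATURE.search(body)
    footer = signature.group(1).strip() if signature else ""
    return {
        "server": headers.get("server", ""),
        "version_tokens": tokens,
        "signature": footer,
        # Leaks if any header carries a version or the footer names one.
        "leaks_version": bool(tokens) or bool(VERSION_TOKEN.search(footer)),
    }


# Constructed sample: default settings that advertise versions in the
# Server header and in the generated page footer.
VERBOSE_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1>"
    "<address>Apache/2.2.4 (Ubuntu) Server at www.example.test Port 80</address>"
    "</body></html>"
)

# Constructed sample: the same page with ServerTokens Prod and
# ServerSignature Off in effect.
HARDENED_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>"
)

if __name__ == "__main__":
    for label, resp in (("verbose", VERBOSE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, server_disclosure(resp))
```

Running the script prints a report for each constructed response: the verbose one is flagged with the Apache and PHP version tokens and the footer text, the hardened one reports only "Apache" and no leak. Feeding it a response captured with curl -i from your own server is a quick way to confirm the two directives took effect after a reload.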