Need to upgrade apache2 and php5 for security reasons

Darren Albers dalbers at gmail.com
Tue Jul 1 21:10:35 BST 2008


On Mon, Jun 30, 2008 at 10:52 AM, Christian Desrochers
<zechris at gmail.com> wrote:
> Hi all,
>
> Our web servers have been checked recently by an external security firm. We
> have been told that our web servers need to be upgraded to the latest
> version in order to fix some security issues.
>
> Security updates are applied every week on our servers. If I want to upgrade
> Apache to version 2.2.9 and PHP to 5.2.6, how do I proceed if my servers are
> already up to date and if there is nothing to upgrade, even when I use the
> backports repository? I have both dapper and gutsy systems.
>
> I know that I can download and compile these programs myself, but for future
> updates, it becomes complicated since we have lots of servers...
>
> Currently, for Gutsy, the version of Apache is 2.2.4-3ubuntu0.1 and PHP is
> PHP5.2.3-1ubuntu6.3.
>
> Any ideas on how to softly upgrade those two packages?
>
> Thanks,
>
> Chris

Christian,

As an Information Security Manager for a Fortune 200, let me throw in
with the chorus of people telling you the same thing:
They are reading the banner only, and their report should include the
caveat that they were reading the banner only and you should validate
that your vendor is backporting fixes.

With most Open Source vendors an application version is frozen and
security fixes are backported. This allows customers to have a
stable platform knowing that nothing will change except security
patches. You should look at the CVE numbers in the report and
validate that those fixes have been applied to the Ubuntu packages in
question. You can download the package changelog to confirm this.

Thanks!
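
The changelog check described in the message above, as an added example that is not part of the original e-mail: it parses a Debian-format package changelog and reports, for each CVE in a scan report, the package version whose entry mentions it. The changelog text, the maintainer, the 2.2.4-3 entry and the CVE ids are constructed placeholders; `cves_by_version` and `audit` are hypothetical names.

```python
import re

# Constructed sample in Debian changelog layout (newest entry first).
# The CVE ids are placeholders, not real advisories.
SAMPLE_CHANGELOG = """\
apache2 (2.2.4-3ubuntu0.1) gutsy-security; urgency=low

  * SECURITY UPDATE: placeholder issue one
    - CVE-0000-0001
  * SECURITY UPDATE: placeholder issue two (cve-0000-0002)

 -- Example Maintainer <maint@example.com>  Tue, 01 Jan 2008 00:00:00 +0000

apache2 (2.2.4-3) unstable; urgency=low

  * Placeholder non-security change.

 -- Example Maintainer <maint@example.com>  Mon, 01 Jan 2007 00:00:00 +0000
"""

# An entry header starts in column 0: "package (version) distribution; ..."
HEADER = re.compile(r"^(\S+) \(([^)]+)\) ([^;]+);", re.M)
CVE = re.compile(r"CVE-\d{4}-\d{4,}", re.I)

def cves_by_version(changelog):
    """Map each CVE id to the oldest package version whose entry mentions it."""
    fixed = {}
    headers = list(HEADER.finditer(changelog))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(changelog)
        for cve in CVE.findall(changelog[h.end():end]):
            # Entries run newest to oldest, so the last write is the oldest.
            fixed[cve.upper()] = h.group(2)
    return fixed

def audit(report_cves, changelog):
    """Return {cve: version or None}. None means the changelog never mentions
    the id, so that finding still needs a manual check with the vendor."""
    fixed = cves_by_version(changelog)
    return {cve: fixed.get(cve.upper()) for cve in report_cves}

if __name__ == "__main__":
    report = ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"]  # constructed
    for cve, version in audit(report, SAMPLE_CHANGELOG).items():
        print(cve, "->", version or "not mentioned, verify manually")
```

On a Debian or Ubuntu host the installed package's changelog is normally at /usr/share/doc/<package>/changelog.Debian.gz and can be decompressed and passed to `audit` in place of the sample.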


