Apache Vulnerabilities

We did a penetration test on Groupwise webaccess and it came back with about 20 Apache vulnerabilities!

The recommended solution is to update Apache to the latest version, can I just use Yast to do this?

Thanks
  • fgams;2279843 wrote:
    We did a penetration test on Groupwise webaccess and it came back with about 20 Apache vulnerabilities!

    The recommended solution is to update Apache to the latest version, can I just use Yast to do this?

    Thanks


    What OS are you running?

    Generally speaking using Yast to apply latest updates will not break anything in my experience. However, you will want to read the release notes for whatever version of 2012 you have installed to make sure its a supported platform. Its also good to be upfront with salient details when you post to reduce the cycle time.

    -- Bob
  • Bob-O-Rama;2279851 wrote:
    What OS are you running?


    Sorry Bob, can't imagine anyone running anything other than OES11. ;) I'm runnning Groupwise 2012 on OES11.

    I was thinking of using "zypper up apache2" at the command prompt, but I'm not sure if GW Webaccess has a custom setup of Apache.

    Thanks!
  • just a couple of config files and an apache app as far as I know

    i've done server patching and even entire server updates from oes2 to oes11 without any adverse effects on webacc

    if it's installed on a supported OS platform then it shouldn't cause any issues at all, just bear in mind if you have modified any of the apache config files yourself they might get replaced by new ones from the rpm (the old ones should be renamed .rpmsave anyway though)

    and if you mean OES11 as in OES11 SP0, it's time to put SP1 on the box :)
  • fgams;2279861 wrote:
    Sorry Bob, can't imagine anyone running anything other than OES11. ;) I'm runnning Groupwise 2012 on OES11.

    I was thinking of using "zypper up apache2" at the command prompt, but I'm not sure if GW Webaccess has a custom setup of Apache.

    Thanks!


    Placing updates should not interfere with the configuration files. Instead of only updating the Apache parts, I'd recommend to apply updates for the whole system.

    When using zypper and having OES ontop of SLES, the correct procedure is to run "zypper up -t patch"

    I prefer running the Online Updater in the YaST GUI as conflict messages (if you run in to them) are easier to read/manage imo.

    Cheers,
    Willem
  • fgams;2279861 wrote:
    Sorry Bob, can't imagine anyone running anything other than OES11. ;) I'm runnning Groupwise 2012 on OES11.

    I was thinking of using "zypper up apache2" at the command prompt, but I'm not sure if GW Webaccess has a custom setup of Apache.

    Thanks!


    Placing updates should not interfere with the configuration files. Instead of only updating the Apache parts, I'd recommend to apply updates for the whole system.

    When using zypper and having OES ontop of SLES, the correct procedure is to run "zypper up -t patch"

    I prefer running the Online Updater in the YaST GUI as conflict messages (if you run in to them) are easier to read/manage imo.

    Cheers,
    Willem
  • magic31;2279886 wrote:

    When using zypper and having OES ontop of SLES, the correct procedure is to run "zypper up -t patch"


    Thank you guys. Will do a full backup first.

    I am running OES11 SP0. This probably isn't the forum for it, but I'm confused about the SP1 install. I've seen patches for OES11 that prevent an auto update to SLES11 SP2, what's that about?

    So I've been gun shy about applying SP1, fearing it would screw something up.

    Wish Novell would have a more detailed explanation of the patching sequence and why!

    Thanks again.
  • On 30/08/2013 05:36, fgams wrote:

    > I am running OES11 SP0. This probably isn't the forum for it, but I'm
    > confused about the SP1 install. I've seen patches for OES11 that prevent
    > an auto update to SLES11 SP2, what's that about?


    That will be to stop you upgrading the underlying SLES11 SP1 on an OES11
    (SP0) server to SLES11 SP2 without also upgrading OES11 (SP0) to OES11
    SP1. OES11 (SP0) on SLES11 SP2 is not a valid or supported combo and you
    have to upgrade both SLES and OES together.

    > Wish Novell would have a more detailed explanation of the patching
    > sequence and why!


    HTH.
    --
    Simon
    Novell Knowledge Partner

    ------------------------------------------------------------------------
    Do you work with Novell technologies at a university, college or school?
    If so, your campus could benefit from joining the Technology Transfer
    Partner (TTP) program. See novell.com/ttp for more details.
    ------------------------------------------------------------------------
  • On 29/08/2013 16:49, fgams wrote:

    > Sorry Bob, can't imagine anyone running anything other than OES11. ;)
    > I'm runnning Groupwise 2012 on OES11.


    Since you've said you're using OES11 (SP0) I'll note that latest version
    of GroupWise 2012 is GroupWise 2012 SP2.

    > I was thinking of using "zypper up apache2" at the command prompt, but
    > I'm not sure if GW Webaccess has a custom setup of Apache.


    Well if there Apache patches available in the SLES11-SP1-Updates catalog
    that will will update Apache.

    You should also note that depending on how the penetration test
    determined there were Apache vulnerabilities with your GW WebAccess
    server it may be that it will still think there are some even after
    updating OES11 and/or GW2012.

    The reason for this will be because some penetration tests check version
    strings and believe them without probing further. SUSE will backport
    security fixes for later software packages into known stable earlier
    versions so the version appears to be old (and therefore considered
    vulnerable) but the fix is in place.

    One way to "fix" this with Apache is to not report the Apache version -
    you can do this by setting APACHE_SERVERTOKENS in /etc/sysconfig/apache2
    to ProductOnly, Major, or Minor. See
    http://httpd.apache.org/docs/2.2/mod/core.html#servertokens for what
    each of those will report.

    HTH.
    --
    Simon
    Novell Knowledge Partner

    ------------------------------------------------------------------------
    Do you work with Novell technologies at a university, college or school?
    If so, your campus could benefit from joining the Technology Transfer
    Partner (TTP) program. See novell.com/ttp for more details.
    ------------------------------------------------------------------------
  • fgams;2280731 wrote:
    Now that's helpful, Thanks!


    Feedback is important (both negative and positive) and always appreciated. In the past we have we have not actively solicited feedback from the Community and left it up to individual Members to provide feedback (as you did in your post) when they saw fit... but this is changing.

    When you, or anyone for that matter, see a post you find particularly helpful you can show your appreciation by clicking on the star below the post. You can optionally leave a brief comment which is always appreciated but it is not necessary.

    Clicking on the star assigns reputation points to the poster but more importantly it identifies those posts you find most helpful and notifies both the poster and website administrators. Our goal is to improve the way we support the Community by providing the type of information you find most useful. For that to happen, Members' feedback is essential!

    Thank you.