Upgrade Apache from 2.2 to 2.4 on SLES11 SP4

SUSE Linux Enterprise Server SLES Configure-Administer
1

Hi.
On a SLES11 SP4 we’ve got Apache 2.2.34 installed. All its web sites work fine but as Apache 2.2 reached end of live on Jan2018 (as it can be read on https://httpd.apache.org/), which means that no security patches are published anymore, is it absolutely necessary to upgrade to Apache 2.4? And as Apache 2.4 is unsupported by SUSE on SLES11 SP4 anyway, would upgrading to Apache 2.4 really make the server more secure?
Basically, what is your expert advice? What should be the best action to be taken in this situation?
Many Thanks.

2

On 08/05/18 11:44, lcastello wrote:
[color=blue]

On a SLES11 SP4 we’ve got Apache 2.2.34 installed. All its web sites
work fine but as Apache 2.2 reached end of live on Jan2018 (as it can be
read on https://httpd.apache.org/), which means that no security patches
are published anymore, is it absolutely necessary to upgrade to Apache
2.4? And as Apache 2.4 is unsupported by SUSE on SLES11 SP4 anyway,
would upgrading to Apache 2.4 really make the server more secure?
Basically, what is your expert advice? What should be the best action to
be taken in this situation?[/color]

The first thing to note is that whilst SLES11 SP4 is limited to Apache
2.2.x that doesn’t mean it has the same vulnerabilities as Apache 2.2.x
as SUSE backport fixes from later versions of Apache.

That being said if you are concerned about the version of Apache you’re
running then you can upgrade although it seems the only supported option
(by SUSE) is to upgrade/migrate your server to SLES12 SPn to get Apache
2.4.x.

If you want Apache 2.4.x on SLES11 SP4 you can install Apache 2.4.33
from the openSUSE Build Service
https://build.opensuse.org/package/show/Apache/apache2 but it would
unsupported by SUSE.

Personally I would either stick with Apache 2.2.x on SLES11 SP4 (making
sure server is fully updated, not just with Apache updates) or migrate
to Apache 2.4.x on SLES12 SP3. For production I wouldn’t upgrade/replace
Apache 2.2.x with 2.4.x, from either the openSUSE Build Service or some
other way.

HTH.

Simon
SUSE Knowledge Partner

If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.

3

Hi Simon.
I very much appreciate your reply. It is extremely helpful. As we don’t need any specific feature from Apache 2.4 we, most likely, should stick with Apache 2.2 on SLES 11 SP4.
Your reply though, raises a couple of more questions:

  • Regarding the backport fixes, does that mean that Apache 2.2.x can get security fixes from even Apache 2.4.x thanks to the SLES 11 SP4 backport?
  • And will these backport fixes come throught the standard repositories SLES11-SP4-Pool and SLES11-SP4-Updates, or some extra repository needs adding to my repo list in order to get the backport fixes? In other words, are these two default repos enough to keep the server fully updated?
    Many thanks again.
    Luis
4

On 09/05/18 12:44, lcastello wrote:
[color=blue]

I very much appreciate your reply. It is extremely helpful. As we don’t
need any specific feature from Apache 2.4 we, most likely, should stick
with Apache 2.2 on SLES 11 SP4.
Your reply though, raises a couple of more questions:

  • Regarding the backport fixes, does that mean that Apache 2.2.x can get
    security fixes from even Apache 2.4.x thanks to the SLES 11 SP4
    backport?[/color]

Depending on the nature of the issue and/or fix yes it’s possible for
SUSE’s Apache 2.2.x for SLES11 SP4 to include a fix from Apache 2.4.x.
[color=blue]

  • And will these backport fixes come throught the standard repositories
    SLES11-SP4-Pool and SLES11-SP4-Updates, or some extra repository needs
    adding to my repo list in order to get the backport fixes? In other
    words, are these two default repos enough to keep the server fully
    updated?[/color]

So long as your server has access to the two SLES11-SP4-Pool and
-Updates repos it should receive any updates. This means your server
will need to be registered, either directly to Novell (Micro Focus)/SUSE
Customer Center (NCC/SCC) or a local SUSE Manager or SMT server.

HTH.

Simon
SUSE Knowledge Partner

If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.

5

Hi Simon.
Excellent answer with very valuable content. Thanks for teaching me about the backporting on SLES, which I had no idea before! :wink:
Luis