AIX Open Source

  • 1.  Need Apache httpd 2.4.62

    Posted Tue July 23, 2024 09:55 AM

    Although Apache httpd was just recently updated to version 2.4.61 in the AIX Toolbox, there is already a new 2.4.62 version to fix multiple vulnerabilities that has been rated a "Medium" severity by Tenable Nessus.  Please make Apache httpd 2.4.62 (or later) available at your earliest opportunity.

    Thank you!



    ------------------------------
    Roger Weaver
    ------------------------------


  • 2.  RE: Need Apache httpd 2.4.62

    Posted Tue July 30, 2024 11:36 PM

    Hi Roger - I checked with the team late last week; this should be getting published very soon.



    ------------------------------
    Jan Harris
    AIX Development Support (Liaison to the AIX Toolbox for Open Source)
    IBM (Contract)
    Austin
    ------------------------------



  • 3.  RE: Need Apache httpd 2.4.62

    Posted Thu August 01, 2024 03:12 AM

    Httpd 2.4.62 is now available in AIX Toolbox. 

    You can use DNF to update to this version from the AIX Toolbox repository.



    ------------------------------
    RESHMA KUMAR
    ------------------------------



  • 4.  RE: Need Apache httpd 2.4.62

    Posted Fri October 04, 2024 11:15 AM
    Edited by Scott Gruber Fri October 04, 2024 11:22 AM

    Hi Reshma,

    Our security department is flagging Apache SSL as vulnerable. Tenable is expecting openssl 1.1.1za in their scans, but they are getting openssl 1.1.1y

    From Nessus : 

    Nessus Plugin ID: 201084

    Nessus Plugin Name: OpenSSL 1.1.1<1.1.1za Vulnerability

    Latest CVE (if applicable): CVE-2024-5535

    We have the ifix in place :

    ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
    === ===== ========== ================= ========== ======================================
    1    S    3013sa     08/22/24 15:26:00            ifix for openssl july CVEs

    However curl is reporting :

     curl : Apache reports for HTTP       : Server: Apache/2.4.62 (Unix) OpenSSL/1.1.1y

     curl : Apache reports for HTTPS     : Server: Apache/2.4.62 (Unix) OpenSSL/1.1.1y

    When is httpd/mod_ssl anticipated to be updated or does the ifix in place fix this vulnerability ?

    Our OS level is :  7300-02-02-2420

    Thanks



    ------------------------------
    Scott Gruber
    ------------------------------



  • 5.  RE: Need Apache httpd 2.4.62

    Posted Thu October 10, 2024 06:02 AM

    Hi Scott,
    Installed ifix fixes the reported CVE (CVE-2024-5535) in openssl. 
    Since httpd is dynamically linked to the openssl library, it is not required to update httpd. 



    ------------------------------
    RESHMA KUMAR
    ------------------------------
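
An added example (not from any poster in this thread, and not IBM tooling): a small shell triage for the situation in posts 4 and 5, where the Server banner still reads OpenSSL/1.1.1y while an openssl ifix is installed. It assumes listing text in the `emgr -l` layout quoted above; the function names and the abstract-matching heuristic are hypothetical.

```shell
#!/bin/sh
# Constructed sample inputs, taken from the values quoted in this thread.
SAMPLE_BANNER='Server: Apache/2.4.62 (Unix) OpenSSL/1.1.1y'
SAMPLE_EMGR='ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
=== ===== ========== ================= ========== ======================================
1    S    3013sa     08/22/24 15:26:00            ifix for openssl july CVEs'

# Print the OpenSSL version token from a Server header line (empty if absent).
banner_openssl_version() {
    printf '%s\n' "$1" | sed -n 's|.*OpenSSL/\([0-9][0-9A-Za-z.]*\).*|\1|p'
}

# Print comma-separated labels of interim fixes in state S (stable) whose
# abstract mentions openssl. $1 is text in the layout of `emgr -l`.
# Matching on the abstract is a heuristic assumed for this example.
stable_openssl_ifixes() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ && $2 == "S" && tolower($0) ~ /openssl/ {
            out = out (out == "" ? "" : ",") $3
        }
        END { print out }'
}

# Triage a banner-based finding. $1 = Server header, $2 = emgr listing.
triage_banner_finding() {
    ver=$(banner_openssl_version "$1")
    if [ -z "$ver" ]; then
        echo "no-openssl-in-banner"
        return 0
    fi
    labels=$(stable_openssl_ifixes "$2")
    if [ -n "$labels" ]; then
        # Banner alone cannot settle it: check the ifix's CVE coverage.
        echo "ifix-present:$labels banner:$ver"
    else
        echo "no-ifix banner:$ver"
    fi
}

triage_banner_finding "$SAMPLE_BANNER" "$SAMPLE_EMGR"
```

On a live system, pass the output of `emgr -l` and the Server line from `curl -sI`; an ifix-present result means the scanner's version-string match has to be judged against the ifix's advisory rather than the banner.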



  • 6.  RE: Need Apache httpd 2.4.62

    Posted 21 days ago

    Hello Reshma,

    I compile Apache HTTP Server packages for my customer.
    So far I have been successful in compiling all previous versions of Apache HTTP Server on Linuxes (Redhats and SuSE only) and AIX 7.1 and 7.2 prior to 2.4.59 using both gcc (Linuxes) or XLC++ compilers (on AIX).

    I'm currently facing an issue with "make install" of httpd failing.
    Please see some of the BUILD output below of the successful compilation of version 2.4.58 compared to the current problematic compilation of version 2.4.62.

    Here is my BUILD log output from a previous compile, which was successful for version 2.4.58 using XLC++ compiler version 16.1.0.
    I am providing the section showing the error.
    Both versions are compiled with Openssl version 3.1.0 (which I compiled separately)
    AIX 7.1 => oslevel -s : 7100-05-12-2320 
    AIX 7.1 => oslevel -s : 7200-05-08-2420
    .....................
    Making install in worker
    make[3]: Entering directory '/tmp/build_apache_24/httpd-2.4.58/server/mpm/worker'
    make[4]: Entering directory '/tmp/build_apache_24/httpd-2.4.58/server/mpm/worker'
    mkdir /applications/apache/2.4.58.0/modules
    rm -f /applications/apache/2.4.58.0/modules/mod_mpm_worker.so
    /applications/apache/2.4.58.0/apr-1/build/libtool --silent --mode=install install mod_mpm_worker.la /applications/apache/2.4.58.0/modules/
    make[4]: Leaving directory '/tmp/build_apache_24/httpd-2.4.58/server/mpm/worker'
    make[3]: Leaving directory '/tmp/build_apache_24/httpd-2.4.58/server/mpm/worker'
    Making install in prefork
    ............
    And here is the current BUILD log from version 2.4.62, currently failing at "make install" using XLC++ compiler version 16.1.0:
    ...................
    Making install in worker
    make[3]: Entering directory '/tmp/build_apache_24/httpd-2.4.62/server/mpm/worker'
    make[4]: Entering directory '/tmp/build_apache_24/httpd-2.4.62/server/mpm/worker'
    mkdir /applications/apache/2.4.62.0/modules
    rm -f /applications/apache/2.4.62.0/modules/mod_mpm_worker.so
    /applications/apache/2.4.62.0/apr-1/build/libtool --silent --mode=install install mod_mpm_worker.la /applications/apache/2.4.62.0/modules/
    find: bad status-- /applications/apache/2.4.62.0/modules/mod_mpm_worker.so
    install: File mod_mpm_worker.so was not found.
    .......................

    Any idea if there may be an export of some path I'm missing here, which is causing the "find: bad status-- "?


    Could you please share the list of all your AIX Toolbox components from the system(s) where your package for Apache HTTP Server version 2.4.62 was compiled?
    The outputs of rpm -qa and oslevel would do.

    FYI:
    I also found some solutions like:
    https://community.spiceworks.com/t/apache-httpd-server-installation-issue/837130/3
    and more.
    I also invested some time in trying the option:
    --enable-layout=BLFS
    but it was fruitless.

    Thanks
    Regards
    Joey



    ------------------------------
    Joseph Dinha
    ------------------------------



  • 7.  RE: Need Apache httpd 2.4.62

    Posted 18 days ago

    Can you check whether mod_mpm_worker.so is created? It is present in <build_dir>/httpd-2.4.62/server/mpm/worker/.libs path in our case.
    Following are the requested outputs.
    # oslevel -s
    7100-04-01-1543
    Attaching rpm -qa output.
    You can also refer to the latest spec file from the Toolbox: https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/SPECS/httpd-2.4.62-1.spec



    ------------------------------
    RESHMA KUMAR
    ------------------------------

    Attachment(s): rpm_qa_out.txt (10 KB)