Apache httpd 2.4.58-1 with brotli compression library from Google, TLS 1.3, http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS 7/8, Alma Linux 8/9, Rocky Linux 8/9 added to repository. mod_http2 2.0.13 and mod_ssl are built dynamically against OpenSSL 3.0.11.
We build OpenSSL+QUIC 3.0.11 separately since v2.4.56-2, installing it separately to /lib64 with .so.81.3 suffix to ensure it won’t interfere with your system libraries. You can safely delete openssl111* packages. On EL8 and EL9 please enable httpd module:
dnf module enable httpd:codeit
Since 2.4.33 we have included the brotli compression library. Since the 2.4.35 release we have built Apache httpd against OpenSSL 1.1.1*. Since the 2.4.37 release the final TLS 1.3 version (not to be confused with any draft versions) is supported and enabled by default. Please note that the final TLS 1.3 version is supported in Chrome 70+ and Mozilla Firefox 63+. brotli support is already included in the base RPM file. All you need is to add filters like
AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript
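As an added example (not part of the codeit repository or its documentation), here is a minimal TLS virtual host that ties together the three features of this build: TLS 1.3 via mod_ssl, HTTP/2 via mod_http2, and brotli output compression via mod_brotli with a deflate fallback for clients that do not advertise "br". The hostname and certificate paths are placeholders; on EL systems the LoadModule lines live in /etc/httpd/conf.modules.d/ and are assumed to be present already.

```apache
# Added example, not the repository's own configuration.
# Assumes mod_ssl, mod_http2, mod_brotli, mod_deflate and mod_headers
# are already loaded from /etc/httpd/conf.modules.d/.

Listen 443 https

<VirtualHost *:443>
    # placeholder hostname and certificate paths
    ServerName www.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/example.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.key
    # TLS 1.3 is already on by default in this build; this line only
    # removes the legacy protocol versions from the allowed set
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Negotiate HTTP/2 over ALPN, fall back to HTTP/1.1
    Protocols h2 http/1.1

    # Brotli first, deflate second: mod_brotli drops out of the chain when
    # the client does not accept "br", and mod_deflate skips responses that
    # already carry a Content-Encoding, so each response is compressed once.
    <IfModule mod_brotli.c>
        <IfModule mod_deflate.c>
            AddOutputFilterByType BROTLI_COMPRESS;DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/json image/svg+xml
        </IfModule>
        # quality 0-11; 5 is the module default and a sensible on-the-fly setting
        BrotliCompressionQuality 5
        # expose in/out sizes and the ratio to the access log via %{brotli_ratio}n
        BrotliFilterNote Input  brotli_in
        BrotliFilterNote Output brotli_out
        BrotliFilterNote Ratio  brotli_ratio
    </IfModule>

    # Tell shared caches that the body depends on Accept-Encoding
    <IfModule mod_headers.c>
        Header append Vary Accept-Encoding
    </IfModule>
</VirtualHost>
```

Run "httpd -t" after adding the block to check the syntax, then confirm the negotiated protocol and encoding from a client with "curl -sI --http2 --compressed https://www.example.com/" (look for "HTTP/2 200" and "content-encoding: br").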
Hello dear,
Recently I downloaded the Apache package with version (Server version: Apache/2.4.58 (codeit)) from your repository, but we have an issue with (suexec): when we scan the server that runs httpd it shows this vulnerability:
------------------------------------------------------------
The remote host appears to be running Apache and is potentially
affected by the following vulnerabilities:
— Multiple race conditions exist in suexec between the
validation and usage of directories and files. Under
certain conditions local users are able to escalate
privileges and execute arbitrary code through the
renaming of directories or symlink attacks.
(CVE-2007-1741)
— Apache’s suexec module only performs partial
comparisons on paths, which could result in privilege
escalation. (CVE-2007-1742)
— Apache’s suexec module does not properly verify user
and group IDs on the command line. When the ‘/proc’
filesystem is mounted, a local user can utilize suexec
to escalate privileges. (CVE-2007-1743)
Note that this plugin only checks for the presence of Apache, and does
not actually check the configuration.
------------------------------------------------------------
I tried to delete /usr/sbin/suexec and restart httpd service but that does not work.
So please we need your support to disable suexec from server.
Thanks,
Hello Abdullah,
The message you receive clearly shows that the vulnerability test was not able to get the Apache httpd version and says «potentially affected» by 3 vulnerabilities from 2007 that were fixed 17 years ago.
Please do not delete suexec, as this scanner never tested it; it's a potential warning.
At the same time you have 3 known CVEs in 2.4.58, please update to 2.4.59.