In order to pass Trustwave PCI Compliance, I need to upgrade Apache to at least 2.4.14. Is there an `IspConfig3` way of doing it? Or should I just compile it from source? Is it recommended to uninstall Apache2 using apt before compiling from source if I have to go that route?
Probably depends a lot on what OS you're running / how you installed the current Apache. E.g. on Debian you'd likely have Apache 2.2 because you're running an old release (e.g. squeeze), so simply update to the current version (jessie) and you'd have 2.4 without any extra effort. If however you compiled/installed Apache from source in the first place, then that's likely how you'd go about updating it as well. I would guess (though haven't done this) that it doesn't matter if you have an older version installed while you compile the new version; it would matter when you go to install the new version, i.e. make sure all old libraries/modules/everything is cleaned up, config file paths/contents updated, etc. I'm sure a little searching on Google would find some specific direction here.
Hey Jesse, I installed based mostly off the Perfect Server Debian 8 Jessie tutorial - this installs 2.4.10 -- but I think the issues are fixed (mod_lua vulnerabilities and other issues) in 2.4.14. I can't wait for the repos to catch up, my bank charges me fees for not being in compliance. I have installed Apache from source many times before, but not over the top of an apt install. I don't know, when they do catch up, if they will overwrite my files and cause things to go down.
Looks like jessie-backports doesn't have it. If it were me, I'd probably look at taking the Debian package source and just updating the Apache version in that, so you still install from a package; or maybe switch to Ubuntu 16.04 (https://launchpad.net/ubuntu/xenial/+source/apache2)
You know what, Debian has patched these issues. I just have to dispute their findings with proof that I am using patched versions... For example: https://security-tracker.debian.org/tracker/CVE-2014-8109 Thanks for the help
I was already surprised that Debian had not patched these issues. I guess it's a common problem with PCI compliance scans that they don't take into account that Linux distributions are patching software while the major software version stays the same. In my opinion, from a security standpoint, updating a server with the tools of the distribution is always better than compiling everything manually.
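As an added example (not code from anyone in this thread), a small POSIX shell helper that pulls the version from the Debian changelog stanza mentioning a given CVE, which is the kind of evidence that is useful when disputing a finding based only on the upstream version banner. The embedded changelog excerpt is constructed for the demo and its version strings, dates and maintainer are placeholders, not real Debian releases.

```shell
#!/bin/sh
# Added example: find which Debian package revision references a CVE in its
# changelog, so a back-ported fix can be shown even though the upstream
# version (e.g. 2.4.10) looks old to a scanner that only reads the banner.
# On a real Debian host the changelog comes from:
#   zcat /usr/share/doc/apache2/changelog.Debian.gz
# Below, a CONSTRUCTED excerpt is embedded so the script runs offline;
# "2.4.10-10+deb8uX", the dates and the maintainer are placeholders.
SAMPLE_CHANGELOG='apache2 (2.4.10-10+deb8uX) jessie-security; urgency=medium

  * CVE-2014-8109: mod_lua: fix handling of multiple Require directives

 -- Example Maintainer <maintainer@example.invalid>  Mon, 05 Jan 2015 00:00:00 +0000

apache2 (2.4.10-10) unstable; urgency=medium

  * New upstream release.

 -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Dec 2014 00:00:00 +0000
'

# cve_fixed_in CHANGELOG_TEXT CVE-ID
# Prints the package version of the (newest) changelog stanza that mentions
# the CVE and returns 0; prints nothing and returns 1 if no stanza does.
cve_fixed_in() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        # Stanza header: name (version) distribution; urgency=...
        /^[a-z0-9][a-z0-9.+-]* \(.*\) / { ver = $2; gsub(/[()]/, "", ver) }
        index($0, cve) && ver != "" { print ver; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# installed_version PACKAGE: the revision dpkg reports; empty if not installed.
installed_version() {
    dpkg-query -W -f '${Version}' "$1" 2>/dev/null
}

# Example run against the constructed excerpt:
#   cve_fixed_in "$SAMPLE_CHANGELOG" CVE-2014-8109   -> 2.4.10-10+deb8uX
# Compare that output with "installed_version apache2" on the real host.
```

On a live system, feed the real changelog instead of the sample and check that the revision printed is not newer than what installed_version reports.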
One more thing I'd like to add. In Monit (which is failing because of TLSv1), there is an SSL VERSION option which is in a later version than what is in 'stable'. I am able to jump ahead of the game using Backports https://wiki.debian.org/Backports.