perfSONAR User Q&A and Other Discussion

[Fernando Redigolo <>]

Christoph and Jason.

Thanks for the feedack. We are working with the Brazilian NREN to deploy 
Science DMZs at several institutions and one of the institutions' security 
team pointed out during a security audit several vulnerabilities related to 
Apache 2.2 in the perfSONAR toolkit nodes, recommending their upgrade to 
version 2.4. We were expecting that this problem had already appeared in the 
perfSONAR community and, as nobody apparently had tried that before, we 
started to investigate it further. The vulnerabilities we analyzed so far 
turned out to be false positives: RedHat backports some security patches to 
their version of Apache 2.2, without changing the version number. This is 
better explained at:  

http://crimsonfu.github.io/2013/08/06/backporting-and-scanners.html

https://access.redhat.com/site/security/updates/backporting/

So far we are manually comparing the vulnerabilities pointed by their 
scanning with the current status provided by RedHat, but it seems that we 
will not need to upgrade Apache to the latest version. We will post any 
update we have on the issue.

Regards,
  
Fernando Redigolo

------------------------------------------------------------------------
Laboratory of Computer Networks and Architecture
University of São Paulo
e-mail: 

phone. : +55 11 3091-5261
fax.: +55 11 3091-5280

On 25/06/2014, at 17:05, Christoph Galuschka 
<>
 wrote:

> Hi Luis,
> 
> I would just like to point out, that you are on your own when moving to 
> 2.4.9. There will be no support (and no security updates for 2.4.9) from 
> the CentOS-project side of things. So at least for the security updates of 
> httpd: you will have to take care of those yourself.
> 
> Also out of curiosity, is there a specific feature you are looking for in 
> 2.4.9?
> 
> all the best
> Christoph
> 
> Am 25.06.2014 21:25, schrieb Jason Zurawski:
>> Hi Luis;
>> 
>> Since this is an unsupported operation, its hard to say if things will 
>> work or not.  As long as the new apache instance respects the old 
>> locations of content and configuration files, things may work fine.  In 
>> particular the toolkit uses mod_auth_shadow for some of the management of 
>> users and content.  If the new apache has locations that are drastically 
>> different than the current version of apache (2.2.15), things may fail.
>> 
>> If you are successful, please share any notes on the process with the 
>> list, and we can be sure they are posted somewhere for others who wish to 
>> do this.
>> 
>> Good luck;
>> 
>> -jason
>> 
> 
> -- 
> Christoph Galuschka
> CentOS-QA member | IRC: tigalch