Update Apache to 2.4

Bug #939300 reported by SeanBoran on 2012-02-23
This bug affects 63 people
Affects: Automated Suggestions for Raring Ringtail. Status: Invalid. Importance: Wishlist. Assigned to: Unassigned.
Affects: apache2 (Debian). Status: Fix Released. Importance: Unknown.
Affects: apache2 (Ubuntu). Importance: Wishlist. Assigned to: Unassigned.

Bug Description

I'm not sure where the right place to add this suggestion is,
but it would be great if the new Apache 2.4 could make it into the new Ubuntu LTS release ..

https://blogs.apache.org/foundation/entry/the_apache_software_foundation_celebrates
http://httpd.apache.org/docs/2.4/new_features_2_4.html

Thanks,
Sean

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/939300/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu:
status: New → Confirmed
Robert Roth (evfool) on 2012-02-23
tags: added: needs-packaging
Changed in ubuntu:
importance: Undecided → Wishlist
Marc Deslauriers (mdeslaur) wrote :

From a security point of view, we have no preference between 2.2 and 2.4.

Of course, having 2.4 go into a stable LTS immediately after it's released may not be recommended from a maintenance and stability point of view.

Mark Schouten (mark-prevented) wrote :

Well, it would be odd to release an LTS with an aged webserver. The first year won't be an issue, but after that first year, Ubuntu Precise is just like Debian.. Running behind. :)

SeanBoran (sean-boran) wrote :

I agree with both #3 and #4, it's a question of what's the best compromise, whether it's too late in the release cycle, and if not, what is the procedure to do fast track in a key change in a controlled and successful way.
This issue is obviously much more important for the server edition.

As regards #1, it's unclear to me how to assign this bug to a specific release or package.

Nicholas Partridge (nmp0906) wrote :

I think this is very important for businesses who rely on LTS release cycles. We are currently running 10.04 LTS and will upgrade to 12.04 LTS before year's end. For our proxies, the feature set of Apache 2.4 is important to us. If 12.04 LTS launches with Apache 2.2 it may be reluctant to upgrade to 2.4 mid-cycle. If it were to push for a 2.4 inclusion in the 12.04 LTS launch, it can address bugs and such during the lifespan of 12.04 LTS.

Kevin (kevinshlee) wrote :

http://www.linuxstall.com/apache-2-4-released/
I think it should be added to 12.04. If anyone worries about any security issues of Apache HTTP server 2.4, he/she can postpone upgrading to Ubuntu 12.04 until he/she thinks it's OK. Besides, if you worry about security issues in the early release of Apache HTTP server 2.4, how can you install Ubuntu 12.04? It isn't even released yet so is even younger than Apache HTTP server 2.4. Thus I don't think you can install Ubuntu 12.04 soon after its release anyway if you can't install Apache 2.4 because it's too young to install. It's also too bad to wait for 2.4 for about two more years as this version seems to have a huge improvement.

Apreche (apreche) wrote :

Why can't both be included in the LTS? There could be a package named apache-2.2 and one named apache-2.4.

Benjamin Baumer (bbaumer-abm) wrote :

I hope apache-2.4 will be added to 12.04. The missing OCSP Support in apache-2.2 for the next 5 Years will force Users to install apache-2.4 from Source.
Like apreche in #8 I prefer including both apache-2.2 and apache-2.4 Packages in 12.04.

For what it's worth, I'd also like to have apache 2.4 in 12.04 LTS.

MaikL (news4maikl) wrote :

I hope apache 2.4 will make it in 12.04. It will last at least 2 years on our server, so please give it a chance.

Thomas E. Deutsch (tdeutsch) wrote :

We need it too in 12.04

Malte S. Stretz (mss) wrote :

It looks like it won't be possible to simply ship an apache2-2.4 package in parallel since the ABI has changed which means that all modules etc. had to be shipped in an -2.4 version as well: http://lists.debian.org/debian-devel-announce/2012/03/msg00013.html

Hadmut Danisch (hadmut) wrote :

Well,

in my eyes it was definitely a wrong decision to ship a 2012 long time distribution with an old and outdated web server.

The first problem is that an LTS server ubuntu should last 5 years, but you cannot expect a software to be maintained that long if it is already outdated right now.

The second problem is that if someone needs apache 2.4 - which, after all, is not just some unimportant tool but a core server component - he has to mix in other packets and thus break the integrity of the ubuntu system.

Very bad decision.

Nicholas Partridge (nmp0906) wrote :

It's not necessarily a bad decision to ship without 2.4. 2.4 was just released and to put it in an LTS distro right away would have been a bit rushed. We should be able to provide an apache-2.4 package and dependent modules that are named with the -2.4 as well. When the ABI changes, this seems to be common practice such as with php4 and php5 modules. If Apache 2.4 won't be supported in the near future, we'll probably be looking elsewhere for our proxies, whether pulling from another repo or going with a different distro altogether.

Ragimiri (ragimiri) wrote :

Apache 2.4 has a big benefit - support for TLS 1.1 and 1.2. The old version supports only SSL2, SSL3 and TLS 1.0 that are vulnerable to BEAST attack.

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html

Jeremy Bicha (jbicha) wrote :

Here's the Debian Apache2.4 transition bug: http://bugs.debian.org/661958

The Debian developers have run out of time to get Apache 2.4 into the next Debian release, Wheezy. There are a large number of modules that need to be fixed for 2.4 so I doubt that this transition would even happen before Ubuntu 13.04.

affects: ubuntu → apache2 (Ubuntu)
summary: - precise 12.04: consider adding Apache 2.4 ?
+ Update Apache to 2.4
Jeremy Bicha (jbicha) on 2012-05-27
tags: added: upgrade-software-version
removed: needs-packaging
Changed in apache2 (Debian):
status: Unknown → New
CSRedRat (csredrat) wrote :

What not in 12.10?

dfrg.msc (dfrg-msc) wrote :

No 2.4 with 12.10, and how about 13.04?

Mark (cybericed) on 2013-03-26
affects: apache2 (Ubuntu) → raringautomatedsuggestions
marker (marker) wrote :

No 2.4 with 13.04, and how about 13.10?

If it doesn't make it into 14.04 I'm going to be ticked. No wonder everyone is using nginx... because in standard distributions, it's competing against 2.2, not 2.4.

Changed in apache2 (Debian):
status: New → Fix Committed
Patrick Goetz (pgoetz) wrote :

2.4 is still not in 13.10...

Please can I urge packaging of 2.4 as a matter of some urgency.

Without 2.4 (or at least 2.3), there is no SSLCipherSuite support for the ECDHE keys.
This means that we can either be vulnerable to BEAST, or sacrifice forward secrecy. This really isn't a good choice to have, and it means we are forced to accept at least one known vulnerability.

Otherwise, perhaps the ECDHE SSL cipher could be backported into 2.2?
Thanks.
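
The trade-off described in the comment above, as an added example that is not part of the original thread: a small Python classifier over OpenSSL-style cipher suite names that reports which suites a TLS 1.0 client could use that are both forward secret and not CBC-based. The two suite lists are constructed samples, not the defaults of any Apache or Ubuntu release.

```python
EPHEMERAL_KEX = {"ECDHE", "DHE", "EDH"}    # key exchanges giving forward secrecy
AEAD = {"GCM", "CCM", "CCM8", "CHACHA20"}  # AEAD modes, TLS 1.2 and later only
TLS12_MACS = {"SHA256", "SHA384"}          # trailing hash names that imply TLS 1.2


def classify(suite):
    """Return the properties of one OpenSSL cipher suite name."""
    tokens = suite.split("-")
    aead = bool(AEAD & set(tokens))
    tls12_only = aead or tokens[-1] in TLS12_MACS
    # Anything that is not AEAD, RC4 or NULL is a block cipher in CBC mode.
    cbc = not aead and "RC4" not in tokens and "NULL" not in tokens
    return {
        "forward_secret": tokens[0] in EPHEMERAL_KEX,
        "tls12_only": tls12_only,
        # BEAST targets CBC suites negotiated over SSL 3.0 / TLS 1.0.
        "beast_exposed": cbc and not tls12_only,
    }


def fs_and_beast_safe_on_tls10(suites):
    """Suites a TLS 1.0 client can use that are forward secret and not CBC."""
    picked = []
    for suite in suites:
        props = classify(suite)
        if (props["forward_secret"] and not props["beast_exposed"]
                and not props["tls12_only"]):
            picked.append(suite)
    return picked


# Constructed sample lists (assumption), not taken from any real server config.
WITHOUT_ECDHE = ["RC4-SHA", "AES128-SHA", "DES-CBC3-SHA",
                 "DHE-RSA-AES128-SHA", "DHE-RSA-AES256-SHA"]
WITH_ECDHE = WITHOUT_ECDHE + ["ECDHE-RSA-RC4-SHA", "ECDHE-RSA-AES128-SHA",
                              "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    for label, suites in (("without ECDHE", WITHOUT_ECDHE),
                          ("with ECDHE", WITH_ECDHE)):
        print(label, "->", fs_and_beast_safe_on_tls10(suites))
    # Note: RC4 was later prohibited for TLS by RFC 7465, so on current
    # servers the ECDHE AEAD suites over TLS 1.2 are the ones to prefer.
```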

Jeremy Bicha (jbicha) wrote :

apache2 2.4.4 has been uploaded to Ubuntu 13.10 Alpha "Saucy". It will take time and work to finish the transition though.

Changed in apache2 (Ubuntu):
importance: Undecided → Wishlist
status: New → Fix Committed
Jeremy Bicha (jbicha) on 2013-07-18
Changed in apache2 (Ubuntu):
status: Fix Committed → Fix Released
Changed in apache2 (Debian):
status: Fix Committed → Fix Released

I would like to see this patch included as well: https://issues.apache.org/bugzilla/show_bug.cgi?id=49559

This would allow for better Forward Secrecy Support without having a weak key exchange.

Ricalsin (rcs) wrote :

The ubuntu community's systematic approach to prevent unintended consequences is well conceived and implemented. But no one plan is flawless and every good plan should have a contingency. This thread documents a year's worth of history showing a very important component getting hung up in a well-intentioned process; causing server security issues to persist, significant advances to not be implemented and a loss of marketshare to competitors. Please be open to discussing a contingency among the ubuntu core team.

Jeremy Bicha (jbicha) wrote :

Christoph, you'll need to file a separate bug for that issue.

Raring Ringtail (13.04) is no longer under development.

Changed in raringautomatedsuggestions:
status: Confirmed → Invalid