Update Apache to 2.4

Bug #939300 reported by SeanBoran
This bug affects 63 people
Affects: Automated Suggestions for Raring Ringtail; Status: Invalid; Importance: Wishlist; Assigned to: Unassigned
Affects: apache2 (Debian); Status: Fix Released; Importance: Unknown
Affects: apache2 (Ubuntu); Status: Fix Released; Importance: Wishlist; Assigned to: Unassigned

Bug Description

I'm not sure where the right place to add this suggestion is,
but it would be great if the new Apache 2.4 could make it into the new Ubuntu LTS release.

https://blogs.apache.org/foundation/entry/the_apache_software_foundation_celebrates
http://httpd.apache.org/docs/2.4/new_features_2_4.html

Thanks,
Sean

Ubuntu Foundations Team Bug Bot (crichton) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs IRC channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/939300/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
Launchpad Janitor (janitor) wrote : Re: precise 12.04: consider adding Apache 2.4 ?

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu:
status: New → Confirmed
Robert Roth (evfool)
tags: added: needs-packaging
Changed in ubuntu:
importance: Undecided → Wishlist
Marc Deslauriers (mdeslaur) wrote :

From a security point of view, we have no preference between 2.2 and 2.4.

Of course, having 2.4 go into a stable LTS immediately after it's released may not be recommended from a maintenance and stability point of view.

Mark Schouten (mark-prevented) wrote :

Well, it would be odd to release an LTS with an aged webserver. The first year won't be an issue, but after that first year, Ubuntu Precise is just like Debian.. Running behind. :)

SeanBoran (sean-boran) wrote :

I agree with both #3 and #4; it's a question of what's the best compromise, whether it's too late in the release cycle, and if not, what the procedure is to fast-track a key change in a controlled and successful way.
This issue is obviously much more important for the server edition.

As regards #1, it's unclear to me how to assign this bug to a specific release or package.

Nicholas Partridge (nmp0906) wrote :

I think this is very important for businesses who rely on LTS release cycles. We are currently running 10.04 LTS and will upgrade to 12.04 LTS before year's end. For our proxies, the feature set of Apache 2.4 is important to us. If 12.04 LTS launches with Apache 2.2 it may be reluctant to upgrade to 2.4 mid-cycle. If it were to push for a 2.4 inclusion in the 12.04 LTS launch, it can address bugs and such during the lifespan of 12.04 LTS.

Kevin (kevinshlee) wrote :

http://www.linuxstall.com/apache-2-4-released/
I think it should be added to 12.04. If anyone worries about any security issues of Apache HTTP server 2.4, he/she can postpone upgrading to Ubuntu 12.04 until he/she thinks it's OK. Besides, if you worry about security issues in the early release of Apache HTTP server 2.4, how can you install Ubuntu 12.04? It isn't even released yet so is even younger than Apache HTTP server 2.4. Thus I don't think you can install Ubuntu 12.04 soon after its release anyway if you can't install Apache 2.4 because it's too young to install. It's also too bad to wait for 2.4 for about two more years as this version seems to have a huge improvement.

Apreche (apreche) wrote :

Why can't both be included in the LTS? There could be a package named apache-2.2 and one named apache-2.4.

Benjamin Baumer (bbaumer-abm) wrote :

I hope apache-2.4 will be added to 12.04. The missing OCSP support in apache-2.2 for the next 5 years will force users to install apache-2.4 from source.
Like apreche in #8, I prefer including both apache-2.2 and apache-2.4 packages in 12.04.

Chris Vigelius (chris-vigelius) wrote :

For what it's worth, I'd also like to have apache 2.4 in 12.04 LTS.

MaikL (news4maikl) wrote :

I hope apache 2.4 will make it in 12.04. It will last at least 2 years on our server, so please give it a chance.

Thomas E. Deutsch (tdeutsch) wrote :

We need it too in 12.04

Malte S. Stretz (mss) wrote :

It looks like it won't be possible to simply ship an apache2-2.4 package in parallel, since the ABI has changed, which means that all modules etc. would have to be shipped in a -2.4 version as well: http://lists.debian.org/debian-devel-announce/2012/03/msg00013.html

Hadmut Danisch (hadmut) wrote :

Well,

in my eyes it was definitely a wrong decision to ship a 2012 long time distribution with an old and outdated web server.

The first problem is that an LTS server Ubuntu should last 5 years, but you cannot expect software to be maintained that long if it is already outdated right now.

The second problem is that if someone needs apache 2.4 - which, after all, is not just some unimportant tool but a core server component - he has to mix in other packages and thus break the integrity of the Ubuntu system.

Very bad decision.

Nicholas Partridge (nmp0906) wrote :

It's not necessarily a bad decision to ship without 2.4. 2.4 was just released and to put it in an LTS distro right away would have been a bit rushed. We should be able to provide an apache-2.4 package and dependent modules that are named with the -2.4 as well. When the ABI changes, this seems to be common practice such as with php4 and php5 modules. If Apache 2.4 won't be supported in the near future, we'll probably be looking elsewhere for our proxies, whether pulling from another repo or going with a different distro altogether.

Ragimiri (ragimiri) wrote :

Apache 2.4 has a big benefit - support for TLS 1.1 and 1.2. The old version supports only SSL2, SSL3 and TLS 1.0, which are vulnerable to the BEAST attack.

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html

Jeremy Bicha (jbicha) wrote :

Here's the Debian Apache2.4 transition bug: http://bugs.debian.org/661958

The Debian developers have run out of time to get Apache 2.4 into the next Debian release, Wheezy. There are a large number of modules that need to be fixed for 2.4, so I doubt that this transition would even happen before Ubuntu 13.04.

affects: ubuntu → apache2 (Ubuntu)
summary: - precise 12.04: consider adding Apache 2.4 ?
+ Update Apache to 2.4
Jeremy Bicha (jbicha)
tags: added: upgrade-software-version
removed: needs-packaging
Changed in apache2 (Debian):
status: Unknown → New
CSRedRat (csredrat) wrote :

Why not in 12.10?

dfrg.msc (dfrg-msc) wrote :

No 2.4 with 12.10, and how about 13.04?

Mark (cybericed)
affects: apache2 (Ubuntu) → raringautomatedsuggestions
MarkJ (marker) wrote :

No 2.4 with 13.04, and how about 13.10?

If it doesn't make it into 14.04 I'm going to be ticked. No wonder everyone is using nginx... because in standard distributions, it's competing against 2.2, not 2.4.

Changed in apache2 (Debian):
status: New → Fix Committed
Patrick Goetz (pgoetz) wrote :

2.4 is still not in 13.10...

RichardNeill (ubuntu-richardneill) wrote :

Please can I urge packaging of 2.4 as a matter of some urgency.

Without 2.4 (or at least 2.3), there is no SSLCipherSuite support for the ECDHE keys.
This means that we can either be vulnerable to BEAST, or sacrifice forward secrecy. This really isn't a good choice to have, and it means we are forced to accept at least one known vulnerability.

Otherwise, perhaps the ECDHE SSL cipher could be backported into 2.2?
Thanks.
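
The choice described in the comment above, written out as mod_ssl configuration. This is an added example, not part of the thread; the cipher lists are constructed for illustration, and the three fragments are alternatives, not one file.

```apache
# Constructed example: three alternative mod_ssl fragments.
# SSLProtocol, SSLHonorCipherOrder and SSLCipherSuite are real mod_ssl
# directives; the cipher selections are illustrative assumptions.

# --- Fragment 1: no ECDHE, avoid BEAST, give up forward secrecy ---
# RC4 is a stream cipher, so a TLS 1.0 client never negotiates a
# CBC-mode suite. RC4-SHA uses static RSA key exchange, so a later
# compromise of the server key exposes recorded sessions.
# RC4 has since been prohibited for TLS (RFC 7465); this fragment
# only shows the trade-off as it stood when the comment was written.
SSLProtocol         all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite      RC4-SHA:!aNULL:!eNULL

# --- Fragment 2: no ECDHE, keep forward secrecy, stay exposed to BEAST ---
# DHE key exchange gives forward secrecy, but these suites are
# CBC-mode, which is what BEAST targets on TLS 1.0 and earlier.
SSLProtocol         all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite      DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL

# --- Fragment 3: ECDHE suites and TLS 1.2 available ---
# ECDHE gives forward secrecy; GCM suites are not CBC-mode and
# TLS 1.2 is not affected by BEAST, so neither property is traded away.
SSLProtocol         -all +TLSv1.2
SSLHonorCipherOrder on
SSLCipherSuite      ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
```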

Jeremy Bicha (jbicha) wrote :

apache2 2.4.4 has been uploaded to Ubuntu 13.10 Alpha "Saucy". It will take time and work to finish the transition though.

Changed in apache2 (Ubuntu):
importance: Undecided → Wishlist
status: New → Fix Committed
Jeremy Bicha (jbicha)
Changed in apache2 (Ubuntu):
status: Fix Committed → Fix Released
Changed in apache2 (Debian):
status: Fix Committed → Fix Released
Christoph_vW (christoph-apiviewer) wrote :

I would like to see this patch included as well: https://issues.apache.org/bugzilla/show_bug.cgi?id=49559

This would allow for better Forward Secrecy Support without having a weak key exchange.

Ricalsin (rcs) wrote :

The Ubuntu community's systematic approach to prevent unintended consequences is well conceived and implemented. But no one plan is flawless and every good plan should have a contingency. This thread documents a year's worth of history showing a very important component getting hung up in a well-intentioned process; causing server security issues to persist, significant advances to not be implemented and a loss of market share to competitors. Please be open to discussing a contingency among the Ubuntu core team.

Jeremy Bicha (jbicha) wrote :

Christoph, you'll need to file a separate bug for that issue.

Jared Fernandez (jared-fernandez) wrote :

Raring Ringtail (13.04) is no longer under development.

Changed in raringautomatedsuggestions:
status: Confirmed → Invalid