Update Apache to 2.4

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/939300/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

Status changed to 'Confirmed' because the bug affects multiple users.

From a security point of vue, we have no preference between 2.2 and 2.4.

Of course, having 2.4 go into a stable LTS immediately after it's released may not be recommended from a maintenance and stability point of vue.

Well, it would be odd to release an LTS with an aged webserver. The first year won't be an issue, but after that first year, Ubuntu Precise is just like Debian.. Running behind. :)

I agree with both #3 and #4, its a question of whats the best compromise, whether its too late in the release cycle, and if not, what is the procedure to do fast track in a key change in a controlled and successful way.
This issue is obviously much more important for the server edition.

As regards #1, its unclear to me how to assign this bug to a specific release or package.

I think this is very important for businesses who rely on LTS release cycles. We are currently running 10.04 LTS and will upgrade to 12.04 LTS before year's end. For our proxies, the feature set of Apache 2.4 is important to us. If 12.04 LTS launches with Apache 2.2 it may be reluctant to upgrade to 2.4 mid-cycle. If it were to push for a 2.4 inclusion in the 12.04 LTS launch, it can address bugs and such during the lifespan of 12.04 LTS.

http://www.linuxstall.com/apache-2-4-released/
I think it should be added to 12.04. If anyone worries about any security issues of Apache HTTP server 2.4, he/she can postpone upgrading to Ubuntu 12.04 until he/she thinks it's OK. Besides, if you worry about security issues in the early release of Apache HTTP server 2.4, how can you install Ubuntu 12.04? It isn't even released yet so is even younger than Apache HTTP server 2.4. Thus I don't think you can install Ubuntu 12.04 soon after its release anyway if you can't install Apache 2.4 because it's too young to install. It's also too bad to wait for 2.4 for about two more years as this version seems to have a huge improvement.

Why can't both be included in the LTS? There could be a package named apache-2.2 and one named apache-2.4.

I hope apache-2.4 will be added to 12.04. The missing OCSP Support in apache-2.2 for the next 5 Years will force Users to install apache-2.4 from Source.
Like apreche in #8 I prefer including both apache-2.2 and apache-2.4 Packages in 12.04.

For what it's worth, I'd also like to have apache 2.4 in 12.04 LTS.

I hope apache 2.4 will make it in 12.04. It will last at least 2 years on our server, so please give it a chance.

We need it too in 12.04

It looks like it won't be possible to simply ship an apache2-2.4 package in parallel since the ABI has changed which means that all modules etc. had to be shipped in an -2.4 version as well: http://lists.debian.org/debian-devel-announce/2012/03/msg00013.html

Well,

in my eyes it was definitely a wrong decision to ship a 2012 long time distribution with an old and outdated web server.

The first problem is that an LTS server ubuntu should last 5 years, but you cannot expect a software to be maintained that long if it is already outdated right now.

The second problem is that if someone needs apache 2.4 - which, after all, is not just some unimportant tool but a core server component - he has to mix in other packets and thus break the integrity of the ubuntu system.

Very bad decision.

It's not necessarily a bad decision to ship without 2.4. 2.4 was just released and to put it in an LTS distro right away would have been a bit rushed. We should be able to provide an apache-2.4 package and dependent modules that are named with the -2.4 as well. When the ABI changes, this seems to be common practice such as with php4 and php5 modules. If Apache 2.4 won't be supported in the near future, we'll probably be looking elsewhere for our proxies, whether pulling from another repo or going with a different distro altogether.

Apache 2.4 has big benefit - support for TLS 1.1 and 1.2. Old version supports only SSL2, SSL3 and TLS 1.0 that are vulnerable to BEAST attack.

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html

Here's the Debian Apache2.4 transition bug: http://bugs.debian.org/661958

The Debian developers have ran out of time to get Apache 2.4 into the next Debian release, Wheezy. There are a large number of modules that need to be fixed for 2.4 so I doubt that this transition would even happen before Ubuntu 13.04.

What not in 12.10?

No 2.4 with 12.10, and how about 13.04?

No 2.4 with 13.04, and how about 13.10?

If it doesn't make it into 14.04 I'm going to be ticked. No wonder everyone is using nginx... because in standard distributions, its competing against 2.2, not 2.4.

2.4 is still not in 13.10...

Please can I urge packaging of 2.4 packaging as a matter of some urgency.

Without 2.4 (or at least 2.3), there is no SSLCipherSuite support for the ECDHE keys.
This means that we can either be vulnerable to BEAST, or sacrifice forward secrecy. This really isn't a good choice to have, and it means we are forced to accept at least one known vulnerability.

Otherwise, perhaps the ECDHE SSL cipher could be backported into 2.2 ?
Thanks.

apache2 2.4.4 has been uploaded to Ubuntu 13.10 Alpha "Saucy". It will take time and work to finish the transition though.

I would like to see this patch included as well: https://issues.apache.org/bugzilla/show_bug.cgi?id=49559

This would allow for better Forward Secrecy Support without having a weak key exchange.

The ubuntu community's systematic approach to prevent unintended consequences is well conceived and implemented. But no one plan is flawless and every good plan should have a contingency. This thread documents a years worth of history showing a very important component getting hung up in a well-intentioned process; causing server security issues to persist, significant advances to not be implemented and a loss of marketshare to competitors. Please be open to discussing a contingency among the ubuntu core team.

Christoph, you'll need to file a separate bug for that issue.

Raring Ringtail (13.04) is no longer under development.