Apache 2.2 EOL – What Is Red Hat’s Story For RHEL6?

Home » CentOS » Apache 2.2 EOL – What Is Red Hat’s Story For RHEL6?
CentOS 9 Comments

Hi folks,

I have been googling for a few weeks now and not finding anything. Apache 2.2 is EOL at the end of this year.

Has Red Hat announced a plan yet on what they are doing in RHEL6?

I am assuming they will up-version from 6.9 to 6.10 and as part of that upgrade from Apache 2.2 to Apache 2.4 ?

thanks,
-Alan

9 thoughts on - Apache 2.2 EOL – What Is Red Hat’s Story For RHEL6?

  • I’d assume they’re just going to make their own fixes, since 2.4 is not a compatible upgrade for many apps, e.g. anything relying on mod_perl.

    We ended up needing to do a major rework of our mod_perl based application to make it run on CentOS 7 as a result.

  • RHEL 6 is in Production Stage 3 where only security fixes will be done to packages. In the past that has meant that no upgrades etc are done in the final Prod 3 releases and backports of high level security fixes are done. So I don’t expect any sort of upgrade.

  • I would be really surprised if they wouldn’t be among the main contributors already (if not the main contributor) – or at least have staff that are very familiar with the source.

  • I don’t have any official knowledge, but I would suspect that they will maintain httpd-2.2 throughout the lifetime of RHEL6. Security issues would be backported. (If older versions of RHEL are any indication)

  • The basic problem is though that there won’t be any security fixes for 2.2
    How can they back port something that does not exist?

    Or do you mean you think they’ll try to port a fix in 2.4 back to 2.2?
    Not even sure that will be possible.

    Is there some way to get an official statement from RHEL on this?
    Like if I bought a licensed copy of RHEL and used it to open a support case or something like that?

  • Yes they have engineers who, when a CVE is discovered, will analyse if it applies to the httpd shipped in RHEL and if there is an issue will write their own patch (if there is no longer an upstream to directly backport from).

    So long as you use the httpd shipped in RHEL/CentOS you will be protected against all known CVEs that get discovered – of course ensuring that mitigating factors such as selinux being enforce also assists with protection from many/most vulnerabilities in something like httpd.

    You will want to read up on:

    https://access.redhat.com/support/policy/updates/errata/

    and possibly:

    https://access.redhat.com/articles/rhel-top-support-policies

    and certainly:

    https://access.redhat.com/security/updates/backporting

    So yes if there is a security issue found in the httpd 2.2 shipped with EL6
    after December of this year RHEL engineers will develop a patch to mitigate/fix it and include it in their build of httpd they ship.

  • Red Hat will provide security updates to whatever solution that they have in RHEL-6 until end of life .. that is what they do and why their Enterprise Linux has subscription costs .. see:

    https://access.redhat.com/security/updates/backporting

    The CentOS Project, on the other hand, does not make any security claims of any kind for CentOS Linux at all. We rebuild whatever source code Red Hat releases for RHEL and the user must make sure it meets any security requirements they have.