Questions on how to upgrade Apache

Questions on how to upgrade Apache

[Andy Romens]

Hi Cygwin,

I got a question for you all. Our cyber security team is yelling at us to update Apache from 2.4.39 to 2.4.46. I have searched far and wide on the web to see if there is a way to do that, but so far nothing has turned up. Any idea on how to do this or if an updated package will get released soon-ish for Apache?

Thank you in advance,
-Andy

Questions on how to upgrade Apache

[Andy Romens]

Got bounced at first, trying just this email…
Hi Cygwin,

I got a question for you all. Our cyber security team is yelling at us to update Apache from 2.4.39 to 2.4.46. I have searched far and wide on the web to see if there is a way to do that, but so far nothing has turned up. Any idea on how to do this or if an updated package will get released soon-ish for Apache?

Thank you in advance,
-Andy

Re: Questions on how to upgrade Apache

[Andrey Repin]

Greetings, Andy Romens!

> I got a question for you all. Our cyber security team is yelling at us to
> update Apache from 2.4.39 to 2.4.46. I have searched far and wide on the web
> to see if there is a way to do that, but so far nothing has turned up. Any
> idea on how to do this or if an updated package will get released soon-ish for Apache?

Is there a reason you are using Cygwin build of Apache?
Can't you use native one?


-- 
With best regards,
Andrey Repin
Thursday, April 8, 2021 8:28:01

Sorry for my terrible english...

Questions on how to upgrade Apache

[Andy Romens]

Hi Cygwin (or whoever gets these, I just signed up),

I got a question for you all. I need to update Apache from 2.4.39 to 2.4.46. I have searched far and wide on the web to see if there is a way to do that, but so far nothing has turned up. Any idea on how to do this or if an updated package will get released soon-ish for Apache? Background info, we are running Cygwin on a Windows 2012 Server. Anything else, please let me know and I will investigate.

Thank you in advance,
-Andy

Re: Questions on how to upgrade Apache

[Stephen John Smoogen]

On Thu, 8 Apr 2021 at 10:02, Andy Romens via Cygwin <cygwin@cygwin.com>
wrote:

> Hi Cygwin (or whoever gets these, I just signed up),
>
> I got a question for you all. I need to update Apache from 2.4.39 to
> 2.4.46. I have searched far and wide on the web to see if there is a way to
> do that, but so far nothing has turned up. Any idea on how to do this or if
> an updated package will get released soon-ish for Apache? Background info,
> we are running Cygwin on a Windows 2012 Server. Anything else, please let
> me know and I will investigate.
>
>
It looks like the apache package is obsolete and orphaned currently. You
will need to compile a version of apache on the cygwin system itself to
update to a newer version.

https://cygwin.com/cygwin-pkg-maint



> Thank you in advance,
> -Andy
> --
> Problem reports:      https://cygwin.com/problems.html
> FAQ:                  https://cygwin.com/faq/
> Documentation:        https://cygwin.com/docs.html
> Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
>


-- 
Stephen J Smoogen.

Re: Questions on how to upgrade Apache

[Andy Romens]

Is there something else Cygwin provides that I should use instead of Apache? Sorry for the elementary questions, I’m still quite new to this :)

Thanks,
-Andy

On Apr 8, 2021, at 8:33 AM, Stephen John Smoogen <smooge@gmail.com> wrote:




On Thu, 8 Apr 2021 at 10:02, Andy Romens via Cygwin <cygwin@cygwin.com<mailto:cygwin@cygwin.com>> wrote:
Hi Cygwin (or whoever gets these, I just signed up),

I got a question for you all. I need to update Apache from 2.4.39 to 2.4.46. I have searched far and wide on the web to see if there is a way to do that, but so far nothing has turned up. Any idea on how to do this or if an updated package will get released soon-ish for Apache? Background info, we are running Cygwin on a Windows 2012 Server. Anything else, please let me know and I will investigate.


It looks like the apache package is obsolete and orphaned currently. You will need to compile a version of apache on the cygwin system itself to update to a newer version.

https://cygwin.com/cygwin-pkg-maint<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcygwin.com%2Fcygwin-pkg-maint&data=04%7C01%7C%7C974b440d2d8d43145ea608d8fa9b53e0%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637534892315307939%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=xRsqjue73V2AxmL%2BZI8Kl0od0cTyMfehOMgZvsYlVL8%3D&reserved=0>


Thank you in advance,
-Andy
--
Problem reports:      https://cygwin.com/problems.html<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcygwin.com%2Fproblems.html&data=04%7C01%7C%7C974b440d2d8d43145ea608d8fa9b53e0%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637534892315307939%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=xiTeJ2o1RYYX5MMyyxZxCmH7Hv3aOabKJg3poP2TsJ8%3D&reserved=0>
FAQ:                  https://cygwin.com/faq/<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcygwin.com%2Ffaq%2F&data=04%7C01%7C%7C974b440d2d8d43145ea608d8fa9b53e0%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637534892315307939%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=SphOgD%2FcuKF64kqJXU5K52bkFEn05lDb28EeZ90ul8w%3D&reserved=0>
Documentation:        https://cygwin.com/docs.html<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcygwin.com%2Fdocs.html&data=04%7C01%7C%7C974b440d2d8d43145ea608d8fa9b53e0%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637534892315317892%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=ZXsQq3SzPJKdyxf79tT64wR9WppwOPLXyE7G%2FdT9QC8%3D&reserved=0>
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcygwin.com%2Fml%2F%23unsubscribe-simple&data=04%7C01%7C%7C974b440d2d8d43145ea608d8fa9b53e0%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637534892315317892%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=maYw0s%2Bh9ZRhfmGqZ80LaMFLAUhK4DBomMdtn7VjNjE%3D&reserved=0>


--
Stephen J Smoogen.

Re: Questions on how to upgrade Apache

[Eliot Moss]

On 4/8/2021 11:49 AM, Andy Romens via Cygwin wrote:
 > Is there something else Cygwin provides that I should use instead of Apache?
 > Sorry for the elementary questions, I’m still quite new to this :)

No.  Cygwin, at its heart, is a Windows library (.dll file) that, when used,
provides a library call environment as close to POSIX (Linux, Unix) as it can,
given that Windows is not Unix.  Programs must be explicitly compiled to use
that library.  Sometimes that need adjustments (patches) to work correctly in
the environment.  Presumably all those patches that would be necessary for
previous version so Apache are in the source package for those previous
versions, and might be enough for building a new version as well.  As you are
probably aware, a number of commonly used Unix programs have been ported to
work under Cygwin.

Alternatively, you can use Windows-native programs and tools.  I personally am
not sure if Apache is available as a Windows-native download, etc.

There is also the Windows Subsystem for Linux, which runs a virtual machine
under which many Unix programs can be installed without modification.

Regards - Eliot Moss

Re: Questions on how to upgrade Apache

[René Berber]

On 4/8/2021 10:49 AM, Andy Romens via Cygwin wrote:

 > Is there something else Cygwin provides that I should use instead of
 > Apache? Sorry for the elementary questions, I’m still quite new to
 > this :)


nginx is an alternative (NGINX Open Source. The open source web server).

Cygwin is at version 1.14.2, current version is 1.19.9 (there's a 
Windows binary at nginx.org).
-- 
R.Berber

Re: Questions on how to upgrade Apache

[Glenn Strauss]

On Thu, Apr 08, 2021 at 11:37:13AM -0500, René Berber via Cygwin wrote:
> On 4/8/2021 10:49 AM, Andy Romens via Cygwin wrote:
> 
> > Is there something else Cygwin provides that I should use instead of
> > Apache? Sorry for the elementary questions, I’m still quite new to
> > this :)
> 
> 
> nginx is an alternative (NGINX Open Source. The open source web server).
> 
> Cygwin is at version 1.14.2, current version is 1.19.9 (there's a Windows
> binary at nginx.org).

lighttpd is also an alternative and is kept up-to-date in Cygwin by the
upstream lighttpd maintainer (me)

https://www.cygwin.com/packages/summary/lighttpd-src.html

Latest lighttpd release is lighttpd 1.4.59.
Latest lighttpd available in Cygwin is lighttpd 1.4.59.

Cheers, Glenn

Re: Questions on how to upgrade Apache

[bzs]

I upgrade apache from sources all the time tho not on cygwin, we use
Linux for that, but the basic idea is the same. My advice, having
looked over other advice here, and your responses:

1. You probably don't want to go to another web server like nginx just
for what you describe.

You would have to reconfigure your entire web server environment
including hosts, server certificates, dependent software (e.g., do
your sites use php?), etc. That can be much more work and subtlety
than just upgrading an apache dot release.

2. Although building apache from source is not very difficult there
are build configuration options and even dependent software (I dunno,
fastcgi, whatever) you would need to navigate.

If you could get the exact build configuration (./configure
...options) that cygwin uses that might make it a lot easier.

That result might "just work" since you're only trying to upgrade a
dot release.

But there may be other issues such as dependent software and
dynamically loaded modules. Fortunately the configuration files
(*.conf) between dot releases should just work, they don't change much
if at all for the releases you describe.

Given their configuration options it might be worth a try if you have
the time and testing environment.

3. But then the pottery shop rule would kick in, you break it, you own
it.

By which I mean where do you go forward from there? Future releases?

You will probably have to build from source forever or find some way
to backtrack back into the binary cygwin releases. For us building and
configuring from sources is fine but TBH on a scale of 1-10 I am an 11
on these things (pardon my modesty :-)).

4. Probably the best advice is:

a) examine why someone thinks you need to do this at all other than
they just like to run the latest and greatest. If it's security flaws
consider that errors in doing this from source or going to another
server entirely could be much more security-error-prone lacking
in-house expertise.

b) If they have such exotic and exacting requirements that they can't
tolerate being behind a few dot releases then they should be willing
to pay an expert to help them meet those requirements (no I'm not
available.)

In all seriousness and apologies to the cygwin crew who I love and
admire the very fact that you're running apache on cygwin makes me
think your requirements can't be too pie-in-the-sky, I'll guess you're
not running Amazon or Shopify etc.

c) Seriously consider a pre-built native Windows apache release.

That should pretty much drop-in and if that seems too difficult the
other options like building from source or switching to another server
will likely be much more difficult.

d) Apply to law school.

-- 
        -Barry Shein

Software Tool & Die    | bzs@TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*

Re: Questions on how to upgrade Apache

[Brian S. Wilson]

[-- Attachment #1.1.1: Type: text/plain, Size: 1122 bytes --]

On 4/8/2021 1:30 AM, Andrey Repin wrote:

--

Please contact me if you have any questions or concerns.

Sincerely,

Brian S. Wilson
Primary: wilson@ds.net <mailto:wilson@ds.net> *(preferred)*
Secondary: wilson96@xfinity.com <mailto:wilson96@xfinity.com>
Tertiary: briansw@bellsouth.net <mailto:briansw@bellsouth.net>
Phone: +1 (678) 376-9258
Mobile: +1 (678) 232-9357
Address: 1900 Grouse Ct. Lawrenceville, GA 30044-6914

------------------------------------------------------------------------

*This message has been digitally signed as a security measure.*

------------------------------------------------------------------------
> Is there a reason you are using Cygwin build of Apache?
> Can't you use native one?
Perhaps he likes using a Posix like environment and can't use a native 
windows Apache installation.  I have a similar issue and used the Cygwin 
instance on an older Windows machine that wasn't much use for anything 
else.  It worked like a charm and could be used to easily test web site 
changes.  All the joy of Posix and no conversion from Windows native 
issues.

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 671 bytes --]

[-- Attachment #1.1.3: wilson96.vcf --]
[-- Type: text/x-vcard, Size: 431 bytes --]

BEGIN:VCARD
VERSION:4.0
EMAIL;PREF=1:wilson@ds.net
EMAIL:wilson96@xfinity.com
FN:Brian Wilson
ORG:The Home Depot;Dev. Tools
TITLE:Senior Systems Engineer
N:Wilson;Brian;;;
ADR:;;2250 Newmarket Pkwy SE;Marietta;GA;30067;United States of America
TEL;TYPE=home;VALUE=TEXT:+1 (678) 376-9258
TEL;TYPE=cell;VALUE=TEXT:+1 (678) 232-9357
URL;VALUE=URL:https://homedepot.com
UID:6d506c0e-6284-4e39-9c45-df7a649c804c
END:VCARD

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 236 bytes --]

RE: Questions on how to upgrade Apache

[KAVALAGIOS Panagiotis (EEAS-EXT)]

> -----Original Message-----
> From: Cygwin <cygwin-bounces@cygwin.com> On Behalf Of bzs
> Sent: 08 April 2021 9:54 PM
> Subject: Re: Questions on how to upgrade Apache
> 
> 
> c) Seriously consider a pre-built native Windows apache release.
> 
> That should pretty much drop-in and if that seems too difficult the other options like building from source or switching to
> another server will likely be much more difficult.

I would also endorse that option. We are using Apache Haus binaries:

https://www.apachehaus.com/cgi-bin/download.plx

and work fine. You have a normal Apache Web Server under Windows and the "httpd -k install" gives you a nice Apache2.4 Windows service as well. It is better to remove Cygwin's old Apache instance and install something like that until a maintainer takes over Apache again in Cygwin.

Panos

Application Architect
CONSULIAT (under contract with the EEAS)
BA.BS.3.IS
_____________________________________
Office: EEAS B100 Floor 5 Area 048
Rue Belliard 100, 1000 Brussels
Phone: +32 2 584 6017

Re: Questions on how to upgrade Apache

[Csaba Raduly]

Hi Andy,

On Tue, 6 Apr 2021 at 22:35, Andy Romens via Cygwin  wrote:
>
> Hi Cygwin,
>
> I got a question for you all. Our cyber security team is yelling at us to update Apache from 2.4.39 to 2.4.46.

If that website is customer-facing, your cyber security team and your
ops team should be yelling at you for running Apache on Cygwin.

If you want to run Apache on Windows, you would be much better served
by native Apache builds (as others have suggested) -
http://httpd.apache.org/docs/current/platform/windows.html#down

Csaba
-- 
You can get very substantial performance improvements
by not doing the right thing. - Scott Meyers, An Effective C++11/14 Sampler
So if you're looking for a completely portable, 100% standards-conformant way
to get the wrong information: this is what you want. - Scott Meyers (C++TDaWYK)

Re: Questions on how to upgrade Apache

[Brian S. Wilson]

[-- Attachment #1: Type: text/plain, Size: 1465 bytes --]


>> I got a question for you all. Our cyber security team is yelling at us 
to update Apache from 2.4.39 to 2.4.46.
> If that website is customer-facing, your cyber security team and your
> ops team should be yelling at you for running Apache on Cygwin.
>
> If you want to run Apache on Windows, you would be much better served
> by native Apache builds (as others have suggested) -
> http://httpd.apache.org/docs/current/platform/windows.html#down
>
> Csaba

In the past, I've used the Cygwin Apache instance for local testing when 
no Linux systems were available (i.e. old Windows hardware was all that 
was immediately available).  It gave us a good Posix like environment 
and allowed us to test the effects of various configurations with 
greater freedom, control, and much faster than we would otherwise have 
had if we were forced to go through the corporate bureaucracy and wait 
for web administrators, System Admins, purchaseing, setup, 
configuration, and networking of a real or virtual system (at that time 
Docker wasn't available to us either).

Windows based Apache installations are a good choice when possible, but 
they are not always the same as their Linux/Posix counterparts and if 
you are not concerned with the speed of execution (and you have only 
Windows based hardware available); but just with testing functionality, 
Cygwin offered a great way to setup a compatible environment with an 
Apache server.


[-- Attachment #2: wilson96.vcf --]
[-- Type: text/x-vcard, Size: 431 bytes --]

BEGIN:VCARD
VERSION:4.0
EMAIL;PREF=1:wilson@ds.net
EMAIL:wilson96@xfinity.com
FN:Brian Wilson
ORG:The Home Depot;Dev. Tools
TITLE:Senior Systems Engineer
N:Wilson;Brian;;;
ADR:;;2250 Newmarket Pkwy SE;Marietta;GA;30067;United States of America
TEL;TYPE=home;VALUE=TEXT:+1 (678) 376-9258
TEL;TYPE=cell;VALUE=TEXT:+1 (678) 232-9357
URL;VALUE=URL:https://homedepot.com
UID:6d506c0e-6284-4e39-9c45-df7a649c804c
END:VCARD

Re: Questions on how to upgrade Apache

[Brian Inglis]

On 2021-04-09 05:59, Brian S. Wilson via Cygwin wrote:
> 
>>> I got a question for you all. Our cyber security team is yelling at us 
> to update Apache from 2.4.39 to 2.4.46.
>> If that website is customer-facing, your cyber security team and your
>> ops team should be yelling at you for running Apache on Cygwin.
>>
>> If you want to run Apache on Windows, you would be much better served
>> by native Apache builds (as others have suggested) -
>> http://httpd.apache.org/docs/current/platform/windows.html#down
>>
>> Csaba
> 
> In the past, I've used the Cygwin Apache instance for local testing when no 
> Linux systems were available (i.e. old Windows hardware was all that was 
> immediately available).  It gave us a good Posix like environment and allowed us 
> to test the effects of various configurations with greater freedom, control, and 
> much faster than we would otherwise have had if we were forced to go through the 
> corporate bureaucracy and wait for web administrators, System Admins, 
> purchaseing, setup, configuration, and networking of a real or virtual system 
> (at that time Docker wasn't available to us either).
> 
> Windows based Apache installations are a good choice when possible, but they are 
> not always the same as their Linux/Posix counterparts and if you are not 
> concerned with the speed of execution (and you have only Windows based hardware 
> available); but just with testing functionality, Cygwin offered a great way to 
> setup a compatible environment with an Apache server.

Sounds like you might as well use another server as try to run Windows Apache, 
as it appears it may be limited, you may have issues getting it to run 
similarly, and you will still have to change the config.

It may be easier for you to migrate your configuration to a WSL, VM, or server 
Linux Apache install than any alternative.

You may want to first try installing cygport and the apache source package, and 
try to build 2.4.39 as is, using cygport from the directory containing the .cygport:

	$ cygport httpd.cygport download all check

then if that succeeds, bump the version in the .cygport to 2.4.46, and rerun.

If you have some local Linux expertise, they can probably help you with any 
difficulties you may encounter, and you can post to this list.

For a new release, you may also have to reconsider the patches to be applied for 
the new version, available like the originals from the Fedora package repo for 
the current version, see:

https://cygwin.com/git-cygwin-packages/?p=git/cygwin-packages/httpd.git;a=blob;f=httpd.cygport

linking to:

https://src.fedoraproject.org/rpms/httpd/tree/main

Get those who are yelling at you to put their effort where their mouths are, by 
explaining and helping you to decide, which patches you need to apply to the new 
version and why, and/or mitigations they or you may want to put in place.

The big mouths are yelling at you as it is easier for them if you do their jobs 
for them by upgrading, than explaining the mitigations they have to put in 
place, and those you have to make, to continue running your current version.

An effective tactic for dealing with such big mouths is to explain to your boss 
what you are using Apache for, why you are using the Cygwin package of it, the 
effort and impact of you working on upgrading Cygwin, or migrating to a 
different web server including Windows Apache, and what that means in terms of 
your group goals.

Then have a meeting with the big mouths and their boss, so your boss can explain 
the impact to their boss, and ask what the big mouths can do to mitigate the 
current situation, and ask what they can do to help you to move the situation 
forward.

If they want you to migrate to their supported web server, ask them to provide 
resources to replicate your current configuration features in their environment, 
so you can limit the time you and your group have to waste on the migration.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]