October 11th, 2021
Now running Apache 2.4.51, PHP 7.4.24, OpenSSL 1.1.1l, and more
Posted at 02:34:39 PM by froems
A lot of the software on the server had been out of date, so I took some time to upgrade a few things. Along the way, I had to install four new packages from slackware64-current that had not been part of the standard Slackware 14.2 install, those being the pam, krb5, libnsl, and nghttp2 packages.
I started by upgrading the Apache http server from 2.4.43 to 2.4.51 and then upgraded PHP from 7.4.8 to 7.4.24. These upgrades were compiled from source and were fairly straightforward.
Next, I upgraded to the openssl-1.1.1l package from slackware64-current. When I tried to use the new version, it immediately threw an error referencing a glibc 2.33 dependency. So I reverted the upgrade, upgraded to the glibc-2.33 package first, then upgraded to openssl-1.1.1l, and everything worked fine.
After that, I tried to upgrade OpenSSH from 8.2p1 to 8.3p1, which I had attempted to upgrade in the past without success. Based on errors I encountered, I determined that I needed to install pam-1.5.2 and krb5-1.19.2 from slackware64-current first, and then I could upgrade openssh-8.2p1 to openssh-8.3p1.
To upgrade all the way to the current OpenSSH package (8.8p1), I discovered yet another library dependency. So I first installed libnsl-1.3.0 from slackware64-current, and then upgraded openssh-8.3p1 to openssh-8.8p1. Finally, everything was working after all of these upgrades. The web server, PHP, OpenSSL, and OpenSSH were all running a current version.
The last package I installed from slackware64-current was nghttp2-1.45.1. It turns out that if you want to have access to the http module that enables http2, this package must be installed first. I installed the package, modified http.conf, and http2 was now working.
While I was in http.conf, I also made a few changes to disable some weak security ciphers and enabled mod_deflate to serve text in a compressed format. I also renewed the site's security certificates using a new 4096-bit RSA key.
With these changes, the system should be quite secure now, without sacrificing much in the way of performance.
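One way to check an Apache configuration for the three changes described above (HTTP/2 enabled, mod_deflate loaded, no weak ciphers left in `SSLCipherSuite`). This is an added example, not the author's script or configuration; the two sample configs, the `WEAK` keyword list and the function names are constructed for illustration, and the parser assumes an unquoted or simply quoted, colon-separated cipher string.

```python
import re

# Keywords treated as weak (an assumption of this example, not the post's list).
WEAK = {"RC4", "3DES", "DES", "MD5", "NULL", "ANULL", "ENULL", "EXP", "EXPORT", "LOW"}
# Constructed sample configs; neither is the author's actual file.
BEFORE = """LoadModule ssl_module modules/mod_ssl.so
SSLCipherSuite HIGH:MEDIUM:RC4-SHA:DES-CBC3-SHA:!aNULL
"""
AFTER = """LoadModule ssl_module modules/mod_ssl.so
LoadModule http2_module modules/mod_http2.so
LoadModule deflate_module modules/mod_deflate.so
Protocols h2 http/1.1
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!RC4
AddOutputFilterByType DEFLATE text/html text/plain text/css
"""

def weak_cipher_tokens(spec):
    """Return the tokens of an OpenSSL cipher string that still enable weak suites."""
    found = []
    for token in re.split(r"[:,]+", spec):
        if not token or token[0] in "!-":  # '!' and '-' remove suites from the list
            continue
        if {p.upper() for p in re.split(r"[+-]", token)} & WEAK:
            found.append(token)
    return found

def audit(conf_text):
    """Return a list of findings; an empty list means every check passed."""
    modules, protocols, suites = set(), [], []
    for line in conf_text.splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#<":  # skip blanks, comments, section tags
            continue
        name, args = parts[0].lower(), parts[1:]
        if name == "loadmodule" and args:
            modules.add(args[0])
        elif name == "protocols":
            protocols = [a.lower() for a in args]
        elif name == "sslciphersuite" and args:
            suites.append(args[-1].strip("\"'"))  # last argument is the cipher spec
    findings = [msg for ok, msg in [
        ("http2_module" in modules, "mod_http2 not loaded"),
        ("h2" in protocols, "Protocols does not offer h2"),
        ("deflate_module" in modules, "mod_deflate not loaded"),
        (bool(suites), "no SSLCipherSuite set"),
    ] if not ok]
    for spec in suites:
        findings += ["weak cipher enabled: " + t for t in weak_cipher_tokens(spec)]
    return findings
```

`audit(BEFORE)` reports the missing modules, the missing `h2` protocol and the two weak suites, while `audit(AFTER)` returns an empty list.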