Problem/Motivation
Over in #2854817: Duplicate X-Content-Type-Options headers both with the value nosniff, we are trying to fix the X-Content-Type-Options
header from being duplicated. There are currently 2 approaches, one is rather hacky (unset + set), the other is more elegant (set the header only if empty). The second option relies on a directive that was added in Apache 2.4.7. Drupal currently does not specify a minimum version other than "2.x" on the requirements page.
Other than that, Apache 2.4.6 and below are ancient, unsupported, and those versions contain a number of known vulnerabilities. The 2.2.x branch was End-of-Lifed in January 2018.
Proposed resolution
Update the D8 (and D7) requirements to require at least Apache 2.4.7.
Remaining tasks
- Discuss if changing the requirement is acceptable;
- Update the documentation/requirements
User interface changes
None
API changes
None
Data model changes
None
Release note
Drupal 9 now requires Apache 2.4.7 or higher.
Comment | File | Size | Author |
---|---|---|---|
#16 | 3114079-16.patch | 528 bytes | johnwebdev |
Comments
Comment #2
mr.baileysComment #3
Liam MorlandI agree with specifying Apache 2.4.7 as the minimum version.
Comment #4
gisle+1 from me as well.
Comment #5
longwaveUnfortunately RHEL/CentOS 7 appear to ship with 2.4.6. I am not sure if the setifempty option has been backported to these packages.
Comment #6
xmacinfoIf this is only a recommendation, “specifying Apache 2.4.7 as the minimum version” is OK.
I would not want to see sites stop running because for various reasons they cannot update their Apache stack.
Comment #7
Liam MorlandThe preferred way of resolving #2854817: Duplicate X-Content-Type-Options headers both with the value nosniff would make it incompatible with Apache 2.4.6 and earlier. It would also be an easy fix to manually change the htaccess file to remove the incompatibility if someone is stuck for some reason. (How can someone be secure using such an old version?)
Comment #8
longwave@Liam Morland in the case of RHEL/CentOS, Red Hat backport all applicable security fixes but no new features.
Comment #9
longwaveJust tested and it looks like this is a no go on RHEL/CentOS 7 unfortunately. These distros are supported with security updates until 2024 - although it is worth noting that to run Drupal they already need additional PHP packages, as they only ship with PHP 5.4 out of the box.
Comment #10
Ghost of Drupal PastFor the sake of completeness: on the .deb side of the fence, everything is fine even Ubuntu 16.04 is 2.4.18 https://launchpad.net/ubuntu/xenial/+source/apache2 and the stable-before-oldstable Debian which still has support until this summer https://packages.debian.org/jessie/apache2 is 2.4.10
To give you an idea just how old this stuff is, XAMPP is a good example: when they went 2.4.7 six years ago they also shipped PHP 5.5 and MySQL 5.6. https://www.apachefriends.org/blog/news-article-232017.html
RHEL life cycles are a complex animal. https://endoflife.software/operating-systems/linux/red-hat-enterprise-li... If we take the End of Full Support, RHEL 7 is already dead and by the time 8.9 / 9.0 releases End of Maintenance Support 1 will also be practically upon us but if we wanted to support RHEL in all its stages then even RHEL 5.0 (!) is not fully out of support. Since you can't run an unchanged RHEL 7 already anyways, is it very ardous to require a newer Apache as well?
Comment #11
catchIt seems reasonable to me to require the lowest version that enables #3114079-7: Update minimum supported Apache version to >= 2.4.7 to be resolved. People on older versions aren't completely stuck - they can modify the .htaccess.
Comment #12
catchWe've been basing PHP and database requirements on the most recent LTS releases for things like RHEL and Debian, not the oldest ones still in support, so I think it's OK to require an upgrade (either of apache or distribution) for the very oldest cases.
RTBCing but also tagging to get an extra +/-1 from xjm before we change the docs. And adding various tags.
Comment #13
alexpottWe need a follow-up issue to make the code changes then.
update system_requirements()
has heaps of stuff about Apache 2.2.16...We also need to update \Drupal\Component\FileSecurity\FileSecurity::denyPublicAccess(), \Drupal\Composer\Plugin\VendorHardening\FileSecurity::denyPublicAccess and \Drupal\Composer\Plugin\VendorHardening\FileSecurity::denyPublicAccess as they have Apache 2.0-2.2 code. Or do we leave that it *just to be safe*?
And we need to update core/INSTALL.txt
It feels odd not having a patch on this issue.
Comment #14
catchActually removing code that supports older Apache versions I think we should do in a follow-up, but INSTALL.txt is probably in scope here.
Comment #15
Liam MorlandThere isn't a patch because all it is really doing is defining it to not be a bug if #2854817: Duplicate X-Content-Type-Options headers both with the value nosniff is fixed in a way that is incompatible with older Apache. system_requirements() could be made to test for the Apache version.
It would be valid to leave in the Apache 2.2 and 2.0 stuff on the basis that if you're using Apache 2.4, it needs to be >= 2.4.7, but older branches of Apache are still supported (though they are not supported by Apache, so they really ought not to be used).
Comment #16
johnwebdev CreditAttribution: johnwebdev commentedPatch that updates INSTALL.txt :)
Comment #17
longwaveThe issue is set to 8.9.x but this feels like something we shouldn't do until 9.0.x, right?
Comment #18
catchComment #19
Liam MorlandAfter exhaustive testing on multiple architectures, I can confirm the patch in #16.
Comment #20
alexpottI dunno but to have text that says the
to run Drupal without mod_rewrite, a minimum version of 2.2.16 is needed
is very odd if we're updating the minimum supported version to be 2.4.7.Comment #21
Liam MorlandI think we should resolve the policy question here and remove older Apache code in a child issue. That would immediately unblock the preferred solution to #2854817: Duplicate X-Content-Type-Options headers both with the value nosniff.
Comment #22
alexpottI've opened #3118714: Review apache specific code in light of requiring >= 2.4.7 to address my concerns in a follow-up.
Comment #23
catchAdded a CR and a release note, but the patch needs a re-roll.
Comment #25
catchDid that locally.
Committed c88513f and pushed to 9.0.x. Thanks!
Comment #27
isalmanhaider CreditAttribution: isalmanhaider as a volunteer commentedI installed the latest MAMP 5 on my mac, still apache is at 2.2 and I am getting this error while upgrading a D8 site to D9
How do I resolve this?
Issue: https://www.drupal.org/project/upgrade_status/issues/3145991
Comment #28
wxman CreditAttribution: wxman commentedI've been fighting with this problem for a while now. I'm on a CentOS server that uses Plesk as the controlling software. CentOS that installs with Plesk is CentOS 7.8.2003. It ships with a max Apache version of 2.4.6. So far I've got nothing but bad news regarding upgrading to 2.4.7. I have MariaDB upgraded to 10.x so that's no problem, and PHP is at 7.4, but I just don't know what else to do about my Apache version. Until it gets included in some future update, I can't move all my sites to D9.
EDIT: even though it says I have 2.4.6 the copy running on this version of CentOS has all the features backported from newer versions.
EDIT#2: I just found out that I can't do any third party upgrades on my server without violating my user license with Plesk. So I can't upgrade Drupal to 9 until CentOS itself includes a later version of Apache, or Plesk includes CentOS 8.
Comment #29
mikegodin CreditAttribution: mikegodin commentedPlease note that Red Hat Enterprise Linux 8 (RHEL8) is not approved for use on U.S. federal government servers (see https://access.redhat.com/articles/2918071) for compliance status, meaning that the latest version of RHEL that Federal users can upgrade to us RHEL7. The only version of Apache certified for use on RHEL7 is 2.4.6, and upgrading beyond this version on RHEL7 servers is strongly discouraged (unlike PHP and other requirements). Requiring 2.4.7 will effectively block all U.S. Federal web sites running RedHate Enterprise Linux from upgrading from Drupal 8 to Drupal 9. Even if RHEL8 gains approval for use on U.S. Federal government servers today, many of these sites will not be able to upgrade to RHEL8 before Drupal 8's EOL in November 2021 and will be forced to consider a different CMS.
Contrary to the OP's comment, Apache 2.4.6 in neither ancient not unmaintained, as it is actively updated and maintained by RedHat, who has back-ported all security updates (but not feature updates) into the release.
Update: I was able to replace the httpd package with httpd24-httpd from the officially supported Red Hat Software Collections (RHSCL) httpd24 repository without any issues on a few different RHEL7 machines. This upgraded the system to Apache 2.4.34, and the instructions to do so are well described here: https://unix.stackexchange.com/questions/138899
Comment #30
wxman CreditAttribution: wxman commentedThank you mikegodin #29. My server people agree that the 2.4.6 version we have will not be changed for quite a while. I've been able to upgrade, and fix everything else, so now the only hold up is a perfectly safe version of Apache.
Comment #31
jsidigital CreditAttribution: jsidigital commentedWe are running CentOS 7 with Apache 2.4.46 and had no problems upgrading to Drupal 9.
Apache 2.4.46 is the latest supported version to the date I posted this and most hosts out there do not support anything that is not the official latest version. Many hosts consider 2.4.7 as not yet official and will not carry it or offer support to sites running it.
Liquidweb mentioned that if Apache 2.4.7 is the minimum, then they do not support Drupal 9 sites.
However, they did mention that they have a sites running Drupal 9 with the latest Apache 2.4.46 with no issues.
Seems like the Apache 2.4.7 minimum is just a "recommendation"?
Comment #32
Liam MorlandThe preferred way of resolving #2854817: Duplicate X-Content-Type-Options headers both with the value nosniff would make it incompatible with Apache 2.4.6 and earlier. That is a major reason for defining this minimum.
On the other hand, some supported versions of Linux distributions included Apache 2.4.6 with security patches applied. So, people can be running a currently-supported Linux distribution and still have Apache 2.4.6.
Comment #33
jsidigital CreditAttribution: jsidigital commentedThat is a great point Liam.
I will double check with my host to see if they applied those patches.
Thank you.