DataONEorg / DataONE_Operations

Operations documentation for DataONE infrastructure
Apache License 2.0

Move third party Apache PPA installs back to Canonical Apache packages #14

Open nickatnceas opened 2 years ago

nickatnceas commented 2 years ago

Some servers are using Apache packages put out by a Debian developer who pushes out the latest Apache upstream releases. This gives us the latest features, but at the expense of security updates breaking installs: https://github.com/oerdnj/deb.sury.org/issues/1702

The Canonical-provided Apache packages provide 10 years of backported security updates (5 year free/5 year paid) which focus on not breaking Apache during updates.

The following servers are running the third party Apache PPA on Ubuntu 18.04 as of 2022-06-16:

Since these are Ubuntu 18.04 servers, and the free support period is ending in <10 months, it may be worth waiting to switch back to the Canonical Apache packages when upgrading to Ubuntu 20.04 (Apache 2.4.41) or 22.04 (Apache 2.4.52). The OS upgrade ticket is at https://github.nceas.ucsb.edu/NCEAS/Computing/issues/156

nickatnceas commented 1 year ago

We received UCSB security alerts for 8 of these servers which need to be reported back in <2 weeks before the servers are blocked, details in https://github.nceas.ucsb.edu/NCEAS/security/issues/121

We can avoid this if we either move off the PPA, or if the PPA is required, someone subscribes to the Apache security list and makes it a priority to install security updates when released. It is much less effort to stick on the Ubuntu-supplied Apache packages and have them auto-installed (which we cannot do safely with the PPA since they sometimes release upgrades which break Apache).

@datadavev @taojing2002 do any of these servers require the third party Apache PPA? If not I can start moving them back to official packages.
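A quick way to confirm which hosts still carry the PPA-supplied apache2 before migrating them, as an added example that is not part of the DataONE_Operations repo or this thread: it parses `apt-cache policy apache2` and reports whether the installed version's source is a Launchpad PPA or the Canonical archive. The two policy listings below are constructed samples (the PPA name `ondrej/apache2` and the version strings are assumptions, not values from the issue).

```shell
#!/bin/sh
# Classify where the installed apache2 package comes from by parsing the
# output of `apt-cache policy apache2` read on stdin. Prints "ppa" for a
# Launchpad PPA, "ubuntu" for the Canonical archive, "unknown" otherwise.
apache_origin() {
    awk '
        /^ \*\*\* /                 { in_inst = 1; next }   # block of the installed version
        in_inst && $1 !~ /^[0-9]+$/ { exit }                # reached the next version entry
        in_inst && $1 ~ /^[0-9]+$/ && $2 !~ /^\// {         # "500 http://... suite/comp" line
            if ($2 ~ /ppa\.launchpad\.net/)      r = "ppa"
            else if ($2 ~ /ubuntu\.com\/ubuntu/) r = "ubuntu"
            else                                 r = "unknown"
            exit
        }
        END { print (r == "" ? "unknown" : r) }
    '
}

# Constructed sample: apache2 installed from the third-party PPA on bionic.
SAMPLE_PPA=$(cat <<'EOF'
apache2:
  Installed: 2.4.54-1+ubuntu18.04.1+deb.sury.org+1
  Candidate: 2.4.54-1+ubuntu18.04.1+deb.sury.org+1
  Version table:
 *** 2.4.54-1+ubuntu18.04.1+deb.sury.org+1 500
        500 http://ppa.launchpad.net/ondrej/apache2/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.29-1ubuntu4.24 500
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
EOF
)

# Constructed sample: apache2 from the Canonical security pocket.
SAMPLE_UBUNTU=$(cat <<'EOF'
apache2:
  Installed: 2.4.29-1ubuntu4.24
  Candidate: 2.4.29-1ubuntu4.24
  Version table:
 *** 2.4.29-1ubuntu4.24 500
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status
EOF
)

# Demonstrate on the samples; on a real host run: apt-cache policy apache2 | apache_origin
printf '%s\n' "$SAMPLE_PPA"    | apache_origin   # ppa
printf '%s\n' "$SAMPLE_UBUNTU" | apache_origin   # ubuntu
```

A host reporting "ppa" is one whose security updates will not arrive through the normal Ubuntu channel and is a candidate for the move back to official packages.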