Copy link to clipboard
Copied
We're using Windows Server 2008 R2 Enterprise and our security team has instructed us that we must update Flash and Apache on Adobe Media Server 5 Professional to take care of some security vulnerabilities. I'm wondering about two things:
First, is it necessary to have Flash installed? We don't do any kind of live encoding/broadcasts. Everything is vod. If it is necessary, what is the newest version of Flash we can update to if we're using Win Server 2008?
Second, we're running Apache 2.4.10 now. Will updating Apache to the newest version (2.4.23) break anything in AMS 5?
Copy link to clipboard
Copied
Having latest version of Flash player always helps..I guess FP is at version 23.0.0.173 as of now.
As for apache..AMS uses its own apache which is version 2.4.10 and is 64 bit...User are expected to have only one apache running on the machine and in case of AMS it should be the version of apache that is built into AMS...Although i theory you have have more than one apache running on the same machine., but that is generally not the practice. As far as the apache that comes with AMS is concerned, there are couple of adobe modules which are compiled with apache and in theory they are apache version dependent. We would recommend to people to use apache version that ships with AMS i.e version 2.4.10...Also note that one of the security components of apache is openssl(come into play if you use enable mod_ssl in apache configs). Adobe makes sure that our latest drop/dot release of AMS is always on one the latest versions of openssl. So if the security vulnerability is with regard to openssl..rest assured you have that fixed on form of latest version of openssl available inside Aapche. However if the vulnerability if within apache code, you will have to weigh the considerations yourself.
Copy link to clipboard
Copied
I checked apache changelog and found no critical/important/high bug/vulnerability fix between 2.4.10 and 2.4.23.
An issue was fixed in 2.4.23 for CVE-2016-4979. but then that is applicable only of one was already on Apache version 2.4.18 or higher...i.e does not affect Apache version 2.4.10