Apache Security Patches on CentOS / RHEL
By Pete Freitag
Those familiar with RedHat Enterprise Linux (RHEL) or CentOS servers may notice that when you update a Apache (or most any other package) on a RedHat / CentOS based server it still reports the same version number. This is because RedHat backports security updates, so the main version of Apache does stay the same and only the security fixes are patched.
This makes the platform more stable because it cuts down on incompatibilities between components, but if you have compliance requirements (eg PCI Compliance) you can't just look at the version number to see if you are all patched.
So how do I know if I have the latest Apache Security Patches
Apache publishes their security fixes on their site, you can find the list of security vulnerabilities in Apache 2.2.x here. If you don't want to check the site every day you can use something like stack.watch to follow apache http server vulnerabilities. It will send you an email when new vulnerabilities are published.
Looking at the list as of this writing, you will see that the Apache 2.2.25 has the most recent security fixes, and patched two issues: CVE-2013-1862 and CVE-2013-1896.
Also at the time of this writing a CentOS 6.4 server will report Apache 2.2.15 as the version number. So how do I know what security patches have been applied to the version of Apache that RedHat is maintaining? Run the following command:
rpm -q --changelog httpd
This will output a lot of stuff, but look towards the top and you will see:
* Fri Aug 02 2013 Jan Kaluza - 2.2.15-29 - mod_dav: add security fix for CVE-2013-1896 (#991368) * Mon Apr 29 2013 Joe Orton - 2.2.15-28 - mod_rewrite: add security fix for CVE-2013-1862 (#953729)
So, in order to show that you have applied the latest security hotfixes / patches for Apache you need to compare the Changelog to the security vulnerabilities page on the Apache's site.
You can monitor security vulnerabilities in RedHat Enterprise Linux (RHEL) here
Apache Security Patches on CentOS / RHEL was first published on November 22, 2013.
If you like reading about apache, httpd, security, centos, pci, or rhel then you might also like:
- Limiting what htaccess files can do in Apache
- Fixing Apache (13)Permission denied: access to / 403 Forbidden
- 20 ways to Secure Apache Configuration
- Why is my Apache httpd Alias Not Working?
Weekly Security Advisories Email
Advisory Week is a new weekly email containing security advisories published by major software vendors (Adobe, Apple, Microsoft, etc).