Apache Security Patches on CentOS / RHEL
Those familiar with RedHat Enterprise Linux (RHEL) or CentOS servers may notice that when you update a Apache (or most any other package) on a RedHat / CentOS based server it still reports the same version number. This is because RedHat backports security updates, so the main version of Apache does stay the same and only the security fixes are patched.
This makes the platform more stable because it cuts down on incompatibilities between components, but if you have compliance requirements (eg PCI Compliance) you can't just look at the version number to see if you are all patched.
So how do I know if I have the latest Apache Security Patches
Apache publishes their security fixes on their site, you can find the list of security vulnerabilities in Apache 2.2.x here.
Looking at the list as of this writing, you will see that the Apache 2.2.25 has the most recent security fixes, and patched two issues: CVE-2013-1862 and CVE-2013-1896.
Also at the time of this writing a CentOS 6.4 server will report Apache 2.2.15 as the version number. So how do I know what security patches have been applied to the version of Apache that RedHat is maintaining? Run the following command:
rpm -q --changelog httpd
This will output a lot of stuff, but look towards the top and you will see:
* Fri Aug 02 2013 Jan Kaluza - 2.2.15-29 - mod_dav: add security fix for CVE-2013-1896 (#991368) * Mon Apr 29 2013 Joe Orton - 2.2.15-28 - mod_rewrite: add security fix for CVE-2013-1862 (#953729)
So, in order to show that you have applied the latest security hotfixes / patches for Apache you need to compare the Changelog to the security vulnerabilities page on the Apache's site.
- 20 ways to Secure your Apache Configuration - December 6, 2005
- Blocking .svn and .git Directories on Apache or IIS - October 15, 2013
- Fixing Apache (13)Permission denied: access to / 403 Forbidden - July 21, 2011
- Changing the ColdFusion CFIDE Scripts Location - January 10, 2011
- Announcing HackMyCF Paid Subscriptions - January 4, 2011
- Updating Java on ColdFusion or Lucee
- ColdFusion returning empty response with server-error: true
- Careful applying CF11u16, CF2016u8, CF2018u2
- Sessions don't work in Chrome but do in IE
- csrfVerifyToken does not invalidate the token
- The cf_sql_ is optional in cfqueryparam
- Cookie Expires / Max-Age 1969-12-31T23:59:59.000Z
- Burst Throttling on AWS API Gateway Explained