Apache Security Patches on CentOS / RHEL

November 22, 2013

Those familiar with Red Hat Enterprise Linux (RHEL) or CentOS servers may notice that when you update Apache (or most any other package) on a Red Hat / CentOS based server, it still reports the same version number. This is because Red Hat backports security updates: the upstream version of Apache stays the same and only the security fixes are patched in.

This makes the platform more stable because it cuts down on incompatibilities between components, but if you have compliance requirements (e.g. PCI compliance) you can't just look at the version number to see if you are fully patched.

So how do I know if I have the latest Apache security patches?

Apache publishes their security fixes on their site; you can find the list of security vulnerabilities in Apache 2.2.x here.

Looking at the list as of this writing, you will see that Apache 2.2.25 has the most recent security fixes, and patched two issues: CVE-2013-1862 and CVE-2013-1896.

Also, at the time of this writing, a CentOS 6.4 server will report Apache 2.2.15 as the version number. So how do I know what security patches have been applied to the version of Apache that Red Hat is maintaining? Run the following command:

rpm -q --changelog httpd

This will output the full package changelog, newest entries first, but look towards the top and you will see:

* Fri Aug 02 2013 Jan Kaluza - 2.2.15-29
- mod_dav: add security fix for CVE-2013-1896 (#991368)

* Mon Apr 29 2013 Joe Orton - 2.2.15-28
- mod_rewrite: add security fix for CVE-2013-1862 (#953729)

So, in order to show that you have applied the latest security hotfixes / patches for Apache, you need to compare the changelog to the security vulnerabilities page on Apache's site.
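The comparison described above can be scripted rather than done by eye. The following is an added example, not code from the original post: it reads changelog text on standard input, extracts the CVE identifiers it mentions, and reports which of a given list of CVEs are missing. The sample changelog is the excerpt quoted in the post and the two wanted CVEs are the ones the post names for Apache 2.2.25; on a real host you would pipe the output of rpm -q --changelog httpd in instead. The function names (cves_in_changelog, missing_cves, check_patched, newest_release) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): compare the CVEs named in an RPM
# changelog against a list of CVEs taken from the upstream security page.

# The changelog excerpt quoted in the post (rpm prints newest entries first).
SAMPLE_CHANGELOG='* Fri Aug 02 2013 Jan Kaluza - 2.2.15-29
- mod_dav: add security fix for CVE-2013-1896 (#991368)

* Mon Apr 29 2013 Joe Orton - 2.2.15-28
- mod_rewrite: add security fix for CVE-2013-1862 (#953729)'

# CVEs fixed in Apache 2.2.25 according to the upstream page cited in the post.
WANTED_CVES="CVE-2013-1862 CVE-2013-1896"

# cves_in_changelog: print the unique CVE ids found in changelog text on stdin.
cves_in_changelog() {
    grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# newest_release: print the version-release of the newest changelog entry,
# i.e. the first "* ..." header line (rpm lists entries newest first).
newest_release() {
    sed -n '/^\* /{s/.* - //;p;q;}'
}

# missing_cves WANTED: read changelog text on stdin and print every CVE from
# the space-separated WANTED list that the changelog does not mention.
missing_cves() {
    found=$(cves_in_changelog)
    for cve in $1; do
        printf '%s\n' "$found" | grep -qx "$cve" || echo "$cve"
    done
}

# check_patched WANTED: return 0 if every wanted CVE appears in the changelog
# read from stdin, otherwise print the missing ones and return 1.
check_patched() {
    missing=$(missing_cves "$1")
    if [ -n "$missing" ]; then
        printf 'Changelog does not mention: %s\n' "$missing"
        return 1
    fi
    printf 'All wanted CVEs are mentioned in the changelog\n'
    return 0
}

# Run against the sample from the post; on a live CentOS / RHEL host use
#   rpm -q --changelog httpd | check_patched "$WANTED_CVES"
printf '%s\n' "$SAMPLE_CHANGELOG" | check_patched "$WANTED_CVES"
```

A match in the changelog shows that Red Hat shipped a fix for that CVE in the installed build; the absence of a CVE is a prompt to look further, not automatically a finding, since Red Hat's advisory for the CVE may state that the RHEL build is not affected. The changelog also only covers the package that is installed, so make sure yum has actually pulled the newest httpd before reading it.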


Foundeo Inc.