Kwan Lowe wrote:
On Tue, Jun 29, 2010 at 5:11 PM, Les Mikesell lesmikesell@gmail.com wrote:
What's the correct response to a security scan that points out that apache versions below 2.2.14 have multiple known vulnerabilities? Is there an official document about what known vulnerabilities have been fixed in the RHEL/CentOS updates or do you have to wade through the changelog to try to find each thing?
The upstream vendor backports many fixes. The best thing to do is reference the CVE number in the changelogs. It's still wading through a lot of changelogs, but with the CVE you can find it pretty quickly.
Googling the CVE # and the vendor will usually turn up the patched version or disposition quickly.
Depending on the assessment tool and how bright it is, you can adjust the settings for a more thorough scan that may reduce false positives.
Others can actually be set up to ssh into the box and verify patches.
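As an added example (not part of this thread), a small POSIX shell script that does the changelog check Kwan describes: grep the output of `rpm -q --changelog <package>` for the CVE identifier the scanner complains about. So that it runs without `rpm` present, the changelog text below is a constructed sample (the maintainer name, versions and entries are made up for the demo and are not the real httpd changelog); on a real host you would feed the function the actual `rpm -q --changelog httpd` output instead.

```shell
#!/bin/sh
# Added example: check whether an RPM changelog references a given CVE.
# Constructed sample changelog (NOT real httpd changelog text); on a real
# box you would use:  CHANGELOG=$(rpm -q --changelog httpd)
SAMPLE_CHANGELOG='* Mon Jan 04 2010 Example Maintainer <maint@example.com> - 0.0.2-1.example
- Resolves: CVE-2009-3555 (constructed entry for this demo)
- Resolves: CVE-2009-3095 (constructed entry for this demo)
* Mon Jun 01 2009 Example Maintainer <maint@example.com> - 0.0.1-1.example
- partial fix for CVE-2009-3555 (constructed entry for this demo)
- unrelated bug fix'

# cve_fixed_in_changelog CVE-ID CHANGELOG_TEXT
# Prints every changelog line mentioning the CVE and returns 0;
# returns 1 (grep's "no match") when the CVE is not referenced at all.
# -F treats the id as a literal string, -i tolerates "cve-" lower-case.
cve_fixed_in_changelog() {
    cve=$1
    changelog=$2
    printf '%s\n' "$changelog" | grep -i -F -- "$cve"
}

# list_cves CHANGELOG_TEXT
# Prints the distinct CVE identifiers referenced anywhere in the changelog,
# one per line, so you can compare against the scanner's list in one go.
list_cves() {
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Demo on the constructed sample. The CVE ids queried here are just examples
# of the scanner's finding; the "fixed" verdict comes only from the sample text.
if cve_fixed_in_changelog CVE-2009-3555 "$SAMPLE_CHANGELOG"; then
    echo "CVE-2009-3555: fix referenced in changelog"
else
    echo "CVE-2009-3555: not referenced; check the vendor's CVE page or errata"
fi
echo "All CVEs referenced in this changelog:"
list_cves "$SAMPLE_CHANGELOG"
```

A match only tells you the vendor shipped a change that mentions the CVE; whether it was a full fix, a partial one, or a "not vulnerable" note is still something to read in the entry itself (and on the vendor's CVE page, as the reply above suggests). A scanner that keys only on the `Server:` banner version will keep flagging a backported package, which is why verifying against the installed package's changelog, or letting the scanner log in over ssh to check packages, is the better answer.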