On 13 September 2017 at 14:10, Alan McKay <alan.mckay@gmail.com> wrote:
I don't have any official knowledge, but I would suspect that they will maintain httpd-2.2 throughout the lifetime of RHEL6. Security issues would be backported. (If older versions of RHEL are any indication)
The basic problem, though, is that there won't be any security fixes for 2.2. How can they backport something that does not exist?
Or do you mean you think they'll try to port a fix in 2.4 back to 2.2? Not even sure that will be possible.
Is there some way to get an official statement from RHEL on this? Like if I bought a licensed copy of RHEL and used it to open a support case or something like that?
Yes they have engineers who, when a CVE is discovered, will analyse if it applies to the httpd shipped in RHEL and if there is an issue will write their own patch (if there is no longer an upstream to directly backport from).
So long as you use the httpd shipped in RHEL/CentOS you will be protected against all known CVEs that get discovered - of course, ensuring that mitigating factors such as SELinux being enforced are in place also assists with protection from many/most vulnerabilities in something like httpd.
You will want to read up on:
https://access.redhat.com/support/policy/updates/errata/
and possibly:
https://access.redhat.com/articles/rhel-top-support-policies
and certainly:
https://access.redhat.com/security/updates/backporting
So yes, if there is a security issue found in the httpd 2.2 shipped with EL6 after December of this year, RHEL engineers will develop a patch to mitigate/fix it and include it in the build of httpd they ship.
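Because a backported fix leaves the package version at 2.2.x, the place to verify that a given CVE has been addressed is the RPM changelog rather than the version number. The following is an added example, not code from this thread or from Red Hat; it assumes the usual rpm changelog layout (one `* <date> <packager> - <version-release>` header per entry), and the sample changelog and CVE identifiers in it are constructed placeholders.

```shell
#!/bin/sh
# Print the version-release of the first changelog entry that mentions a CVE id.
# Reads changelog text on stdin; exits 1 if the CVE is not mentioned at all.
fix_release_for_cve() {
  awk -v cve="$1" '
    # Entry header: "* Mon Jan 02 2017 Packager <mail> - 2.2.15-60.el6"
    /^\* / { rel = $NF; next }
    # First body line under a header that mentions the CVE (case-insensitive)
    index(tolower($0), tolower(cve)) && rel != "" && !seen { print rel; seen = 1 }
    END { exit seen ? 0 : 1 }
  '
}

# Query the installed httpd package on a RHEL/CentOS host (rpm -q --changelog).
httpd_cve_fixed() {
  rpm -q --changelog httpd | fix_release_for_cve "$1"
}

# Constructed sample changelog; the CVE ids and releases below are placeholders.
SAMPLE_CHANGELOG='* Mon Jan 02 2017 Example Packager <packager@example.com> - 2.2.15-60.el6
- Resolves: CVE-2000-00002 (placeholder id) - later backported fix
* Mon Jun 06 2016 Example Packager <packager@example.com> - 2.2.15-54.el6
- Resolves: CVE-2000-00001 (placeholder id) - earlier backported fix
- unrelated change'

# Demo against the constructed changelog (no rpm needed):
printf '%s\n' "$SAMPLE_CHANGELOG" | fix_release_for_cve CVE-2000-00001 \
  && echo "fixed" || echo "not mentioned"
```

On a real host, `httpd_cve_fixed CVE-XXXX-NNNN` reports the first httpd build whose changelog records that fix; an empty result means the changelog does not claim it, not necessarily that the package is vulnerable.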