Alan McKay wrote:
> OK, here is the interesting part :-)
> I'm new here as of about 4 months ago, and I just asked some coworkers why we went with 2.2.10 instead of the 2.2.3 that comes with CentOS.
> Apparently at the time we'd been having some problems with mod_perl crashing (and still are, in fact; I'm working on it slowly but surely), and we'd hired an outside consulting company to help out with it. Their first comment was that 2.2.3 was "extremely buggy" and that we should definitely not go with it. So that's what we did. The newest release at the time was 2.2.10, and that's where we are.
And the problem you have is that you are still sticking with release 2.2.10, regardless of any security issues. Nobody has cared to update.
Check yourself
http://apache.mirror.clusters.cc/httpd/CHANGES_2.2
for occurrences of "SECURITY" and CVE numbers since the release of 2.2.10.
If you have really been running 2.2.10 since the days of those glorious consultants, your webserver has several security holes.
Going with what CentOS ships, even if the package number indicates an older release, you have the advantage that the upstream takes care of security fixes by backporting.
[ ... ]
> thanks, -Alan
Best regards
Alexander
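To do the check Alexander describes against an actual CHANGES_2.2 file without eyeballing it, here is an added example (my own code, not Alexander's and not the Apache project's) that parses the "Changes with Apache x.y.z" / "*)" layout of that file and lists every entry flagged SECURITY or carrying a CVE number for releases newer than the one you run. The embedded sample is a constructed excerpt with placeholder CVE numbers and descriptions, not real entries from the file; pass the path of a downloaded CHANGES_2.2 as the first argument to get the real list.

```python
import re
import sys
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Layout of Apache's CHANGES files: a "Changes with Apache X.Y.Z" header per
# release, then entries starting with "*)", continued on indented lines.
RELEASE_RE = re.compile(r"^Changes with Apache (\d+(?:\.\d+)+)\s*$")
ENTRY_RE = re.compile(r"^\s*\*\)\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample in the layout of CHANGES_2.2. The CVE numbers and
# descriptions are placeholders for this example, NOT real Apache entries.
SAMPLE_CHANGES = """\
                                                         -*- coding: utf-8 -*-

Changes with Apache 2.2.12

  *) SECURITY: CVE-2009-9001 (cve.mitre.org)
     mod_example: placeholder description of a fix.  [Someone]

  *) mod_other: a non-security bug fix.  PR 00000.  [Someone]

Changes with Apache 2.2.11

  *) SECURITY: CVE-2009-9002 (cve.mitre.org)
     core: placeholder description of another fix.  [Someone]

Changes with Apache 2.2.10

  *) SECURITY: CVE-2008-9003 (cve.mitre.org)
     placeholder entry that already ships in 2.2.10.  [Someone]
"""


def parse_version(text: str) -> Version:
    """'2.2.10' -> (2, 2, 10), so tuples compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))


def parse_changes(text: str) -> Dict[Version, List[str]]:
    """Map each release to its '*)' entries, each joined into one string."""
    releases: Dict[Version, List[str]] = {}
    current: Optional[Version] = None
    entry_lines: List[str] = []

    def flush() -> None:
        # Attach the entry collected so far to the release it belongs to.
        if current is not None and entry_lines:
            releases[current].append(" ".join(l.strip() for l in entry_lines))
        entry_lines.clear()

    for line in text.splitlines():
        m = RELEASE_RE.match(line)
        if m:
            flush()                      # close the last entry of the previous release
            current = parse_version(m.group(1))
            releases.setdefault(current, [])
            continue
        if current is None:              # preamble before the first release header
            continue
        e = ENTRY_RE.match(line)
        if e:
            flush()
            entry_lines.append(e.group(1))
        elif line.strip() and entry_lines:
            entry_lines.append(line)     # indented continuation line of an entry
    flush()
    return releases


def security_fixes_since(text: str, installed: str) -> List[Tuple[str, List[str], str]]:
    """Security entries in releases newer than `installed`, newest release first.

    Returns (release, sorted unique CVE ids, entry text) tuples. An entry counts
    if it is flagged SECURITY or mentions a CVE id anywhere in its text.
    """
    base = parse_version(installed)
    releases = parse_changes(text)
    found: List[Tuple[str, List[str], str]] = []
    for version in sorted(releases, reverse=True):
        if version <= base:
            continue
        for entry in releases[version]:
            if "SECURITY" in entry or CVE_RE.search(entry):
                cves = sorted(set(CVE_RE.findall(entry)))
                found.append((".".join(map(str, version)), cves, entry))
    return found


if __name__ == "__main__":
    # Usage: python check_changes.py [path/to/CHANGES_2.2] [installed-version]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CHANGES
    installed = sys.argv[2] if len(sys.argv) > 2 else "2.2.10"
    for release, cves, entry in security_fixes_since(text, installed):
        print(f"{release}: {', '.join(cves) or '(no CVE id)'} :: {entry[:70]}")
```

The version comparison is done on integer tuples on purpose: comparing "2.2.10" and "2.2.9" as strings would put 2.2.9 after 2.2.10. Note that a count of zero from this script only says nothing newer is listed in upstream's CHANGES; it says nothing about fixes a distribution has backported into a package whose version string still reads 2.2.3.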