[CentOS] Need httpd / apache RPM > 2.2.3 for 5.3

Sat Aug 29 21:17:08 UTC 2009
Alexander Dalloz <ad+lists at uni-x.org>

Alan McKay wrote:
> OK, here is the interesting part :-)
> 
> I'm new here as of about 4 months ago, and I just asked some coworkers
> why we went with 2.2.10 instead of the 2.2.3 that comes with CentOS.
> 
> Apparently at the time we'd been having some problems with mod_perl
> crashing (and still are in fact - I'm working on it slowly but
> surely), and we'd hired an outside consulting company to help out with
> it.  Their first comment was that 2.2.3 was "extremely buggy" and that
> we should definitely not go with it.  So that's what we did.  The
> newest release at the time was 2.2.10 and that's where we are.

And the problem you have is that you still stick with release 2.2.10 -
regardless of any security issue. Nobody has cared to update.

Check yourself

http://apache.mirror.clusters.cc/httpd/CHANGES_2.2

for occurrences of "SECURITY" and CVE numbers since the release of 2.2.10.

If you have really been running 2.2.10 since the days of those glorious
consultants, your webserver has several security holes.

Going with what CentOS ships, even if the package number indicates an
older release, you have the advantage that the upstream takes care of
security fixes by backporting.

[ ... ]

> thanks,
> -Alan

Best regards

Alexander
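
Added example, not part of the original message: one way to do the check described above, listing the SECURITY entries in a CHANGES-style file for every release newer than the one you run. The function names are hypothetical and the sample data is constructed, with placeholder CVE ids.

```shell
# security_since BASE FILE: print "version CVE-id" for every SECURITY entry
# in releases strictly newer than BASE in an Apache CHANGES-style file.
security_since() {
    awk -v base="$1" '
        # 1 if dotted version a is newer than b, compared field by field as
        # numbers (so 2.2.10 is newer than 2.2.9, unlike a string compare).
        function newer(a, b,    x, y, n, m, i) {
            n = split(a, x, "."); m = split(b, y, ".")
            for (i = 1; i <= (n > m ? n : m); i++) {
                if (x[i] + 0 != y[i] + 0) return (x[i] + 0 > y[i] + 0)
            }
            return 0
        }
        /^Changes with Apache / { ver = $4; next }
        /^ *\*\) SECURITY:/ && ver != "" && newer(ver, base) {
            id = "(no CVE id on this line)"
            if (match($0, /CVE-[0-9]+-[0-9]+/)) id = substr($0, RSTART, RLENGTH)
            print ver, id
        }
    ' "$2"
}

# Constructed sample in the CHANGES_2.2 layout; the CVE ids are placeholders.
write_sample() {
    cat > "$1" <<'EOF'
Changes with Apache 2.2.12

  *) SECURITY: CVE-0000-0003 (placeholder) constructed entry
  *) mod_example: constructed non-security entry

Changes with Apache 2.2.11

  *) SECURITY: CVE-0000-0002 (placeholder) constructed entry

Changes with Apache 2.2.10

  *) SECURITY: CVE-0000-0001 (placeholder) constructed entry

Changes with Apache 2.2.9

  *) SECURITY: CVE-0000-0000 (placeholder) constructed entry
EOF
}

# Demo on the constructed sample; pass a downloaded CHANGES_2.2 for real use.
sample=$(mktemp); write_sample "$sample"
security_since 2.2.10 "$sample"
rm -f "$sample"
```

For the packaged 2.2.3, `rpm -q --changelog httpd` shows which CVE fixes have been backported into the RPM.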