[CentOS] security compliance vs. old software versions

Wed Jun 30 00:55:02 UTC 2010
John Jasen <jjasen at realityfailure.org>

Kwan Lowe wrote:
> On Tue, Jun 29, 2010 at 5:11 PM, Les Mikesell <lesmikesell at gmail.com> wrote:
>> What's the correct response to a security scan that points out that
>> apache versions below 2.2.14 have multiple known vulnerabilities?  Is
>> there an official document about what known vulnerabilities have been
>> fixed in the RHEL/CentOS updates or do you have to wade through the
>> changelog to try to find each thing?
>>
> 
> The upstream vendor backports many fixes. The best thing to do is
> reference the CVE number in the changelogs. It's still wading through
> a lot of changelogs, but with the CVE you can find it pretty quickly.

Googling the CVE # and the vendor will usually turn up the patched
version or disposition quickly.

Depending on the assessment tool and how bright it is, you can adjust
the settings for a more thorough scan that may reduce false positives.

Others can actually be set up to ssh into the box and verify patches.

-- 
-- John E. Jasen (jjasen at realityfailure.org)
-- "Deserve Victory." -- Terry Goodkind, Naked Empire