On Tue, Jun 29, 2010 at 5:11 PM, Les Mikesell <lesmikesell at gmail.com> wrote: > What's the correct response to a security scan that points out that > apache versions below 2.2.14 have multiple known vulnerabilities? Is > there an official document about what known vulnerabilities have been > fixed in the RHEL/CentOS updates or do you have to wade through the > changelog to try to find each thing? > > -- > Les Mikesell > lesmikesell at gmail.com Have them read this: http://www.redhat.com/security/updates/backporting/?sc_cid=3093 If you're dealing with an auditor, that should be all they need as at least they can write down that you've made a conscious decision based on that information.