Kwan Lowe wrote:
> On Tue, Jun 29, 2010 at 5:11 PM, Les Mikesell <lesmikesell at gmail.com> wrote:
>> What's the correct response to a security scan that points out that
>> apache versions below 2.2.14 have multiple known vulnerabilities? Is
>> there an official document about what known vulnerabilities have been
>> fixed in the RHEL/CentOS updates or do you have to wade through the
>> changelog to try to find each thing?
>
> The upstream vendor backports many fixes. The best thing to do is
> reference the CVE number in the changelogs. It's still wading through
> a lot of changelogs, but with the CVE you can find it pretty quickly.

Googling the CVE # and the vendor will usually turn up the patched version or disposition quickly. Depending on the assessment tool and how bright it is, you can adjust the settings for a more thorough scan that may reduce false positives. Others can actually be set up to ssh into the box and verify patches.

-- 
-- John E. Jasen (jjasen at realityfailure.org)
-- "Deserve Victory." -- Terry Goodkind, Naked Empire
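The "reference the CVE number in the changelogs" approach from the thread, as an added shell example that is not part of the original thread. On a real RHEL/CentOS host the changelog comes from `rpm -q --changelog httpd`; here a constructed changelog excerpt with placeholder CVE ids (CVE-EXAMPLE-NNNN, not real identifiers) is embedded so the script runs offline. The function and variable names are assumptions for the example.

```shell
#!/bin/sh
# Constructed RPM changelog excerpt (not real rpm output; CVE ids are placeholders).
# On a live system, replace this with:  rpm -q --changelog httpd
SAMPLE_CHANGELOG='* Tue Jan 12 2010 Example Maintainer <maint@example.com> - 2.2.3-31.el5_4.4
- add backported security fix for CVE-EXAMPLE-0001
* Mon Nov 02 2009 Example Maintainer <maint@example.com> - 2.2.3-31.el5_4.2
- add backported security fix for CVE-EXAMPLE-0002
- rebuild against updated apr'

# cve_listed CVE-ID : reads a changelog on stdin, exits 0 if the id appears.
# This is the check that answers a version-only scanner finding: the package
# version stays below the upstream "fixed" release, but the fix is backported.
cve_listed() {
    grep -q -i -- "$1"
}

# list_cves : reads a changelog on stdin, prints each distinct CVE id once.
# Useful for building the list to hand back to the assessment team.
list_cves() {
    grep -o -E 'CVE-[A-Z0-9]+-[0-9]+' | sort -u
}

# check_sample CVE-ID : runs cve_listed against the embedded excerpt,
# prints "fixed" or "not found" and returns 0 / 1 accordingly.
check_sample() {
    if printf '%s\n' "$SAMPLE_CHANGELOG" | cve_listed "$1"; then
        echo "fixed"
        return 0
    else
        echo "not found"
        return 1
    fi
}

# count_sample_cves : number of distinct CVE ids in the embedded excerpt.
count_sample_cves() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | list_cves | wc -l | tr -d ' '
}

# Stand-alone usage against the constructed excerpt.
check_sample CVE-EXAMPLE-0001
check_sample CVE-EXAMPLE-9999
printf '%s\n' "$SAMPLE_CHANGELOG" | list_cves
```

For a real host, pipe `rpm -q --changelog httpd` into `cve_listed` with the CVE id the scanner flagged; a match shows the backported fix is present even though the reported Apache version is below 2.2.14, which is exactly the false positive the thread describes.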