[CentOS] Apache 2.2 EOL - what is Red Hat's story for RHEL6?

James Hogarth james.hogarth at gmail.com
Wed Sep 13 13:57:54 UTC 2017


On 13 September 2017 at 14:10, Alan McKay <alan.mckay at gmail.com> wrote:

> > I don't have any official knowledge, but I would suspect that they will
> > maintain httpd-2.2 throughout the lifetime of RHEL6.  Security issues
> > would be backported.  (If older versions of RHEL are any indication)
>
> The basic problem is though that there won't be any security fixes for 2.2.
> How can they back port something that does not exist?
>
> Or do you mean you think they'll try to port a fix in 2.4 back to 2.2?
> Not even sure that will be possible.
>
> Is there some way to get an official statement from RHEL on this?
> Like if I bought a licensed copy of RHEL and used it to open a support
> case or something like that?
>


Yes they have engineers who, when a CVE is discovered, will analyse if it
applies to the httpd shipped in RHEL and if there is an issue will write
their own patch (if there is no longer an upstream to directly backport
from).

So long as you use the httpd shipped in RHEL/CentOS you will be protected
against all known CVEs that get discovered - of course ensuring that
mitigating factors such as SELinux being enforcing also assists with
protection from many/most vulnerabilities in something like httpd.

You will want to read up on:

https://access.redhat.com/support/policy/updates/errata/

and possibly:

https://access.redhat.com/articles/rhel-top-support-policies

and certainly:

https://access.redhat.com/security/updates/backporting

So yes if there is a security issue found in the httpd 2.2 shipped with EL6
after December of this year RHEL engineers will develop a patch to
mitigate/fix it and include it in their build of httpd they ship.


