Originally Posted by chrism01
You do know that RHEL (& therefore CentOS) don't keep upgrading the main pkg version nums, they just backport the necessary updates and adjust the release num instead, e.g.
While I do understand the basic idea behind package and release numbers, I was not aware that they were not releasing new package numbers in conjunction with the software package. Thank you for clarifying this.
Can you tell me where on Red Hat's website I can find the details on what updates are included in their latest release of httpd-2.2.3-22.el5.centos.2 for example? Or perhaps on the CentOS website?
One concern here is that Apache released httpd 2.2.13 on 08-Aug-2009. The most recent release from Red Hat of 2.2.3-22.el5.centos.2 was on 14-Jul-2009. So I'm guessing they don't have the updates made on the 8th of August from Apache. My scan vendor is telling me this update is necessary.
Also, the sad part here is that there is no way for a PCI scan vendor to know if you have properly patched your system.
If I telnet into port 80 on a fully updated CentOS 5.3 (Final) system, the version reported is "Server: Apache/2.2.3 (Red Hat)".
Now of course I have the option to go in and tell my vendor that I'm compliant and it's a false positive. However, what happens if this prevents the scan vendor from alerting when there's another update?
It seems to me that there is a certain amount of room for allowing a needed update to slip through the cracks. A system may go unpatched/unnoticed because the scan vendor is not alerting me.
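The check a practitioner would actually run on a backporting distro is the package changelog, not the Server banner: `rpm -q --changelog httpd` lists the security fixes folded into a release like 2.2.3-22. The script below is an added example, not part of the post above; its changelog text and CVE ids are constructed placeholders so it runs offline, and the `rpm_changelog_has_cve` helper is the same check against a live RPM database.

```shell
#!/bin/sh
# Added example: judge patch level from the RPM changelog rather than the
# version string a scanner sees in the HTTP Server header.

# Constructed sample of what `rpm -q --changelog httpd` prints on an
# RHEL/CentOS 5 box; the CVE ids are placeholders, not real advisories.
SAMPLE_CHANGELOG='* Tue Jul 14 2009 Example Maintainer <maint@example.invalid> - 2.2.3-22.2
- add security fix for CVE-0000-0001 (constructed placeholder)
- add security fix for CVE-0000-0002 (constructed placeholder)
* Mon Jan 12 2009 Example Maintainer <maint@example.invalid> - 2.2.3-22
- rebase patches onto 2.2.3'

# changelog_has_cve CHANGELOG_TEXT CVE_ID
# Exit 0 if the CVE id appears anywhere in the changelog text, 1 otherwise.
changelog_has_cve() {
    printf '%s\n' "$1" | grep -qi -- "$2"
}

# rpm_changelog_has_cve PACKAGE CVE_ID
# Same check against the installed package's real changelog (needs rpm;
# not exercised by the offline test).
rpm_changelog_has_cve() {
    rpm -q --changelog "$1" | grep -qi -- "$2"
}

# banner_version SERVER_HEADER
# Extract the upstream version from a Server header such as
# "Server: Apache/2.2.3 (Red Hat)". On a backporting distro this value
# stays at 2.2.3 for years, which is why a banner-only scan cannot tell
# a patched host from an unpatched one.
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^Server: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# Usage when run directly: report on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    banner_version 'Server: Apache/2.2.3 (Red Hat)'
    changelog_has_cve "$SAMPLE_CHANGELOG" CVE-0000-0001 && echo "CVE-0000-0001: fixed in package"
    changelog_has_cve "$SAMPLE_CHANGELOG" CVE-0000-0009 || echo "CVE-0000-0009: not mentioned"
fi
```

When a scanner flags a version, run the `rpm_changelog_has_cve` check for the CVE it cites and keep the scanner's finding open until the changelog (or the vendor advisory for that release) confirms the fix.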