2.6.32-358.23.2.el6.i686
Centos 6.4 x64
PHP 5.3.3
httpd.i686 2.2.15-29.el6.centos

I have ran yum update several times - I am 100% up to date as far as the standard repos are concerned. I am aware that CentOS / RHEL releases backport security fixes for software packages - such as Apache and PHP. I am also aware that the nature of these backport fixes do not necessarily increment the PHP and Apache reported versions. That's perfectly understandable.

But there is a particular vulnerability that a PCI scan has identified on my web server: CVE-2011-3268
I know that PHP itself has addressed and patched this vulnerability. I need help determining the following three items:

1. How can I search CentOS / RHEL resources and discover when and what version of PHP or Apache was patched from vulnerability CVE-2011-xxxx?
2. Is it true as suggested here: https://bugzilla.redhat.com/show_bug.cgi?id=733744 -that CVE-2011-3268 DOES NOT EXIST in the versions of PHP that exist in the repositories of RHEL 4,5, or 6? I'm not sure I'm reading that correctly.
3. I looked in my own change log (i.e. rpm -q --changelog php) and see no mention of CVE-2011-3268. Does this mean it isn't patched, or does it mean the vulnerability does not exist?

Thank you very kindly.
-neodaemon

Then the method of the scan may be questionable. I've seen lots of companies just add any vulns to their report ad verbum and without determining if it is a false positive or not.


Prefix your CVE number with https://access.redhat.com/security/cve/: https://access.redhat.com/security/cve/CVE-2011-3268


Yes, you read that correctly. Also note the person writing the statement, Huzaifa S. Sidhpurwala (huzaifas.at.redhat.com), is a Security Engineer at Red Hat.


The RHEL statement on the CVE page reads "Not vulnerable." which is clear and does not invite or warrant interpretation.

Understood. Thank you very much for the reply unSpawn.

You're welcome.