2.6.32-358.23.2.el6.i686
CentOS 6.4 x64
PHP 5.3.3
httpd.i686 2.2.15-29.el6.centos
I have run yum update several times - I am 100% up to date as far as the standard repos are concerned. I am aware that CentOS / RHEL releases backport security fixes for software packages - such as Apache and PHP. I am also aware that the nature of these backport fixes does not necessarily increment the PHP and Apache reported versions. That's perfectly understandable.
But there is a particular vulnerability that a PCI scan has identified on my web server: CVE-2011-3268
I know that PHP itself has addressed and patched this vulnerability. I need help determining the following three items:
1. How can I search CentOS / RHEL resources and discover when and what version of PHP or Apache was patched from vulnerability CVE-2011-xxxx?
2. Is it true as suggested here:
https://bugzilla.redhat.com/show_bug.cgi?id=733744 - that CVE-2011-3268 DOES NOT EXIST in the versions of PHP that exist in the repositories of RHEL 4, 5, or 6? I'm not sure I'm reading that correctly.
3. I looked in my own change log (i.e. rpm -q --changelog php) and see no mention of CVE-2011-3268. Does this mean it isn't patched, or does it mean the vulnerability does not exist?
Thank you very kindly.
-neodaemon
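
The changelog check described in item 3, extended to report the date and version-release of each entry that names a CVE. This is an added example, not part of the original post; it assumes each changelog header ends with the version-release, and the sample changelog, package versions and CVE IDs in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage on a real host: rpm -q --changelog php | cve_fixed_in CVE-2011-3268

# Print "DATE<TAB>VERSION-RELEASE" for every changelog entry on stdin that
# names the CVE given as $1; return 1 when no entry names it.
cve_fixed_in() {
    awk -v cve="$1" '
        # Entry header, e.g. "* Mon Jan 09 2012 Name <mail> - 1.2.3-4.el6".
        # Assumption: the last field of the header is the version-release.
        /^\* / {
            date = $2 " " $3 " " $4 " " $5
            ver = $NF
            seen = 0
            next
        }
        # Body line: match the ID as a whole token, so an ID that merely
        # starts with the same digits is not reported.
        !seen && $0 ~ (cve "([^0-9]|$)") {
            print date "\t" ver
            seen = 1
            found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample in rpm changelog format (placeholder data only).
sample_changelog() {
    cat <<'EOF'
* Tue Mar 06 2012 Example Packager <pkg@example.com> - 1.2.3-5.el6
- fix parsing crash (CVE-0000-0002)

* Mon Jan 09 2012 Example Packager <pkg@example.com> - 1.2.3-4.el6
- add security fix for CVE-0000-0001
- rebuild
EOF
}

# Demo on the constructed sample: one hit, one miss.
sample_changelog | cve_fixed_in CVE-0000-0001
sample_changelog | cve_fixed_in CVE-0000-0009 || echo "no entry names CVE-0000-0009"
```

A miss only shows that no changelog entry names the ID; it does not by itself distinguish an unpatched package from one the vendor considers unaffected.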