
#98 Check for Red Hat/CentOS backported security patches based on CVE data

main
closed-wont-fix
None
5
2014-09-07
2013-11-11
vasos
No

Version 1.3.4 (not the latest, but shipped with a third-party panel on production)
OS: CentOS 6.4 x64

RkHunter reports

Warning: Application 'httpd', version '2.2.15', is out of date, and possibly a security risk.

But according to the Red Hat backporting policy (security patches from the latest versions are backported to the older versions without breaking interoperability), the application vulnerability should be checked based on the CVE patches applied and not on the software version.

Discussion

  • John Horne

    John Horne - 2013-11-11

    The warning comes from the 'apps' test. I personally do not recommend the test for the simple reason that it is impossible to keep it up to date. We would have to check the application versions on all the UNIX and Linux distributions, and ensure that any we whitelisted were patched for all those distributions. (E.g. '2.2.15' on CentOS may be okay, but on Debian it might not be.) I would suggest just disabling the test.

  • John Horne

    John Horne - 2013-11-11
    • status: open --> closed-wont-fix
    • assigned_to: John Horne
  • David Sommerseth

    I know I'm beating an old horse. But the package maintainers could add APP_WHITELIST to the default config it installs, using the stable and security fixed version numbers their distro uses. I suggest reporting this to the package maintainers instead.

  • John Horne

    John Horne - 2014-09-07

    Yup, feel free to suggest it to the package maintainers.
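
An added example, not part of this ticket and not rkhunter project code, covering both the reporter's point about Red Hat backporting and David Sommerseth's APP_WHITELIST suggestion: on an RPM-based host the installed package's changelog, not its version string, records which CVE ids were patched, and the installed version is what a whitelist entry should carry. The rpm(8) calls assume a CentOS/RHEL host; the changelog excerpt and the id CVE-0000-0001 are constructed placeholders, and the name:version form of APP_WHITELIST is taken from rkhunter.conf.

```shell
#!/bin/sh
# Added example, not rkhunter project code. On RPM-based systems (CentOS, RHEL)
# a security fix is backported under the old version number, so the package
# changelog, which names the CVE ids it addresses, is the thing to check.

# Pure filter: read changelog text on stdin and succeed (exit 0) only if the
# given CVE id appears as a whole token, case-insensitively.
changelog_mentions_cve() {
    # The surrounding classes stop CVE-0000-0001 from matching CVE-0000-00010.
    grep -qiE "(^|[^A-Za-z0-9-])$1([^0-9]|$)"
}

# Query the installed package's RPM changelog for the CVE id (needs rpm(8)).
# Usage: cve_fixed_in_installed_pkg httpd CVE-YYYY-NNNN
cve_fixed_in_installed_pkg() {
    rpm -q --changelog "$1" 2>/dev/null | changelog_mentions_cve "$2"
}

# Build the name:version entry that rkhunter's APP_WHITELIST option takes,
# from the version the distro actually ships rather than a hand-typed one.
# Usage: app_whitelist_entry httpd   ->   httpd:2.2.15
app_whitelist_entry() {
    rpm -q --qf '%{NAME}:%{VERSION}\n' "$1"
}

# Constructed changelog excerpt and placeholder CVE id for the offline demo;
# neither is real Red Hat changelog text.
SAMPLE_CHANGELOG='* Mon Jan 01 2013 Example Packager <pkg@example.invalid> - 2.2.15-29
- Resolves: CVE-0000-0001 - placeholder entry for a backported fix
- rebuild against updated apr'

# Offline demonstration on the constructed excerpt.
for cve in CVE-0000-0001 CVE-0000-0002; do
    if printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_mentions_cve "$cve"; then
        echo "$cve: fixed in this package build"
    else
        echo "$cve: not mentioned in changelog"
    fi
done
# On a real CentOS host, check the live package and print the whitelist line:
#   cve_fixed_in_installed_pkg httpd CVE-YYYY-NNNN && app_whitelist_entry httpd
```

The printed whitelist line goes into rkhunter.conf as `APP_WHITELIST=httpd:2.2.15`, which the ticket's comments describe as the per-distribution fix for the 'apps' warning; the changelog check is how to confirm the entry is justified before adding it.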
