apache-2.2centosPHPSecurity
I understand that RedHat backport CVE fixes to Apache and PHP for CentOS as updates where the version number doesn't necessarily increase, and that I can get these fixes with yum update php etc, so whilst looking at the version number it may appear to be vulnerable to CVE xyz but it could actually have the fixes. Please correct me if this is wrong.
How can I verify which CVE numbers are patched in my current PHP and Apache on a CentOS box?
You could try to extract the following packages on another host:
http://mirror.mirohost.net/centos/5.9/updates/x86_64/RPMS/rpm-4.4.2.3-32.el5_9.x86_64.rpm http://mirror.mirohost.net/centos/5.9/updates/x86_64/RPMS/rpm-libs-4.4.2.3-32.el5_9.x86_64.rpm
and then just copy binary files with scp/wget/rsync. I have tried on vmware workstations and all works fine
# yum erase rpm
Loaded plugins: fastestmirror
Setting up Remove Process
Resolving Dependencies
--> Running transaction check
---> Package rpm.x86_64 0:4.4.2.3-32.el5_9 set to be erased
--> Processing Dependency: rpm = 4.4.2.3-32.el5_9 for package: rpm-python
--> Processing Dependency: rpm = 4.4.2.3-32.el5_9 for package: rpm-libs
--> Processing Dependency: rpm for package: man
--> Processing Dependency: rpm = 4.4.2.3-32.el5_9 for package: rpm-build
--> Processing Dependency: rpm = 4.4.2.3-32.el5_9 for package: rpm-devel
--> Processing Dependency: rpm >= 4.4.2 for package: yum
--> Running transaction check
---> Package man.x86_64 0:1.6d-3.el5 set to be erased
--> Processing Dependency: man >= 1.6d-2 for package: man-pages-overrides
---> Package rpm-build.x86_64 0:4.4.2.3-32.el5_9 set to be erased
---> Package rpm-devel.x86_64 0:4.4.2.3-32.el5_9 set to be erased
--> Processing Dependency: rpm-devel for package: net-snmp-devel
---> Package rpm-libs.x86_64 0:4.4.2.3-32.el5_9 set to be erased
--> Processing Dependency: librpm-4.4.so()(64bit) for package: net-snmp
--> Processing Dependency: librpmio-4.4.so()(64bit) for package: net-snmp
---> Package rpm-python.x86_64 0:4.4.2.3-32.el5_9 set to be erased
--> Processing Dependency: rpm-python for package: system-config-network-tui
---> Package yum.noarch 0:3.2.22-40.el5.centos set to be erased
--> Processing Dependency: yum >= 3.2.22 for package: yum-updatesd
--> Processing Dependency: yum >= 3.0 for package: yum-fastestmirror
--> Running transaction check
---> Package man-pages-overrides.noarch 0:5.9.2-2.el5 set to be erased
---> Package net-snmp.x86_64 1:5.3.2.2-20.el5 set to be erased
---> Package net-snmp-devel.x86_64 1:5.3.2.2-20.el5 set to be erased
---> Package system-config-network-tui.noarch 0:1.3.99.21-1.el5 set to be erased
--> Processing Dependency: system-config-network-tui for package: firstboot-tui
---> Package yum-fastestmirror.noarch 0:1.1.16-21.el5.centos set to be erased
---> Package yum-updatesd.noarch 1:0.9-5.el5 set to be erased
--> Running transaction check
---> Package firstboot-tui.x86_64 0:1.4.27.9-1.el5.centos set to be erased
--> Processing Dependency: /usr/bin/man for package: redhat-lsb
--> Processing Dependency: /usr/bin/man for package: redhat-lsb
--> Processing Dependency: /bin/rpm for package: policycoreutils
--> Restarting Dependency Resolution with new changes.
--> Running transaction check
---> Package policycoreutils.x86_64 0:1.33.12-14.8.el5_9 set to be erased
--> Processing Dependency: policycoreutils >= 1.33.12-14.5 for package: selinux-policy-targeted
--> Processing Dependency: policycoreutils for package: sudo
--> Processing Dependency: policycoreutils for package: sudo
--> Processing Dependency: policycoreutils >= 1.33.12-14.5 for package: selinux-policy
--> Processing Dependency: policycoreutils for package: setools
---> Package redhat-lsb.i386 0:4.0-2.1.4.el5 set to be erased
---> Package redhat-lsb.x86_64 0:4.0-2.1.4.el5 set to be erased
--> Running transaction check
---> Package selinux-policy.noarch 0:2.4.6-338.el5 set to be erased
---> Package selinux-policy-targeted.noarch 0:2.4.6-338.el5 set to be erased
---> Package setools.x86_64 0:3.0-3.el5 set to be erased
---> Package sudo.x86_64 0:1.7.2p1-22.el5_9.1 set to be erased
--> Finished Dependency Resolution
Dependencies Resolved
======================================================================================================================================================
Package Arch Version Repository Size
======================================================================================================================================================
Removing:
rpm x86_64 4.4.2.3-32.el5_9 installed 3.6 M
Removing for dependencies:
firstboot-tui x86_64 1.4.27.9-1.el5.centos installed 652 k
man x86_64 1.6d-3.el5 installed 354 k
man-pages-overrides noarch 5.9.2-2.el5 installed 181 k
net-snmp x86_64 1:5.3.2.2-20.el5 installed 2.8 M
net-snmp-devel x86_64 1:5.3.2.2-20.el5 installed 8.0 M
policycoreutils x86_64 1.33.12-14.8.el5_9 installed 2.1 M
redhat-lsb i386 4.0-2.1.4.el5 installed 21 k
redhat-lsb x86_64 4.0-2.1.4.el5 installed 22 k
rpm-build x86_64 4.4.2.3-32.el5_9 installed 1.5 M
rpm-devel x86_64 4.4.2.3-32.el5_9 installed 4.1 M
rpm-libs x86_64 4.4.2.3-32.el5_9 installed 2.0 M
rpm-python x86_64 4.4.2.3-32.el5_9 installed 131 k
selinux-policy noarch 2.4.6-338.el5 installed 7.9 M
selinux-policy-targeted noarch 2.4.6-338.el5 installed 33 M
setools x86_64 3.0-3.el5 installed 3.3 M
sudo x86_64 1.7.2p1-22.el5_9.1 installed 884 k
system-config-network-tui noarch 1.3.99.21-1.el5 installed 4.9 M
yum noarch 3.2.22-40.el5.centos installed 3.3 M
yum-fastestmirror noarch 1.1.16-21.el5.centos installed 47 k
yum-updatesd noarch 1:0.9-5.el5 installed 55 k
Transaction Summary
======================================================================================================================================================
Remove 21 Package(s)
Reinstall 0 Package(s)
Downgrade 0 Package(s)
Is this ok [y/N]: y
And then
# wget http://mirror.mirohost.net/centos/5.9/os/x86_64/CentOS/yum-3.2.22-40.el5.centos.noarch.rpm
# wget http://mirror.mirohost.net/centos/5.9/os/x86_64/CentOS/rpm-python-4.4.2.3-31.el5.x86_64.rpm
# wget http://mirror.mirohost.net/centos/5.9/os/x86_64/CentOS/yum-fastestmirror-1.1.16-21.el5.centos.noarch.rpm
# rpm -ivh --nodeps yum-3.2.22-40.el5.centos.noarch.rpm rpm-python-4.4.2.3-31.el5.x86_64.rpm yum-fastestmirror-1.1.16-21.el5.centos.noarch.rpm
Preparing... ########################################### [100%]
1:rpm-python ########################################### [ 33%]
2:yum-fastestmirror ########################################### [ 67%]
3:yum ########################################### [100%]
Check that all works fine
# yum install mc
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: ftp.colocall.net
* epel: ftp.colocall.net
* extras: ftp.colocall.net
* rpmforge: ftp.colocall.net
* updates: centos.itt-consulting.com
base | 1.1 kB 00:00
epel | 3.6 kB 00:00
extras | 2.1 kB 00:00
rpmforge | 1.9 kB 00:00
updates | 1.9 kB 00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mc.x86_64 1:4.6.1a-35.el5 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
======================================================================================================================================================
Package Arch Version Repository Size
======================================================================================================================================================
Installing:
mc x86_64 1:4.6.1a-35.el5 base 2.1 M
Transaction Summary
======================================================================================================================================================
Install 1 Package(s)
Upgrade 0 Package(s)
Total download size: 2.1 M
Is this ok [y/N]:
Downloading Packages:
mc-4.6.1a-35.el5.x86_64.rpm | 2.1 MB 00:02
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : mc 1/1
Installed:
mc.x86_64 1:4.6.1a-35.el5
Complete!
P.S After that don't forget to reinstall rpm via yum ;)
# yum install rpm
It's even worse... You're using an old, and third party PHP package. Who knows if they've ever updated it? It's certainly not likely that they've backported security fixes.
You really should update PHP to the latest available 5.4 or 5.5 version; if you're using the upstream build or a third party build, that's the only way you can really be sure. Which means you should probably also update the OS to the latest available version.
Best Answer
You can look at the changelog to see what the packagers say they did:
and so on.
I suppose you can trust the packager to do what they said they did.
If not, you can grab the source RPM, unpack it, and look at the set of patches being applied to the source tarball as it builds.