I have a website hosted on an Amazon AMI Linux instance.
We had a PCI Scan recently and we failed the scan because we have Apache 2.2.23 installed, and apparently it contains vulnerabilities that have been since fixed on 2.2.24.
I did a sudo yum update but after checking the apache version using httpd -v it still reports 2.2.23. A yum info httpd also confirms that the repository version is 2.2.23
Is there any way to force yum to update to the latest version or to add a custom repository pointing to the latest apache release? I am a developer and I don't have a lot of experience hosting on linux, so I am a little bit stumped as to what to do.
Any tips will be appreciated, thanx!
Best Answer
Take a step back. The PCI scanner is blindly relying on version numbers and isn't taking into account that the vendor (which is eventually Red Hat) backports patches. Find out the exact vulnerability (get the CVE) and then use
rpm -q --changelog httpd(or go to http://cve.mitre.org/cve/cve.html and https://access.redhat.com/security/updates/ ) to see if the fix has been backported. It is annoying to do; thank your lazy PCI QSA for the work.I strongly recommend against installing from source. It breaks package management and you now become responsible for keeping apache up to date which is more annoying than verifying the backporting of fixes.