On 19.01.2017 at 08:22, Stefan Eissing wrote:
> Distros seem to have realized the problem long ago and make their own httpd versions. First time I realized my "httpd 2.4.7" is not the 2.4.7 release was a WTF moment.
No, that applies to LTS distros, and in that case to nearly any piece of software, and has nothing to do with httpd or the problems you are talking about.
httpd-2.4.6-45.el7.centos.x86_64
mod_security-2.7.3-5.el7.x86_64
php-5.4.16-42.el7.x86_64:

* Fr Aug 05 2016 Remi Collet <rcol...@redhat.com> - 5.4.16-42
- bz2: fix improper error handling in bzread() CVE-2016-5399

* Mo Aug 01 2016 Remi Collet <rcol...@redhat.com> - 5.4.16-41
- gd: fix integer overflow in _gd2GetHeader() resulting in heap overflow CVE-2016-5766
- gd: fix integer overflow in gdImagePaletteToTrueColor() resulting in heap overflow CVE-2016-5767
- mbstring: fix double free in _php_mb_regex_ereg_replace_exec CVE-2016-5768

* Fr Jul 22 2016 Remi Collet <rcol...@redhat.com> - 5.4.16-40
- don't set environmental variable based on user supplied Proxy request header CVE-2016-5385
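
An added example, not part of the original message: a Python sketch that reads changelog text in the format quoted above (as printed by `rpm -q --changelog <package>`) and maps each CVE id to the package release that carries the fix, which shows every fix shipping under the same upstream version. The function names and the embedded sample (copied from the changelog lines above) are constructed for illustration.

```python
import re

# Constructed sample: the changelog entries quoted in the message above.
SAMPLE = """\
* Fr Aug 05 2016 Remi Collet <rcol...@redhat.com> - 5.4.16-42
- bz2: fix improper error handling in bzread() CVE-2016-5399
* Mo Aug 01 2016 Remi Collet <rcol...@redhat.com> - 5.4.16-41
- gd: fix integer overflow in _gd2GetHeader() resulting in heap overflow CVE-2016-5766
- gd: fix integer overflow in gdImagePaletteToTrueColor() resulting in heap overflow CVE-2016-5767
- mbstring: fix double free in _php_mb_regex_ereg_replace_exec CVE-2016-5768
* Fr Jul 22 2016 Remi Collet <rcol...@redhat.com> - 5.4.16-40
- don't set environmental variable based on user supplied Proxy request header CVE-2016-5385
"""

# Entry header: "* <day> <month> <dd> <yyyy> <packager> - <version-release>".
# Day and month are matched as opaque tokens because rpm localizes them
# ("Fr", "Mo" in the output above).
HEADER = re.compile(r"^\*\s+\S+\s+\S+\s+\d{1,2}\s+\d{4}\s+.*?\s+-\s+(?P<evr>\S+)\s*$")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")


def cve_fixes(changelog):
    """Map each CVE id to the oldest package release whose entry mentions it."""
    fixes, release = {}, None
    for line in changelog.splitlines():
        header = HEADER.match(line)
        if header:
            release = header.group("evr")
        elif release is not None:
            # Entries are listed newest first, so a later match is an older release.
            for cve in CVE.findall(line):
                fixes[cve] = release
    return fixes


def upstream_versions(fixes):
    """Upstream version part of each fixing release (epoch and release stripped)."""
    return {evr.split(":")[-1].rsplit("-", 1)[0] for evr in fixes.values()}


if __name__ == "__main__":
    found = cve_fixes(SAMPLE)
    for cve, release in sorted(found.items()):
        print(f"{cve} fixed in release {release}")
    print("upstream version(s):", ", ".join(sorted(upstream_versions(found))))
```

A check that compares only the upstream version string would treat all five of these CVEs as unfixed; the release suffix and the changelog are where the backported fixes are recorded.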