> If you look at the changelog for httpd (rpm -q --changelog httpd), you
> can see which CVEs are addressed by the backported patches to 2.2.3.

Maybe... after several months that may be the case. I wouldn't give
Red Hat more than 2.5 stars for expediting patching zero-day exploits in
the wild.

For PCI compliance scanners, one is probably better off obfuscating the
version string by adding:

    ServerTokens Prod

...and then, if the scanner is half a loaf, it will attempt to exploit any
known CVEs independent of the discovered version string.

~BAS
_______________________________________________
rhelv5-list mailing list
rhelv5-list@redhat.com
https://www.redhat.com/mailman/listinfo/rhelv5-list
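
Added example, not part of the original thread: a shell sketch of the changelog check described in the quoted text, useful for answering a scanner finding that was raised from the 2.2.3 version string alone. The function names and the sample changelog (placeholder CVE ids, dates and releases) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in `rpm -q --changelog` layout. CVE ids, dates and
# releases are placeholders, not real httpd changelog entries.
sample_changelog() {
cat <<'EOF'
* Tue Mar 04 2008 Example Packager <pkg@example.com> - 2.2.3-12
- rebuild; carry fix for CVE-0000-0002

* Mon Jan 14 2008 Example Packager <pkg@example.com> - 2.2.3-11
- add security fixes for CVE-0000-0001, CVE-0000-0002 (#000000)

* Fri Nov 02 2007 Example Packager <pkg@example.com> - 2.2.3-10
- fix init script
EOF
}

# Read changelog text on stdin; print "CVE<TAB>release" for the oldest
# entry that mentions each CVE (changelogs list newest entries first).
changelog_cves() {
    awk '
        /^\* / { rel = $NF; next }   # entry header: last field is version-release
        {
            line = $0
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                id = substr(line, RSTART, RLENGTH)
                if (!(id in first)) order[++n] = id
                first[id] = rel      # overwritten when an older entry also mentions it
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { for (i = 1; i <= n; i++) printf "%s\t%s\n", order[i], first[order[i]] }
    '
}

# Print the release that first mentions CVE id $1; exit 1 if none does.
cve_backported() {
    changelog_cves |
        awk -F'\t' -v id="$1" '$1 == id { print $2; found = 1 } END { exit !found }'
}

# On a real host: rpm -q --changelog httpd | cve_backported <CVE id from the scan report>
sample_changelog | changelog_cves
```

A CVE id that is absent from the changelog makes `cve_backported` exit non-zero, which is the case to follow up on rather than dismiss as a version-string false positive.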