No, that's the wrong approach. Version numbers cannot be compared, because both CentOS and Debian have backported later changes.
Instead, look at the change log for 2.4.25 and every prior version back to the version you have, for changes that are important to you, especially changes with a CVE number or tagged SECURITY. That gives you a list of changes you want to have.

Then, focus on the changes that are likely to impact server operations, such as privilege escalation or denial of service.

Then, look at the change log for the CentOS and Debian packages, looking for where they have backported the changes. For Debian you'll find this in /usr/share/doc/apache2/changelog.Debian.gz

It is a complex process, which is why most people delegate it to CentOS and Debian security teams.

And to answer your question; the particularly important risks that Internet-in-a-Box may face are all the SECURITY and CVE tagged changes in the 2.4 series change log;

http://www.apache.org/dist/httpd/CHANGES_2.4

The most important one appears to be CVE-2016-8740 for a denial of service vulnerability.

Risk is high if the server is accessed from the internet.

Risk is medium if the server is accessed by local public wireless.

Risk is low if the server is accessed by password protected wireless.

-- 
James Cameron
http://quozl.netrek.org/
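
The comparison described in the message above can be scripted; this is an added example, not part of the original message. It assumes upstream CHANGES entries begin with "*)" and that package changelogs name the CVE ids they fix; both sample texts are constructed, and CVE-0000-0001 is a placeholder id.

```python
import gzip
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample in the layout of the upstream CHANGES file ("*)" starts an entry).
# CVE-2016-8740 is the id named in the message; CVE-0000-0001 is a placeholder.
UPSTREAM = """\
Changes with Apache 2.4.25

  *) SECURITY: CVE-2016-8740 (cve.mitre.org)
     mod_http2: constructed summary text for this example.

  *) SECURITY: CVE-0000-0001 (placeholder id)
     core: constructed summary text for this example.

  *) mod_example: constructed non-security entry.
"""

# Constructed sample of a distribution package changelog.
DISTRO = """\
apache2 (0.0.0-0placeholder1) unstable; urgency=medium

  * Backport upstream fix for CVE-2016-8740 (constructed line).
"""

def read_changelog(path):
    """Read a changelog from disk, transparently handling .gz files."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return fh.read()

def upstream_security_entries(changes_text):
    """Map each CVE id to a one-line summary of the upstream entry naming it."""
    entries = {}
    for entry in re.split(r"^\s*\*\)", changes_text, flags=re.M)[1:]:
        summary = " ".join(entry.split())[:70]
        for cve in CVE_RE.findall(entry):
            entries.setdefault(cve, summary)
    return entries

def backport_status(changes_text, distro_text):
    """For every upstream CVE, report whether the distro changelog mentions it."""
    mentioned = set(CVE_RE.findall(distro_text))
    return {cve: cve in mentioned for cve in upstream_security_entries(changes_text)}

if __name__ == "__main__":
    for cve, found in backport_status(UPSTREAM, DISTRO).items():
        print(f"{cve}: {'mentioned in package changelog' if found else 'not mentioned, review by hand'}")
```

On a Debian system the second argument would come from read_changelog("/usr/share/doc/apache2/changelog.Debian.gz"). A CVE that is not mentioned is a prompt for manual review of the package, not proof that it is unpatched or affected.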