[Server-devel] Apache 2.4.6 on CentOS and 2.4.10 on Debian/Raspbian

James Cameron quozl at laptop.org
Thu May 25 21:42:53 EDT 2017


No, that's the wrong approach.

Version numbers cannot be compared, because both CentOS and Debian
have backported later changes.

Instead, look at the change log for 2.4.25 and every prior version
back to the version you have, for changes that are important to you,
especially changes with a CVE number or tagged SECURITY.

That gives you a list of changes you want to have.

Then, focus on the changes that are likely to impact server
operations, such as privilege escalation or denial of service.

Then, look at the change log for the CentOS and Debian packages,
looking for where they have backported the changes.  For Debian you'll
find this in /usr/share/doc/apache2/changelog.Debian.gz

It is a complex process, which is why most people delegate it to
CentOS and Debian security teams.

And to answer your question, the particularly important risks that
Internet-in-a-Box may face are all the SECURITY and CVE tagged changes
in the 2.4 series change log:

http://www.apache.org/dist/httpd/CHANGES_2.4

The most important one appears to be CVE-2016-8740 for a denial of
service vulnerability.

Risk is high if the server is accessed from the internet.

Risk is medium if the server is accessed by local public wireless.

Risk is low if the server is accessed by password protected wireless.

-- 
James Cameron
http://quozl.netrek.org/
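The procedure above (read the upstream CHANGES_2.4 log for SECURITY and CVE entries newer than your base version, then check the distribution changelog for backports) is mechanical enough to script. The following is an added example, not code from the post or from the Apache or Debian projects. It assumes the two inputs are in the layouts of CHANGES_2.4 and changelog.Debian.gz respectively; the excerpts embedded here are constructed, and the CVE-2999-* ids and the maintainer entry are placeholders (only CVE-2016-8740 comes from the post). In practice you would feed it the real files, e.g. `zcat /usr/share/doc/apache2/changelog.Debian.gz`.

```python
"""Compare upstream httpd security fixes against a distro package changelog.

Walks a CHANGES_2.4-style log for SECURITY/CVE entries newer than the
installed base version, then reports which of those CVE ids the
distribution changelog mentions (i.e. which fixes were backported).
"""
import re
from typing import Dict, List, NamedTuple

VERSION_RE = re.compile(r"^Changes with Apache (\d+\.\d+\.\d+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


class Fix(NamedTuple):
    version: str   # upstream release that carried the entry
    cves: tuple    # CVE ids named in the entry (may be empty)
    summary: str   # first line of the entry, for the report


def version_key(v: str):
    """'2.4.10' -> (2, 4, 10) so releases compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def parse_changes(text: str) -> List[Fix]:
    """Return every '*)' entry of a CHANGES_2.4-style log with its release version."""
    fixes, version, entry = [], None, []

    def flush():
        if entry and version:
            body = " ".join(line.strip() for line in entry)
            cves = tuple(sorted(set(CVE_RE.findall(body))))
            fixes.append(Fix(version, cves, entry[0].strip()))
        entry.clear()

    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:                                   # "Changes with Apache X.Y.Z" header
            flush()
            version = m.group(1)
        elif line.lstrip().startswith("*)"):    # start of a new entry
            flush()
            entry.append(line.lstrip()[2:].strip())
        elif entry and line.strip():            # indented continuation line
            entry.append(line)
    flush()
    return fixes


def security_fixes_after(changes_text: str, installed: str) -> List[Fix]:
    """SECURITY/CVE entries from releases strictly newer than the installed base version."""
    base = version_key(installed)
    return [f for f in parse_changes(changes_text)
            if version_key(f.version) > base
            and (f.summary.startswith("SECURITY:") or f.cves)]


def backport_status(fixes: List[Fix], distro_changelog: str) -> Dict[str, bool]:
    """Map each upstream CVE id to whether the distro changelog mentions it."""
    mentioned = set(CVE_RE.findall(distro_changelog))
    return {cve: cve in mentioned for f in fixes for cve in f.cves}


# Constructed excerpt in the layout of http://www.apache.org/dist/httpd/CHANGES_2.4
# (CVE-2999-* are placeholder ids; 2.4.23 entry text is invented for the demo).
UPSTREAM_CHANGES = """\
Changes with Apache 2.4.25

  *) SECURITY: CVE-2016-8740 (cve.mitre.org)
     mod_http2: denial of service fix.  [Placeholder Author]

  *) mod_ssl: cosmetic log message change.  [Placeholder Author]

Changes with Apache 2.4.23

  *) SECURITY: CVE-2999-0001 (placeholder id)
     core: placeholder privilege escalation fix.  [Placeholder Author]

Changes with Apache 2.4.10

  *) SECURITY: CVE-2999-0002 (placeholder id)
     already in the installed base release, so not a gap.  [Placeholder Author]
"""

# Constructed excerpt in the layout of /usr/share/doc/apache2/changelog.Debian.gz
DEBIAN_CHANGELOG = """\
apache2 (2.4.10-10+deb8uN) jessie-security; urgency=medium

  * CVE-2016-8740: backported upstream denial of service fix.

 -- Placeholder Maintainer <maint@example.invalid>  Mon, 01 Jan 2017 00:00:00 +0000
"""


def report(installed: str = "2.4.10") -> Dict[str, bool]:
    """Print and return the backport status of every relevant upstream CVE."""
    fixes = security_fixes_after(UPSTREAM_CHANGES, installed)
    status = backport_status(fixes, DEBIAN_CHANGELOG)
    for f in fixes:
        for cve in f.cves:
            print(f"{cve} (upstream {f.version}): "
                  f"{'backported' if status[cve] else 'MISSING'}")
    return status


if __name__ == "__main__":
    report()
```

A CVE that comes out as MISSING is only a candidate gap: the distro may have fixed it under a different reference or the affected module may not be built, so the next step is the manual read of the package changelog that the post describes, not an automatic verdict.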

