Issue
This question comes from my lack of understanding of package managers,
I run yum list and get httpd-2.4.6-40.el7.centos.4.x86_64
Build date: Mon Jul 18 17:32:11 2016
I did yum update && yum install httpd; will this get me the latest version of httpd?
Where can I check online to confirm my package/build is the latest?
How can I periodically install security patches for my version of httpd?
Update
[centos ~]$ httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built: Jul 18 2016 15:30:14
[centos ~]$ rpm -q --changelog httpd | more
* Mon Jul 18 2016 CentOS Sources <[email protected]> - 2.4.6-40.el7.centos.4
- Remove index.html, add centos-noindex.tar.gz
- change vstring
- change symlink for poweredby.png
- update welcome.conf with proper aliases
Solution
As Aaron mentioned, package managers like yum will only apply security patches as they prioritise stability (with security) over new features.
So after you do a "yum update" you will be on a patched version of httpd 2.4.6 which should have all the required security patches right up to the latest httpd release (2.4.23 at time of writing) but none of the other non-security changes (e.g. http/2 support or any of the other features and bug fixes unless security related).
So it's not really 2.4.6 anymore, despite the name, but at the same time it's definitely not 2.4.23 either.
You can confirm the patches have been applied by running this command (as detailed here):
rpm -q --changelog httpd | more
Or perhaps, to check for a specific CVE:
rpm -q --changelog httpd | grep CVE-Number
And the vulnerabilities fixed in each version of Apache httpd (which should be backported within a short space of time by Red Hat/CentOS) are here: https://httpd.apache.org/security/vulnerabilities_24.html or here: https://www.cvedetails.com/version-list/45/66/1/Apache-Http-Server.html
The best way to periodically install security updates is to do a "sudo yum update" regularly or consider installing yum-cron to do this for you. There is still some debate as to whether this should be fully automated in prod.
Answered By - Barry Pollard
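The answer's check is a one-off grep of rpm -q --changelog. The script below, added here as an example and not part of the original answer, wraps that check into three small shell functions: list every CVE id the changelog mentions, test for one specific CVE with the id anchored so a shorter id cannot match a longer one, and report which package version first mentions the CVE. It runs against a constructed changelog excerpt embedded in the script; the CVE numbers in that excerpt are placeholders, not real httpd fixes. Against a live system you would pipe rpm -q --changelog httpd into the same functions.

```sh
#!/bin/sh
# Added example (not from the original answer): inspect an rpm changelog for CVE fixes.
# Real use:  rpm -q --changelog httpd | has_cve CVE-XXXX-YYYY
# Here a constructed changelog excerpt is embedded so the script runs offline.
# The CVE-0000-* ids below are placeholders, not real Apache httpd fixes.
SAMPLE_CHANGELOG='* Mon Jul 18 2016 CentOS Sources - 2.4.6-40.el7.centos.4
- Remove index.html, add centos-noindex.tar.gz
* Tue Jul 05 2016 Example Maintainer - 2.4.6-40.3
- Resolves: CVE-0000-1111 (constructed placeholder)
- Resolves: CVE-0000-2222 (constructed placeholder)
* Mon Jun 06 2016 Example Maintainer - 2.4.6-40.2
- core: fix CVE-0000-1111 regression'

# list_cves: print each distinct CVE id found in the changelog on stdin,
# in the order first seen (rpm prints newest entries first).
list_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | awk '!seen[$0]++'
}

# has_cve CVE-ID: exit 0 if the changelog on stdin mentions exactly that CVE.
# The id is anchored on both sides so CVE-0000-111 does not match CVE-0000-1111.
has_cve() {
    grep -qE "(^|[^0-9])$1([^0-9]|$)"
}

# fixed_in CVE-ID: print the package version of the newest changelog entry
# that mentions the CVE. Entry headers look like "* <date> <author> - <version>",
# so the version is the last field of the header line.
fixed_in() {
    awk -v cve="$1" '
        /^\* / { ver = $NF }
        $0 ~ ("(^|[^0-9])" cve "([^0-9]|$)") { print ver; exit }
    '
}

# Demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_CHANGELOG" | list_cves
if printf '%s\n' "$SAMPLE_CHANGELOG" | has_cve CVE-0000-2222; then
    echo "CVE-0000-2222 fixed in $(printf '%s\n' "$SAMPLE_CHANGELOG" | fixed_in CVE-0000-2222)"
fi
```

Because the distribution backports fixes into the 2.4.6 package rather than rebasing, the upstream version string tells you nothing about patch status; the changelog is the record to query, and scripting it this way lets the same check run from a cron job or a configuration-audit tool.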