Apache version


I’m running the latest version of Virtualmin with CentOS 6.2. We’re currently running an outdated version of Apache/httpd.

[root@website ~]# httpd -v
Server version: Apache/2.2.15 (Unix)
Server built: Jan 5 2012 14:12:47
[root@website ~]#

As I can see, the latest version of Apache is 2.4.1

I understand that there are always slight incompatibilities between versions of software releases and that manufacturers don’t always compile with the latest version.

However, am I running the latest version supported by Virtualmin?

I just performed a scan with Acunetix, and got this which made me think about it.

Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.



You’re using the most recent version of Apache available to CentOS 6.

CentOS (and RHEL) release a given software version with their distribution, and then they backport bugfixes and security updates to that release.

So you’re using the same Apache version as the other CentOS 6 users out there, and it’s fully patched – there aren’t any know security holes in it.