RedHat who essentially provides to underlying code for CentOS uses a “backporting” model which works something like this.
Apache issues a new version of httpd to the public with patches, and new features.
RedHat doesn’t want “new features”, but identifies that new version has “security patches” which apply to the version they support, so they extract those updates and apply it to a new version of their maintained “httpd”, and release it to their community.
This model allows them to fix bugs, without introducing new features that have not yet been vetted for the current version of “httpd” they support.
They are likely to use software which identifies the version.
Yes I informed them of the back porting for security. So thats not the issue here… its the fact that all the recent exploits are not patched yet. It only goes back to January. There have been new ones this year.
I guess you failed to read their “mitigation” steps…
The bug doesn’t affect a system NOT using “mod_sed”, which is likely the case. You’d have to have added the “mod_sed” module to your installation for you to be affected by the CVE. Virtualmin does NOT come shipped with this module installed or enabled. Therefore the CVE in question does NOT affect your system.
No, I assumed its a software update that would fix it. So therefore this specific issue is not a software update, but a configuration change?
So are ALL the other security issues the same, they are not software updates but config changes? And so therefore httpd-2.4.6-97.el7 is the latest version with all available security patches? Then this list above is just changing server settings?
I have just checked a few of the issues and they all have mitigation by way of changing settings, e.g uninstalling openssh client. So maybe they are then.
If thats correct then the report I uploaded is deceiving, it implies the issues exist due to versions being less than it stated!
Thanks for your help in identifying this as I never noticed and just assumed it was software patches.
There are two ways to solve a security problem with a piece of software:
Update it to patch the bug.
Disable it, so the impacted code is not exposed, or otherwise mitigate it (isolation, change limits, whatever).
Peter pointed out that in the case of one of those issues, a default Virtualmin system is not vulnerable because we don’t use the module in question. If you didn’t install/enable that module, then you are also not vulnerable.
Mitigation and updates are not the same thing. They’re two ways to solve a security problem.
And, if you must use features/modules/etc. in Apache that are not patched in CentOS 7, you should consider upgrading to a newer OS. CentOS 7 is over six years old at this point, and it is, by policy, locked into using six+ year old versions of everything in the system.