[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: When is a version above apache 2.4.10 going to release for Deb 8?

Thanks.  This is helpful.. Sadly though PCI-DSS compliance scanners look for the daemon version and when they see the vulnerable version it flags it without further checks.  It looks like there are many cve's that have not been corrected...  There are no change dates on anything listed either which also causes confusion. 

Best Regards,

John Gates, CISSP

Let’s Connect!


This email may contain information that is confidential or attorney-client privileged and may constitute inside information. The contents of this email are intended only for the recipient(s) listed above. If you are not the intended recipient, you are directed not to read, disclose, distribute or otherwise use this transmission. If you have received this email in error, please notify the sender immediately and delete the transmission. Delivery of this message is not intended to waive any applicable privileges.

On Sun, Nov 6, 2016 at 3:36 PM, Stefan Fritsch <sf@sfritsch.de> wrote:
On Sunday, 6 November 2016 09:27:18 CET John Gates wrote:
> I have a server that needs to stay PCIDSS compliant and it is complaining
> that apache 2.4.10 is running...  When is an update going to be
> available...  Do I have to compile my own Apache version?  Seems odd that
> stability is favored over security...  Please advise.

Debian back-ports individual security fixes, not complete new upstream
versions. See https://www.debian.org/security/faq#oldversion

An overview over the security issues that have been fixed in apache2 is
available via


Reply to: