Andile Ntebe <ANtebe@Acceleration.biz> writes:

> Hi
>
> I'm not sure why Gareth said PHP, I'm referring to Apache 2.2.22.
>
> The below vulnerabilities seem to affect this version:

You seem not to have noticed that Debian fixes security issues in stable
versions of our packages, so you're comparing the version that Apache would
tell you is vulnerable without noticing the fixes that have been applied
since then by the Debian security team.

I suggest that you take your list of CVEs and see if any of them are not
mentioned as having been fixed in the Debian changelog:

  http://metadata.ftp-master.debian.org/changelogs//main/a/apache2/apache2_2.2.22-13+deb7u4_changelog

(I'm guessing that if you've been upgrading as hard as you can, and still
have 2.2.22 then you're using Debian 7, a.k.a. "wheezy" -- look in
/etc/debian_version where you should see "7.8")

Anyway, you need to note that the Debian version of Apache that you are
running is not 2.2.22, but rather 2.2.22-13+deb7u4, so that is the 13th
version of the package that's been built by the package maintainer, many of
which added fixes for CVEs, taking us to version 2.2.22-13, followed by four
more uploads that backport fixes to Debian 7 (deb7u1..deb7u4), each of which
adds more CVE fixes.

Upgrading to the latest version of something to fix security bugs carries
with it the potential to introduce new unexpected behaviours, and that may
result in things breaking, which is why we backport security fixes instead
of just asking everyone to upgrade and hoping for the best.

...

> Is there a way for us to update to the latest version?

There certainly is -- you can choose to run our testing or unstable
branches, rather than stable, but hopefully now you know why you should not
be fretting about this.

Cheers,
Phil.
-- 
|)|  Philip Hands [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/    http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,    GERMANY
Attachment:
signature.asc
Description: PGP signature
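The check Phil describes (split the Debian version string into its upstream and packaging parts, then see which of your CVE list the Debian changelog already mentions) as a small POSIX shell script. This is an added example, not code from the mail or from Debian's own tooling; the changelog excerpt is constructed for the example and the CVE-0000-NNNN identifiers in it are placeholders, not real CVEs. On a wheezy box the real text to feed it is the URL quoted above or `zcat /usr/share/doc/apache2/changelog.Debian.gz`.

```shell
#!/bin/sh
# Added example (not part of the original mail or of Debian's tooling).

# Split a Debian package version into upstream version and Debian revision.
# debian_version_split 2.2.22-13+deb7u4  ->  "2.2.22 13+deb7u4"
# The part before the last "-" is what upstream Apache calls its version;
# the part after it is the Debian packaging revision, including the
# "+deb7uN" stable-security uploads.
debian_version_split() {
    ver="$1"
    upstream="${ver%-*}"
    revision="${ver##*-}"
    printf '%s %s\n' "$upstream" "$revision"
}

# Constructed changelog excerpt in debian/changelog format. The CVE ids are
# placeholders (year 0000) chosen so they cannot collide with real CVEs.
CHANGELOG='apache2 (2.2.22-13+deb7u4) wheezy-security; urgency=medium

  * CVE-0000-0001: placeholder fix backported to wheezy

 -- Example Maintainer <maint@example.org>  Thu, 01 Jan 2015 00:00:00 +0000

apache2 (2.2.22-13+deb7u3) wheezy-security; urgency=medium

  * CVE-0000-0002: another placeholder fix

 -- Example Maintainer <maint@example.org>  Wed, 31 Dec 2014 00:00:00 +0000
'

# For each CVE id given, report whether the changelog text mentions it.
# Matching is anchored so that CVE-0000-000 does not match CVE-0000-0001.
# Prints one line per id and returns 1 if any id is not mentioned, so the
# caller can tell "all already fixed" from "something to look into".
cve_status() {
    changelog="$1"
    shift
    missing=0
    for cve in "$@"; do
        if printf '%s\n' "$changelog" \
            | grep -qE -- "(^|[^0-9A-Za-z-])${cve}([^0-9]|\$)"; then
            printf 'mentioned     %s\n' "$cve"
        else
            printf 'NOT mentioned %s\n' "$cve"
            missing=1
        fi
    done
    return "$missing"
}

# Stand-alone demo: one id fixed in deb7u4, one in deb7u3, one not at all.
debian_version_split 2.2.22-13+deb7u4
cve_status "$CHANGELOG" CVE-0000-0001 CVE-0000-0002 CVE-0000-0003 || :
```

A "NOT mentioned" result is a reason to look further, not proof of exposure: the CVE may not affect the Debian build, may have been fixed under a different id, or may be listed in the security tracker rather than the changelog, so confirm it there before raising an alarm.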