CentOS 7 get latest Apache package


As Aaron mentioned, package managers like yum will only apply security patches as they prioritise stability (with security) over new features.

So after you do a "yum update" you will be on a patched version of httpd 2.4.6 which should have all the required security patches right up to the latest httpd release (2.4.23 at time of writing) but none of the other non-security changes (e.g. HTTP/2 support or any of the other features and bug fixes unless security related).

So it's not really 2.4.6 anymore, despite the name, but at the same time it's definitely not 2.4.23 either.

You can confirm the patches have been applied by running this command (as detailed here):

rpm -q --changelog httpd | more

Or perhaps, to check for a specific CVE:

rpm -q --changelog httpd | grep CVE-Number

And the vulnerabilities fixed in each version of Apache httpd (which should be backported within a short space of time by Red Hat/CentOS) are here: https://httpd.apache.org/security/vulnerabilities_24.html or here: https://www.cvedetails.com/version-list/45/66/1/Apache-Http-Server.html

The best way to periodically install security updates is to do a "sudo yum update" regularly or consider installing yum-cron to do this for you. There is still some debate as to whether this should be fully automated in prod.

Author by

Admin

Updated on July 14, 2022
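
An added example, not part of the original answer: a plain `grep` for a CVE ID also matches longer IDs that merely start with it, and does not say which package release carried the fix. This sh function reads `rpm -q --changelog` output on stdin, matches each ID exactly, and prints the release and date of the newest entry that mentions it. The function names, the CVE IDs and the second release string are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original answer). Reads `rpm -q --changelog`
# text on stdin and reports, per CVE ID argument, the newest package release
# whose changelog mentions it. Exit status 1 if any ID is absent.
check_backports() {
    awk -v ids="$*" '
    # True only for an exact ID: CVE-0000-0001 must not match CVE-0000-00011.
    function has_id(line, id,    pos) {
        while ((pos = index(line, id)) > 0) {
            line = substr(line, pos + length(id))
            if (line !~ /^[0-9]/) return 1
        }
        return 0
    }
    BEGIN { n = split(ids, want, " ") }
    # Entry header: "* Day Mon DD YYYY Packager <mail> - version-release"
    /^\* / { rel = $NF; date = $3 " " $4 " " $5; next }
    {
        for (i = 1; i <= n; i++)
            if (!(want[i] in found) && has_id($0, want[i]))
                found[want[i]] = rel " (" date ")"
    }
    END {
        for (i = 1; i <= n; i++) {
            if (want[i] in found) print want[i] ": fixed in " found[want[i]]
            else { print want[i] ": no changelog entry"; missing = 1 }
        }
        exit (missing ? 1 : 0)
    }'
}

# Constructed sample changelog; the CVE IDs are placeholders, not real CVEs.
sample_changelog() {
    cat <<'EOF'
* Mon Jul 18 2016 Example Packager <pkg@example.invalid> - 2.4.6-40.el7.centos.4
- add security fix for CVE-0000-0001
* Tue Jan 05 2016 Example Packager <pkg@example.invalid> - 2.4.6-PLACEHOLDER.el7
- fix crash on reload
- add security fixes for CVE-0000-00011, CVE-0000-0002
EOF
}

# On a real host: rpm -q --changelog httpd | check_backports CVE-...
sample_changelog | check_backports CVE-0000-0001 CVE-0000-0002 CVE-0000-0003 ||
    echo "at least one fix is not in the changelog"
```

The non-zero exit status makes the function usable in a cron job or compliance check that should alert when an expected fix is missing from the installed package.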

Comments

  • Admin
    Admin almost 2 years

    This question comes from my lack of understanding of package managers. I run yum list and get httpd-2.4.6-40.el7.centos.4.x86_64

    https://rpmfind.net/linux/RPM/centos/updates/7.2.1511/x86_64/Packages/httpd-2.4.6-40.el7.centos.4.x86_64.html

    Build date: Mon Jul 18 17:32:11 2016
    

    I did yum update && yum install httpd. Will this get me the latest version of httpd?

    Where can I check online to confirm my package/build is the latest?

    How can I periodically install security patches for my version of httpd?

    Update

    [centos ~]$ httpd -v
    Server version: Apache/2.4.6 (CentOS)
    Server built:   Jul 18 2016 15:30:14
    
    [centos ~]$ rpm -q --changelog httpd | more
    * Mon Jul 18 2016 CentOS Sources <[email protected]> - 2.4.6-40.el7.centos.4
    - Remove index.html, add centos-noindex.tar.gz
    - change vstring
    - change symlink for poweredby.png
    - update welcome.conf with proper aliases
    
  • Admin
    Admin over 7 years
    OK, I am getting a better understanding, thank you. I edited my question with some more output from my system. Looking at httpd.apache.org/security/vulnerabilities_24.html I see security patches from as recent as this December; my system's latest patch is from July 18th, 2016. Is this because my version of httpd does not need a patch for the version listed on the above URL?
  • Barry Pollard
    Barry Pollard over 7 years
    OK, you've included the header, which is the first part of the output, but below that it should also list all security patches it has applied and from what date, including the CVE numbers where appropriate. So does this answer your question?
  • Admin
    Admin over 7 years
    Yeah, I completely understand now, I just needed to be spoon-fed the answer. Shortly after reading your response I was able to confirm that the latest patch on httpd.apache.org matches the latest entry in the changelog. Looking at affects: ... made me realize that updates are version dependent.