
I have installed RHEL 9.4, which is the latest version of RHEL available. The IT department found multiple vulnerabilities in the installed Apache software 2.4.57. From the official website, the latest version of Apache available for RHEL 9.4 is version 2.4.57.

How can I install a later version (e.g. >2.4.62) to fix the vulnerabilities? Or what should I do if I cannot install a newer version?


1 Answer


Part of the (social) contract stable or enterprise distributions have with their users is stability. Not as in not crashing, but as in things not changing. What you set up today will still run and be secure in ten years, if that's the support period.

This means that they can't change Apache versions. That would break things for customers, and customers that pay for stability tend to be annoyed when they don't get it.

What Red Hat and others do is to backport fixes. When a vulnerability is discovered, they will figure out how to apply the fix to older versions. The Apache project will generally only patch the latest version, but Ubuntu, Debian, Red Hat and others will backport it to the version they use.

Thus you can't look at the version number to determine what vulnerabilities are present. A good source for Red Hat is RHSA, which will tell you when a particular vulnerability is closed.
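As an added example (not part of the answer above): one way to triage a scanner's CVE list against backported fixes is to search the package's own changelog, produced with `rpm -q --changelog httpd`, for each CVE id. The function names, the sample changelog and the `CVE-0000-*` ids below are constructed placeholders, and the script assumes the packager names the CVE in the changelog entry that fixes it.

```bash
#!/usr/bin/env bash
# On a real host, produce the input with:
#   rpm -q --changelog httpd > httpd.changelog
#   triage_cves httpd.changelog <CVE ids from the scanner report>

# Constructed sample changelog (placeholder CVE ids, not real Red Hat data).
sample_changelog() {
cat <<'EOF'
* Mon Jan 01 2024 Example Packager <packager@example.com> - 2.4.57-99
- Resolves: RHEL-00002 - httpd: example issue (CVE-0000-11111)

* Fri Dec 01 2023 Example Packager <packager@example.com> - 2.4.57-98
- Resolves: RHEL-00001 - mod_example: example issue (cve-0000-22222)
EOF
}

# Print the version-release of the changelog entry that names the CVE.
# $1 = changelog file, $2 = CVE id. Tokens are compared whole, so a
# truncated id such as CVE-0000-2222 does not match CVE-0000-22222.
fixed_in_release() {
  awk -v cve="$2" '
    /^\* / { rel = $NF }            # entry header ends in version-release
    {
      n = split($0, tok, /[^A-Za-z0-9-]+/)
      for (i = 1; i <= n; i++)
        if (toupper(tok[i]) == toupper(cve)) found = rel
    }
    # The changelog is newest-first, so the last match is the release
    # that first carried the fix.
    END { if (found != "") print found }' "$1"
}

# Report each CVE as backported or as needing a manual advisory lookup.
triage_cves() (
  log=$1; shift
  for cve in "$@"; do
    rel=$(fixed_in_release "$log" "$cve")
    if [ -n "$rel" ]; then
      echo "$cve backported-in $rel"
    else
      echo "$cve not-in-changelog (check the RHSA for this CVE)"
    fi
  done
)

demo_log=$(mktemp); sample_changelog > "$demo_log"
triage_cves "$demo_log" CVE-0000-11111 CVE-0000-22222 CVE-0000-33333
rm -f "$demo_log"
```

A CVE missing from the changelog is not proof the package is vulnerable; the RHSA or Red Hat's page for that CVE may list the package as not affected.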
