steph b wrote:

> I recently audited my company and saw in the server response the HTTP server
> version (e.g. for Debian buster: Apache v2.4.38).
>
> 1st, I know that this response must not contain this information:
>
> ServerSignature Off
> ServerTokens Prod
>
> 2nd, when I search for CVEs about this version, I get a list of them here:
> https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/version_id-278546/Apache-Http-Server-2.4.38.html
>
> Because I'm just a student, when I saw all these CVEs, I wrote in my report
> "Update this Apache version", but I was surprised to learn that the version
> was already up to date!
>
> So this is my question:
>
> How to know exactly if this package is already updated?
>
> I have seen in your FAQ: https://www.debian.org/security/faq#version
>
> But for apache2, the commands I know are:
>
> apache2 -v or httpd -v
>
> which return: Server version: Apache/2.4.38 (Debian)
>
> But how to compare exactly the version, or how to know which security patches
> are applied or missing for this package?

zless "/usr/share/doc/apache2/changelog.Debian.gz"

The changelog will include appropriate CVEs.

-dsr-
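As an added example (not part of the list post, and not a Debian tool), a small POSIX shell script that automates the advice above: read the installed Debian package version (whose `-N+debXuN` suffix is what distinguishes a patched backport from the bare upstream 2.4.38) and extract the CVE identifiers that the Debian changelog records as fixed. The package name and the `/usr/share/doc/<pkg>/changelog.Debian.gz` path are Debian conventions; the sample changelog the script builds for offline use is constructed, and its CVE ids are placeholders, not real identifiers.

```shell
#!/bin/sh
# Added example: compare what is installed with what the Debian changelog says
# was fixed, instead of judging by the upstream version string alone.

# Installed Debian version of a package, e.g. "2.4.38-3+deb10u4" (assumes dpkg).
installed_version() {
    dpkg-query -W -f='${Version}\n' "$1" 2>/dev/null
}

# List the unique CVE identifiers mentioned in a plain or gzipped changelog.
cves_in_changelog() {
    if [ "${1##*.}" = "gz" ]; then
        zcat "$1"
    else
        cat "$1"
    fi | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit status 0 if the changelog mentions the given CVE id, 1 otherwise.
changelog_fixes_cve() {
    cves_in_changelog "$1" | grep -qx "$2"
}

# Constructed sample in Debian changelog format with placeholder CVE ids,
# so the functions above can be exercised without a Debian system.
make_sample_changelog() {
    dir=$(mktemp -d)
    cat > "$dir/changelog.Debian" <<'EOF'
apache2 (2.4.38-3+deb10u4) buster-security; urgency=medium

  * CVE-0000-00001: placeholder entry for a fix backported to 2.4.38.
  * CVE-0000-00002: second placeholder entry.

 -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000

apache2 (2.4.38-3) unstable; urgency=medium

  * New upstream release.

 -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000
EOF
    gzip "$dir/changelog.Debian"
    echo "$dir/changelog.Debian.gz"
}

# Run with --real on a Debian host to inspect the actual apache2 package.
if [ "${1:-}" = "--real" ]; then
    echo "installed apache2 version: $(installed_version apache2)"
    echo "CVEs mentioned in the Debian changelog:"
    cves_in_changelog /usr/share/doc/apache2/changelog.Debian.gz
fi
```

Usage: `sh check_apache_changelog.sh --real` on the audited host prints the dpkg version and the CVE list; `changelog_fixes_cve /usr/share/doc/apache2/changelog.Debian.gz CVE-XXXX-YYYY` answers the question for one specific id from the cvedetails list. A CVE missing from the changelog is not automatically unpatched: it may be listed as not affecting Debian in the security tracker, so the changelog is the first check, not the only one.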