CentOS verify backported PHP and Apache fixes

I understand that Red Hat backports CVE fixes to Apache and PHP for CentOS as updates where the version number doesn't necessarily increase, and that I can get these fixes with yum update php etc., so whilst looking at the version number it may appear to be vulnerable to CVE xyz, it could actually have the fixes. Please correct me if this is wrong.

How can I verify which CVE numbers are patched in my current PHP and Apache on a CentOS box?


Solution 1:

You can look at the changelog to see what the packagers say they did:

$ rpm -q --changelog httpd
* Sun Feb 12 2012 Johnny Hughes <[email protected]> - 2.2.15-15.1.el6.centos
- Roll in CentOS Branding

* Mon Feb 06 2012 Joe Orton <[email protected]> - 2.2.15-15.1
- add security fixes for CVE-2011-4317, CVE-2012-0053, CVE-2012-0031,
  CVE-2011-3607 (#787598)
- obviates fix for CVE-2011-3638, patch removed

and so on.

I suppose you can trust the packager to do what they said they did.

If not, you can grab the source RPM, unpack it, and look at the set of patches being applied to the source tarball as it builds.
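As an added example (not part of the answer above), here is a small POSIX shell helper that automates the changelog check the answer describes. The changelog text used for the self-test is constructed from the httpd entries quoted above; the function names (list_cves, cve_mentions, check_pkg) are my own and not part of rpm or yum. The package name passed to check_pkg is an assumption for illustration; substitute php, httpd or whatever you have installed.

```shell
#!/bin/sh
# Helper functions for auditing backported fixes via the RPM changelog.
# Works on whatever text is fed on stdin, so it can be unit-tested
# without rpm present and then pointed at `rpm -q --changelog` for real.

# list_cves: print every distinct CVE identifier found in changelog text
# on stdin, one per line, sorted. Note this lists *mentions*: the sample
# below includes CVE-2011-3638, which the packager says was obviated,
# not fixed, so always read the surrounding line before concluding.
list_cves() {
  LC_ALL=C grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | LC_ALL=C sort -u
}

# cve_mentions: print the changelog lines that mention the CVE given as $1
# (exit status 0 if at least one line matched, 1 otherwise).
cve_mentions() {
  grep -F -- "$1"
}

# check_pkg PKG CVE: query the installed package's changelog and show the
# lines mentioning the CVE. Requires rpm, so it is not exercised offline.
check_pkg() {
  pkg=$1
  cve=$2
  rpm -q --changelog "$pkg" | cve_mentions "$cve"
}

# sample_changelog: constructed sample, copied from the httpd entries
# quoted in the answer, used for the self-test below.
sample_changelog() {
  cat <<'EOF'
* Sun Feb 12 2012 Johnny Hughes - 2.2.15-15.1.el6.centos
- Roll in CentOS Branding

* Mon Feb 06 2012 Joe Orton - 2.2.15-15.1
- add security fixes for CVE-2011-4317, CVE-2012-0053, CVE-2012-0031,
  CVE-2011-3607 (#787598)
- obviates fix for CVE-2011-3638, patch removed
EOF
}

# Stand-alone usage: list the CVEs in the sample, then show context for one.
if [ "${RUN_SAMPLE:-0}" = "1" ]; then
  sample_changelog | list_cves
  sample_changelog | cve_mentions CVE-2011-3638
fi
```

On a real box, `rpm -q --changelog php | cve_mentions CVE-xxxx-yyyy` (or `check_pkg php CVE-xxxx-yyyy`) answers the question directly; an empty result means the packager never mentioned that CVE, which is a reason to check the errata rather than proof the system is vulnerable.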