Recently I have had to deal with a lot of false-positive vulnerabilities in scanner results concerning the Apache version. Example of a false-positive vulnerability:
Apache 2.2 < 2.2.16 Multiple Vulnerabilities
Our customers run scanners, and they check the Apache version against the official Apache version numbering.
We use CentOS, and the Apache version numbering is different from the official Apache version numbering.
For example, we currently install httpd-2.2.15-26.el6.centos.x86_64,
and it includes all security patches released by Apache in recent versions.
The CentOS Apache version numbering follows the Red Hat Apache version numbering, and they do not change the base number (httpd-2.2.15) with each update.
But scanners do not “understand” this and check that 2.2.15 < 2.2.16.
Can you point me to a good document that explains the Red Hat Apache version numbering?
Do you know if there is a scanner that “understands” the Red Hat Apache version numbering?
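As an added illustration of the false positive described above (example code, not part of the original post): it parses the installed RPM package string, shows the banner-style comparison a scanner makes (base version 2.2.15 < 2.2.16, so "vulnerable"), and then applies the backport-aware check an administrator would do by hand, looking for the CVE identifier in the package changelog (`rpm -q --changelog httpd`). The changelog excerpt and the identifier CVE-0000-0000 are constructed placeholders, not real data.

```python
import re

# Package string as installed on the CentOS host from the question.
INSTALLED_PKG = "httpd-2.2.15-26.el6.centos.x86_64"

# Constructed excerpt in the format of `rpm -q --changelog httpd` output.
# CVE-0000-0000 is a placeholder, not a real identifier.
SAMPLE_CHANGELOG = """\
* Tue Jan 01 2013 Example Maintainer <maint@example.invalid> - 2.2.15-26
- add security fix for CVE-0000-0000 (backported from upstream 2.2.16)
* Mon Dec 03 2012 Example Maintainer <maint@example.invalid> - 2.2.15-25
- rebuild
"""

# name-version-release.arch; the release may contain dots (26.el6.centos).
NVRA_RE = re.compile(
    r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$"
)


def parse_nvra(pkg: str) -> dict:
    """Split an RPM package string into name, version, release and arch."""
    m = NVRA_RE.match(pkg)
    if not m:
        raise ValueError(f"not an RPM NVRA string: {pkg}")
    return m.groupdict()


def version_tuple(version: str) -> tuple:
    """Turn '2.2.15' into (2, 2, 15) so it compares numerically."""
    return tuple(int(part) for part in version.split("."))


def naive_scanner_verdict(pkg: str, fixed_upstream: str) -> bool:
    """Banner-style check: 'vulnerable' iff base version < upstream fixed version."""
    base = parse_nvra(pkg)["version"]
    return version_tuple(base) < version_tuple(fixed_upstream)


def backport_aware_verdict(pkg: str, fixed_upstream: str, cve: str, changelog: str) -> bool:
    """Vulnerable only if the base version is too old AND the changelog
    (from `rpm -q --changelog <pkg>`) does not record a backported fix for the CVE."""
    if not naive_scanner_verdict(pkg, fixed_upstream):
        return False
    return re.search(re.escape(cve) + r"\b", changelog) is None
```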