Recently a security admin did an audit on one of our sites and came back to me telling me we needed to update our FreePBX box to PHP 7 and Apache 2.4. I don’t like going outside of the distro repositories, and as far as I understand it that’s really how it’s supposed to be.
What should my response be to this request? Would it cause issues to upgrade those packages from web sources / custom repositories? I see Apache 2.4 is available in the RHSCL, but again that repository is not available in the distro by default.
To which the appropriate response is “why?”
Correct answers include “because they are the most current” and “because of the following CVE entries.”
In general, though, your response will have to be something along the lines of “the distribution we are using is locked down and the services we require in the distribution require these versions of PHP and Apache.”
Upgrading for the sake of upgrading is a fool’s method for security. As users of these distributions, we are on a stable version of the system and have, in fact, run through many security audits with the existing system. The system upgrades as a system, so unless they have some specific vulnerability, your response should be a “supportive No”.
One thing you will also want to look into is that Red Hat back-ports security fixes without bumping the release number. So you may already be okay; read this article for details: https://access.redhat.com/security/updates/backporting/?sc_cid=3093
This is a BS audit. All they do is look for CVEs and say PHP version blah has these vulnerabilities, but Red Hat back-ports all security fixes into their version of PHP and Apache, and hence they make their way into CentOS and to us and everyone else based on RHEL. This is an audit firm who doesn’t understand backports. Have them prove a vulnerability exists with an exploit.
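The replies above both hinge on the same check: whether a named CVE is already fixed in the installed RHEL/CentOS package even though the version string still reads 2.4.6 or 5.x. Red Hat records each back-ported fix in the RPM changelog, so the answer to an auditor's version-scanner finding is the changelog, not the version number. The script below is an added example written for this thread, not code from the FreePBX project or from any poster; it parses changelog text in the format `rpm -q --changelog` prints and reports whether a given CVE id appears. The sample changelog, the packager name and the CVE ids in it are constructed placeholders, not real advisories.

```shell
#!/bin/sh
# Added example: verify a back-ported CVE fix via the RPM changelog.
# On a real RHEL/CentOS host the changelog comes from:  rpm -q --changelog httpd
# Everything below the comment is constructed sample data with placeholder CVE ids.

SAMPLE_CHANGELOG='* Tue Jan 01 2019 Example Packager <packager@example.invalid> - 2.4.6-88
- Resolves: #0000001 - CVE-0000-00001 httpd: placeholder fix (constructed)
- Resolves: #0000002 - CVE-0000-00002 httpd: another placeholder fix (constructed)

* Mon Jun 04 2018 Example Packager <packager@example.invalid> - 2.4.6-80
- rebuild for a constructed sample'

# cve_in_changelog CVE-ID CHANGELOG_TEXT
# Prints every changelog line that names the CVE. Exit 0 if found, 1 if not.
# Case-insensitive fixed-string match, so "cve-0000-00001" also matches.
cve_in_changelog() {
    cve="$1"
    changelog="$2"
    printf '%s\n' "$changelog" | grep -F -i -- "$cve"
}

# count_cves CHANGELOG_TEXT
# Prints the number of distinct CVE ids mentioned anywhere in the changelog,
# a quick measure of how many fixes arrived without a version bump.
count_cves() {
    printf '%s\n' "$1" | grep -o -E 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u | wc -l | tr -d ' '
}

# installed_changelog PKG
# Fetches the real changelog from rpm when rpm exists on this host;
# exits 2 otherwise so callers can fall back to a saved copy.
installed_changelog() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available on this host" >&2; return 2; }
    rpm -q --changelog "$1"
}

# Demonstration on the constructed sample (an auditor's scanner would see only "2.4.6").
if cve_in_changelog CVE-0000-00001 "$SAMPLE_CHANGELOG"; then
    echo "CVE-0000-00001 is recorded as fixed in the package changelog"
else
    echo "CVE-0000-00001 is NOT mentioned in the changelog; investigate further"
fi
echo "distinct CVE ids in sample changelog: $(count_cves "$SAMPLE_CHANGELOG")"
```

On a live box, replace the sample with `installed_changelog httpd` or `installed_changelog php` and pass each CVE id from the audit report to `cve_in_changelog`. A CVE that is absent from the changelog is the only kind worth escalating; one that is present is already handled by the distribution's back-port, exactly as the Red Hat backporting article describes.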