steve nutt wrote:
> For instance we have a SLOX 4.1 mail server that is based in part on Suse Enterprise Server 8.0 and United Linux that is running apache-1.3.26-163. Now this is a very old version of apache but what is the “163” exactly?
Nothing more than a serial number. Every time the 'apache-1.3.26' package is modified, the number goes up (not necessarily by one).
> I need to know if this version is still vulnerable. How do I know what was fixed within this version, and for that matter earlier versions?
By using RPM: rpm -q --changelog apache-1.3.26 will tell you the history of this package.
> Someone said the fix is backported or something. What does backported mean?
It means that problems that are fixed in a later version are fixed in a previous version. For example, 'apache-1.3.27' may fix some security problems in 'apache-1.3.26'. But it may also have new features or other things unrelated to security problems. Backporting means that the security fixes are included in the old version, but all other things are left like they are.
> Why don’t they just upgrade to the newer version with the fix?
They usually don't, as other packages may depend on parts of that version. Upgrading to a new version will break those dependencies.

Best regards,
Arjen
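The check described in this reply, as an added example that is not part of the original message: the script splits a package label into name, version and release, and searches `rpm -q --changelog` output for an advisory identifier. The function names, the sample changelog and the identifier `CVE-0000-0001` are constructed placeholders.

```shell
#!/bin/sh
# Added example. Function names and sample data are assumptions, not from the thread.

# Split an RPM label "name-version-release" into its three parts.
# The release is the text after the last '-', the version the field before it.
split_nvr() {
    nvr=$1
    release=${nvr##*-}
    rest=${nvr%-*}
    version=${rest##*-}
    name=${rest%-*}
    printf '%s %s %s\n' "$name" "$version" "$release"
}

# Read `rpm -q --changelog` output on stdin and print the header line
# ("* date packager") of every entry whose body mentions the id in $1.
changelog_mentions() {
    awk -v id="$1" '
        /^\* /                      { header = $0; printed = 0; next }
        index($0, id) && !printed   { print header; printed = 1 }
    '
}

# Succeeds when at least one changelog entry on stdin mentions the id.
is_fix_backported() {
    [ -n "$(changelog_mentions "$1")" ]
}

# Constructed changelog text in the layout rpm prints (not real package data).
sample_changelog() {
    cat <<'EOF'
* Mon Jan 01 2001 maintainer@example.com
- security fix: backport patch for CVE-0000-0001 from upstream 1.3.27

* Sun Dec 31 2000 maintainer@example.com
- fix init script

EOF
}

# On a real system the input would come from the command given in the reply:
#   rpm -q --changelog apache-1.3.26 | changelog_mentions CVE-0000-0001
split_nvr apache-1.3.26-163
sample_changelog | changelog_mentions CVE-0000-0001
```

A match shows that the packager recorded the fix in that release; no match only means the changelog does not name the identifier, so the vendor's advisory for the package is the next place to look.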