You get a warning about system software being out of date or insecure

Problem Description

You're told by either software you're running or security scanning software that something on your server is old and/or insecure. Here are some common examples:

  • cURL: You receive a notification or warning from Yoast for WordPress or WooCommerce that indicates you have an outdated version of cURL. The error message may look similar to this: "Your server has an outdated version of the PHP module cURL (Version: 7.19.7). Please ask your hosting company to update this to a recent version of cURL. [...] (looks like 7.19.7 is 7.8 years old)"
  • OpenSSH: PCI or other security scanners report that the OpenSSH version you're running is too old and not patched against known vulnerabilities.

Problem Resolution

These warnings and errors stem from a misunderstanding of how versioning works on stable server environments. They can be safely ignored.

Backporting: AlmaLinux and CentOS are the operating systems we run on all of our servers. They are considered the most well-tested and stable enterprise-grade Linux operating systems, used for hosting most of the world's websites. To ensure that newer versions of software don't break applications that rely on it continuing to behave the same way over time, the AlmaLinux and CentOS development teams do not upgrade a package to the latest upstream version. Instead, they painstakingly take every security patch applied to the latest upstream release and back-port it to the version originally shipped with the operating system, keeping the version number the same and adjusting only the package release number. This ensures that the behavioural changes that frequently come with major version upgrades cannot bring down software on the server that expects the older behaviour, and it is therefore an incredibly important methodology for maintaining stability over time.

Versioning: The upstream version of the software always stays the same, but the package release number changes. For example, CentOS 6.7 ships OpenSSL version 1.0.1e with a release of 30.el6_6.7. The number 30 identifies the specific build of 1.0.1e that the CentOS developers have released for their OS, and it represents all of the patches they've backported from newer versions of OpenSSL such as 1.0.2 and 1.1.

As a result of this packaging methodology, external scanners will always show the software as out of date, because they either do not see the release number or do not account for the difference between the upstream version and the patched package release.

Shared Hosting & VPS with Hands-On Support: Rest assured that, as part of our security regimen, we update all system packages with the latest patched releases on a regular basis. You may not see a major version change, but the release-number updates in the back-end apply the same security patches that newer versions of the software receive. If you actually require newer features from a newer version of cURL (or other software in the same situation), we suggest obtaining a VPS, where you can override the stable system packages however you like.

VPS Without Hands-On Support: If you are operating your own VPS, ensuring you're running the latest security patches is as simple as updating the operating system. For example, if your operating system is CentOS, run yum update. Then check all system services to ensure everything is running smoothly.

Note that even after updating system packages, you will not have the very latest version of the software. Instead you will have the same version, but an updated release as provided by the operating system's developers. See the Backporting and Versioning info above.
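As an added illustration of the Versioning point above (example code, not part of this article or of any vendor tool), the script below does what a backport-aware check has to do: split a package's name-version-release string, then read the package changelog (the format printed by rpm -q --changelog on CentOS/AlmaLinux) to see which release carried the fix for a given CVE. The changelog text and CVE ids are constructed placeholders, not real advisories.

```python
import re

# Constructed sample in the shape of `rpm -q --changelog openssl` output.
# CVE ids are placeholders. Note the version stays 1.0.1e; only the release advances.
SAMPLE_CHANGELOG = """\
* Tue Jun 30 2015 Package Maintainer <maint@example.com> 1.0.1e-30.7
- fix CVE-0000-0003 - placeholder for a backported fix

* Thu Mar 19 2015 Package Maintainer <maint@example.com> 1.0.1e-30.6
- fix CVE-0000-0001 - placeholder for a backported fix
- fix CVE-0000-0002 - placeholder for a backported fix
"""

NVR_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)$")
HEADER_RE = re.compile(r"^\* .*?(?P<evr>\S+)$")   # changelog entry header ends in version-release
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_nvr(nvr):
    """Split 'openssl-1.0.1e-30.el6_6.7' into (name, version, release).
    A version-only scanner looks at the middle field; the backports live in the last one."""
    m = NVR_RE.match(nvr)
    if not m:
        raise ValueError("not a name-version-release string: %r" % nvr)
    return m.group("name"), m.group("version"), m.group("release")


def fixes_by_release(changelog):
    """Map each changelog entry's version-release to the set of CVE ids it mentions."""
    fixes, current = {}, None
    for line in changelog.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group("evr")
            fixes.setdefault(current, set())
        elif current and line.startswith("-"):
            fixes[current].update(CVE_RE.findall(line))
    return fixes


def fixed_in_release(cve, changelog):
    """Return the version-release whose changelog entry records the fix, or None."""
    for evr, cves in fixes_by_release(changelog).items():
        if cve in cves:
            return evr
    return None


if __name__ == "__main__":
    print(parse_nvr("openssl-1.0.1e-30.el6_6.7"))
    print(fixed_in_release("CVE-0000-0002", SAMPLE_CHANGELOG))
```

On a real host, feed it the output of rpm -q openssl and rpm -q --changelog openssl; a CVE that appears in an installed release is patched even though the upstream version string still reads 1.0.1e.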

You should report this to your security scanner vendor and ask them to take backported patches into account.
