Certain operating systems (OS) deliver patches back to older versions of the OS when software in those versions needs to be updated. This is done because the older OS versions are still supported but receive only minor and critical updates.
For example, Apache2 on Debian 8 can receive a minor patch version delivered to address a vulnerability, while Apache2 on the latest Debian 10 would receive the official patched version from the Apache2 project, as it is the latest supported version running.
This concept is known as backported patches: the official patches for the software are backported to an older version to address a common issue or vulnerability.
Security Center automatically takes backported patches into account when scanning and analysing the most common software and operating systems that use this concept. The list of backported patches is maintained by Holm Security and is continuously updated when we identify newly available backported patched versions.
This feature cannot be turned off and is enabled by default on all scans carried out through the platform.
When backported versions have been identified, an INFO level vulnerability is automatically created with information about which software was identified and how it was affected by the backported logic.
For example, version 2.1.32 of Apache2 could be re-mapped internally to version 2.1.99 by the backported logic to avoid reporting a false positive. This is all visible in the INFO level vulnerability, which you can find by searching for "backported". Hence you might see the version 2.1.99 on certain vulnerabilities; this is the result of the backported logic and does not affect the result negatively.
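The re-mapping described above, as an added illustration that is not Security Center's or Holm Security's own code: a detected version is looked up in a backport table before it is compared against a vulnerability's fixed-in version, and an INFO note records the re-mapping. The 2.1.32 to 2.1.99 pair is taken from the article; the OS name, the fixed-in version and the id "EXAMPLE-0001" are constructed placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed mapping: (product, OS) -> {detected version: effective upstream version}.
# The 2.1.32 -> 2.1.99 pair is the article's illustrative example; the OS name is assumed.
BACKPORT_MAP: Dict[Tuple[str, str], Dict[str, str]] = {
    ("apache2", "debian 8"): {"2.1.32": "2.1.99"},
}

# Constructed vulnerability table with a placeholder id, not a real advisory.
VULN_TABLE: List[Dict[str, str]] = [
    {"id": "EXAMPLE-0001", "product": "apache2", "fixed_in": "2.1.40"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn the upstream part of a version string into a comparable tuple.

    Distribution suffixes such as '-3+deb8u1' are cut off at the first '-'.
    """
    upstream = version.split("-", 1)[0]
    return tuple(int(part) for part in re.findall(r"\d+", upstream))


def effective_version(product: str, os_name: str, detected: str) -> str:
    """Return the version to compare against, re-mapped if a backport is known."""
    return BACKPORT_MAP.get((product, os_name), {}).get(detected, detected)


def assess(product: str, os_name: str, detected: str) -> Tuple[str, List[str], Optional[str]]:
    """Backport-aware check: returns (effective version, matching ids, INFO note or None)."""
    effective = effective_version(product, os_name, detected)
    matches = [
        v["id"]
        for v in VULN_TABLE
        if v["product"] == product and parse_version(effective) < parse_version(v["fixed_in"])
    ]
    info = None
    if effective != detected:
        # Mirrors the INFO level finding the article describes: the re-mapping is made visible.
        info = f"INFO backported: {product} {detected} on {os_name} treated as {effective}"
    return effective, matches, info


if __name__ == "__main__":
    print(assess("apache2", "debian 8", "2.1.32"))   # re-mapped to 2.1.99, no match
    print(assess("apache2", "debian 10", "2.1.32"))  # no mapping, EXAMPLE-0001 matches
```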
Examples of software receiving backported patches:
- Apache Tomcat
Examples of operating systems using backported patches:
- Oracle Linux/Solaris
- Mac OS X