This question comes from my lack of understanding of package managers.
I run yum list and get httpd-2.4.6-40.el7.centos.4.x86_64
https://rpmfind.net/linux/RPM/centos/updates/7.2.1511/x86_64/Packages/httpd-2.4.6-40.el7.centos.4.x86_64.html
Build date: Mon Jul 18 17:32:11 2016
I did yum update && yum install httpd, will this get me the latest version of httpd?
Where can I check online to confirm my package/build is the latest?
How can I periodically install security patches for my version of httpd?
Update:
[centos ~]$ httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built: Jul 18 2016 15:30:14
[centos ~]$ rpm -q --changelog httpd | more
* Mon Jul 18 2016 CentOS Sources <bugs@centos.org> - 2.4.6-40.el7.centos.4
- Remove index.html, add centos-noindex.tar.gz
- change vstring
- change symlink for poweredby.png
- update welcome.conf with proper aliases
As Aaron mentioned, package managers like yum will only apply security patches as they prioritise stability (with security) over new features.
So after you do a "yum update" you will be on a patched version of httpd 2.4.6, which should have all the required security patches right up to the latest httpd release (2.4.23 at time of writing) but none of the other non-security changes (e.g. HTTP/2 support or any of the other features and bug fixes unless security related).
So it's not really 2.4.6 anymore, despite the name, but at the same time it's definitely not 2.4.23 either.
You can confirm the patches have been applied by running this command (as detailed here):
rpm -q --changelog httpd | more
Or perhaps, to check for a specific CVE:
rpm -q --changelog httpd | grep CVE-Number
And the vulnerabilities fixed in each version of Apache httpd (which should be backported within a short space of time by Red Hat/CentOS) are here:
https://httpd.apache.org/security/vulnerabilities_24.html or here: https://www.cvedetails.com/version-list/45/66/1/Apache-Http-Server.html
The best way to periodically install security updates is to do a "sudo yum update" regularly or consider installing yum-cron to do this for you. There is still some debate as to whether this should be fully automated in prod.
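The changelog check described in the answer above, extended to several CVEs at once. This is an added example, not part of the original answer: the function names are hypothetical, and the sample changelog and its CVE IDs are constructed placeholders.

```shell
#!/bin/sh
# Added example: compare a list of CVE IDs against an RPM changelog.
# Real use:  rpm -q --changelog httpd | missing_cves <CVE id> [<CVE id> ...]

# Print every distinct CVE ID mentioned in the changelog read from stdin.
changelog_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Usage: missing_cves ID... < changelog
# Prints each requested ID the changelog does not mention.
# Returns 0 if all were found, 1 if at least one is absent.
missing_cves() {
    mc_fixed=$(changelog_cves)
    mc_rc=0
    for mc_id in "$@"; do
        # -x: whole-line match, -F: fixed string, so an ID cannot match
        # as a prefix of a longer one.
        if ! printf '%s\n' "$mc_fixed" | grep -qxF -- "$mc_id"; then
            printf '%s\n' "$mc_id"
            mc_rc=1
        fi
    done
    return "$mc_rc"
}

# Constructed sample in the layout of `rpm -q --changelog` output.
# The CVE IDs below are placeholders, not real identifiers.
sample_changelog() {
    cat <<'EOF'
* Mon Jul 18 2016 Example Packager <packager@example.org> - 2.4.6-40.el7.4
- add security fix for CVE-0000-0001

* Tue Jun 21 2016 Example Packager <packager@example.org> - 2.4.6-40.el7.3
- core: fix request parsing (CVE-0000-0002, CVE-0000-0003)
- mod_example: unrelated bug fix (#1234567)
EOF
}

# Demo on the sample: the second ID is not in the changelog, so it is printed.
sample_changelog | missing_cves CVE-0000-0002 CVE-0000-0009 \
    || echo "^ not mentioned in the changelog"
```

An ID missing from the changelog is a prompt to look further, not proof of exposure: the packaged version may never have been affected, or the packager may have described the fix without naming the CVE.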
I have found a great repository with the latest packages for Nginx and Apache server, provided by these guys: CodeIT
I described the installation process in my blog post. Feel free to refer to it to get more details.
https://crosp.net/blog/administration/install-latest-apache-server-centos-7/
yum uses only the repositories it is configured to use; not just any RPM on the internet. That would be dangerous. If you have an up-to-date version of CentOS, they will release security updates for httpd. Once installed, a yum update will bring in patches.
CentOS is an Enterprise-level OS. They don't always have the "latest and greatest." You'll see they will stay with the same version, e.g. 2.4, but apply patches to it. The next major release of the OS would then have a more current version, e.g. 3.x. There are few exceptions, like Firefox, where they will stay with the ESR versions.