Hacker News
by ars 4472 days ago
Please tell me you are joking.

There is no way you could possibly keep up with every vulnerability of everything installed on your server.

> If somebody breaks in and gets a local shell, all is lost anyway.

That is not true at all. You should run your server such that someone could get a shell running as the apache user - and still be able to do very little. They could read files and the database (which is bad), but not modify any files (which would be worse).

2 comments
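The "read but not modify" layout the comment above describes comes down to file ownership and mode bits on the web root. The following is an added example, not code from the thread or from any poster: it locks a tree down so the deploy account owns everything and the web server's account (assumed here to be a member of the deploy group, e.g. www-data, which is an illustrative name) can only read, then audits the tree for anything still writable by group or others. The directory layout and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumption: the web server runs as an unprivileged account (e.g. www-data)
# that owns no files under the web root and is only a member of the group
# that owns the tree, so group-read without group-write gives it read-only access.

# List every path under $1 with a group or other write bit set.
# On a correctly deployed tree this prints nothing.
find_writable_by_others() {
    find "$1" -perm /022 -print | sort
}

# Same audit, but as a count (handy for scripts and monitoring).
count_writable_by_others() {
    find_writable_by_others "$1" | wc -l | tr -d ' '
}

# Directories 0750, files 0640: owner (deploy account) may write,
# group (web server account) may only read, others get nothing.
lock_down_webroot() {
    find "$1" -type d -exec chmod 0750 {} +
    find "$1" -type f -exec chmod 0640 {} +
}

# Demo on a constructed tree with two deliberate mistakes.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/htdocs" "$root/uploads"
    printf '<?php echo "hi";' > "$root/htdocs/index.php"
    chmod 0666 "$root/htdocs/index.php"   # mistake: world-writable code
    chmod 0777 "$root/uploads"            # mistake: world-writable directory
    echo "writable before lock-down: $(count_writable_by_others "$root")"
    lock_down_webroot "$root"
    echo "writable after lock-down:  $(count_writable_by_others "$root")"
    rm -rf "$root"
}
```

Anything the application legitimately has to write (uploads, caches, sessions) belongs outside the code tree, in a directory the web server account can write but the server will not execute or interpret; otherwise a shell as that account is one file write away from persistent code execution. The `-perm /022` syntax is GNU find.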

Of course I can and will keep up with every vulnerability for every service that is running and facing the Internet.

I do not accept the risk of waiting for some vendor to release a patch. If there's a hole, read the report, determine whether your config/build is vulnerable, rebuild.

Why would you want to patch something you are not running or using?

WRT local shells, it might well be a good idea to assume someone who got a shell as apache could use a privilege escalation 0-day and do some more damage. Hopefully your deployment process is such that starting from scratch isn't a huge hardship. I'd appreciate it if someone with actual security experience (not me) weighed in...
It's very naive to think that you can protect a box from somebody with a local shell. Never worked.