I understand that Red Hat backports CVE fixes to Apache and PHP for CentOS as updates where the version number doesn't necessarily increase, and that I can get these fixes with yum update php etc., so whilst looking at the version number it may appear to be vulnerable to CVE xyz, it could actually have the fixes. Please correct me if this is wrong.
How can I verify which CVE numbers are patched in my current PHP and Apache on a CentOS box?
You can look at the changelog to see what the packagers say they did:
and so on.
I suppose you can trust the packager to do what they said they did.
If not, you can grab the source RPM, unpack it, and look at the set of patches being applied to the source tarball as it builds.
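As an added example (not part of the answer above), the two checks it describes in script form: pull CVE identifiers out of an installed package's rpm changelog, and list the Patch entries a source RPM's spec file applies to the upstream tarball. The live helpers assume an RPM-based host with rpm, rpm2cpio and cpio; the sample changelog and spec text are constructed with placeholder CVE numbers so the parsing runs anywhere.

```shell
# Print the sorted, unique CVE identifiers found in changelog text on stdin.
cves_in_text() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 if the text on stdin mentions CVE $1 exactly, 1 otherwise.
text_mentions_cve() {
    cves_in_text | grep -qx "$1"
}

# Live variant: CVEs the packager claims to have fixed in installed package $1.
cves_in_package() {
    rpm -q --changelog "$1" | cves_in_text
}

# Print the Patch entries declared in spec-file text on stdin
# (the patches actually applied to the source tarball at build time).
patches_in_spec() {
    grep -E '^Patch[0-9]*[[:space:]]*:' | sed -E 's/^Patch[0-9]*[[:space:]]*:[[:space:]]*//'
}

# Live variant: unpack source RPM $1 (path) into a temp dir and list its patches.
patches_in_srpm() {
    dir=$(mktemp -d) || return 1
    rpm2cpio "$1" | (cd "$dir" && cpio -idm --quiet) || return 1
    cat "$dir"/*.spec | patches_in_spec
}

# Constructed sample data; CVE-0000-000x are placeholders, not real advisories.
SAMPLE_CHANGELOG='* Mon Jan 01 2012 Packager <pkg@example.invalid> - 5.3.3-10
- fix example buffer overflow (CVE-0000-0001)
- fix example NULL dereference (CVE-0000-0002, CVE-0000-0003)
* Thu Dec 01 2011 Packager <pkg@example.invalid> - 5.3.3-9
- rebuild against new openssl'
SAMPLE_SPEC='Name: php
Patch0: php-5.3.3-CVE-0000-0001.patch
Patch1: php-5.3.3-CVE-0000-0002.patch
Source0: php-5.3.3.tar.bz2'

# Demo on the constructed data: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CHANGELOG" | cves_in_text
    printf '%s\n' "$SAMPLE_SPEC" | patches_in_spec
fi
```

On a real box, cves_in_package php | grep -x CVE-xxxx-yyyy answers the question for one CVE, and patches_in_srpm php-*.src.rpm shows what the build actually applies.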