A security vulnerability was found in Apache in April 2012 that is a PCI compliance issue: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0883
I have always kept my servers (CentOS) up to date with yum. I've been unable to find a repo with httpd-2.2.23 (currently running 2.2.22). It's been a really long time since I've built anything from source so I'm not thrilled about doing it but will if needed.
My question is, how do I go about this and NOT break the yum update process?
TD
You don't need to do anything to your server.
According to Red Hat, the versions of Apache shipped with RHEL (and by extension, CentOS) are not vulnerable to this attack.
You do need to provide this information to your PCI compliance auditor.
Don't change anything.
Red Hat (and by extension, CentOS) gets security fixes backported from newer versions, instead of upgrading to newer versions wholesale and potentially introducing compatibility problems.
In this case, there's no backport because the packaged version is not vulnerable. See here; this result from the scan is a false positive.
Raw version number matching for vulnerability checking is often inaccurate; consider changing to
ServerTokens Prod
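To make the two points in this answer concrete (a scanner that only compares the banner version against the upstream fixed version will flag a backporting distro, and hiding the version with ServerTokens Prod removes the thing it matches on), here is an added example; it is not code from the original post or from Red Hat. It assumes a banner of "Apache/2.2.22 (CentOS)" as the asker reported, treats the upstream fixed version 2.2.23 from the question as the scanner's rule, and uses two constructed rpm changelog excerpts: one with no entry for the CVE, and one with a hypothetical backport entry written purely to show what such an entry looks like (no such backport exists for this CVE, since the packaged version is not affected).

```python
import re

# Scanner rule assumed from the question: anything below the upstream fix
# version is flagged. This is exactly the logic that misfires on backports.
UPSTREAM_FIXED = {"CVE-2012-0883": "2.2.23"}

# Constructed sample banner, as a scanner would see it with ServerTokens OS/Full.
BANNER_FULL = "Apache/2.2.22 (CentOS)"
# With ServerTokens Prod, the header carries no version at all.
BANNER_PROD = "Apache"

# Constructed changelog excerpt in the format `rpm -q --changelog httpd` prints.
# No entry for the CVE: the vendor statement, not the changelog, decides.
CHANGELOG_NO_ENTRY = """\
* Mon Jan 02 2012 Package Maintainer <maintainer@example.invalid> - 2.2.22-1
- rebuild for release
"""
# Hypothetical backport entry, constructed only to show the shape of one.
CHANGELOG_BACKPORT = CHANGELOG_NO_ENTRY + """\
* Tue Apr 17 2012 Package Maintainer <maintainer@example.invalid> - 2.2.22-2
- add security fix for CVE-2012-0883 (hypothetical entry for illustration)
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)


def parse_version(text):
    """'2.2.22' -> (2, 2, 22) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def banner_version(server_header):
    """Extract the version from a Server header, or None if it carries none."""
    match = re.match(r"Apache/(\d+(?:\.\d+)+)", server_header)
    return match.group(1) if match else None


def naive_scanner_flags(server_header, cve):
    """Reproduce the scanner's version-only check."""
    version = banner_version(server_header)
    if version is None:
        return False  # nothing to compare: ServerTokens Prod hides the version
    return parse_version(version) < parse_version(UPSTREAM_FIXED[cve])


def backported_cves(changelog_text):
    """Set of CVE IDs named in an rpm changelog, normalised to upper case."""
    return {cve.upper() for cve in CVE_RE.findall(changelog_text)}


def assess(server_header, changelog_text, cve):
    """Turn a raw scanner finding into what it means on a backporting distro."""
    if not naive_scanner_flags(server_header, cve):
        return "no-version-match"       # banner hidden, or already at/above upstream fix
    if cve.upper() in backported_cves(changelog_text):
        return "backport-present"       # fix applied without a version bump: false positive
    return "check-vendor-advisory"      # no backport listed; vendor may state "not affected"


if __name__ == "__main__":
    for name, banner, log in [
        ("full banner, no entry", BANNER_FULL, CHANGELOG_NO_ENTRY),
        ("full banner, backport", BANNER_FULL, CHANGELOG_BACKPORT),
        ("ServerTokens Prod", BANNER_PROD, CHANGELOG_NO_ENTRY),
    ]:
        print(f"{name}: {assess(banner, log, 'CVE-2012-0883')}")
```

On a real host, feed it the output of rpm -q --changelog httpd and the Server header from curl -sI; the "check-vendor-advisory" result is the case the question is in, where the answer comes from the vendor's statement rather than from either the version number or the changelog.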
Back up your Apache config files, uninstall httpd, httpd-devel and any other httpd package, then you can manually download RPMs from here
and install them with yum or rpm.
Hope this helps!