False positives scanning Red Hat servers running Apache

[Clifford Collins <Collinsc () FRANKLIN EDU>]

I've recently been scanning some servers on our campus that have returned known vulnerabilities for Apache. I forwarded 
the results to our Linux systems administrator. He investigated the claims and declared them as false positives. His 
explanation was that Red Hat "backports" patches to stable versions rather than deploying the newer version because 
newer versions can introduce new features or changes that render an existing server non-functional.  He was also 
critical of the scanner for failing to detect the patches and relying on the reported version number from a web query.
 
Has anybody encountered this problem? Is there a solution or a product that can detect undeclared patches on a Red Hat 
server without actually doing a penetration test? Is there a query that will yield the patch level? Your suggestions 
and comments are welcome!
 
Clifford A. Collins
Network Security Administrator
Franklin University
201 South Grant Avenue
Columbus, Ohio 43215
"Security is a process, not a product"