Bob Boilard wrote:
Hello all,
I love CentOS, but I am seriously regretting selecting CentOS 4.4 for my production hosting servers. The current situation with CentOS 4.4 being stuck at Apache 2.0.52 is a huge problem because of the new requirements for the credit card industry PCI scan. Apache 2.0.52 does not pass PCI compliance scans, which means no ecommerce on any of these servers - MAJOR ISSUE. So my question to the community is: when are new Apache RPMs going to be released, or at minimum a backported version that plugs these security holes so we can pass PCI scans? Apache 2.0.52 has some major issues that need to be dealt with.
Care to be specific about what security holes are not patched on the latest httpd for CentOS 4.x? As others have mentioned, it sounds like a brain-dead security scanner making stupid assumptions based on a version number.
From the looks of my CentOS 4.5 systems it appears the default CentOS httpd config turns on ServerSignature. I'd be curious what the security scanner would say if you turned that option off in httpd (assuming you haven't turned it off already).
http://httpd.apache.org/docs/2.0/mod/core.html#serversignature
A few years ago my company at the time ran into something similar: the app returned an HTTP/200 even for things that were essentially 404s, so the automated security scanning service said we were vulnerable to just about every exploit under the sun, even though we were not. It was amusing at least. I don't know why the app returned HTTP/200 (it was a fairly complex Tomcat/WebLogic application), maybe just bad design, but the security scanner was just as bad, looking for an HTTP/200 to determine if the security hole was present.
nate
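As an added example (not from the thread or from nate), this Python sketch reproduces the two scanner mistakes discussed above: keying on the version number in the Server banner, which a distro that backports fixes never bumps, and treating an HTTP 200 as proof of a finding, which fails on an app that answers 200 for everything. It adds the baseline check against a random nonexistent path that separates a real 200 from a soft 404. The sample responses and the scanner's version threshold are constructed values.

```python
import re

# Constructed sample responses (not captured from any real server).
PROBE_RESP = ("HTTP/1.1 200 OK\r\nServer: Apache/2.0.52 (CentOS)\r\n"
              "Content-Type: text/html\r\n\r\n<html>page</html>")
RANDOM_RESP = ("HTTP/1.1 200 OK\r\nServer: Apache/2.0.52 (CentOS)\r\n"
               "Content-Type: text/html\r\n\r\n<html>page</html>")
NOTFOUND_RESP = ("HTTP/1.1 404 Not Found\r\nServer: Apache\r\n"
                 "Content-Type: text/html\r\n\r\n<html>not found</html>")

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def server_version(headers):
    """Version string from the Server header, or None when ServerTokens hides it."""
    m = re.match(r"Apache/(\d+\.\d+\.\d+)", headers.get("server", ""))
    return m.group(1) if m else None

def banner_finding(headers, scanner_minimum="2.0.59"):
    """Banner-only check: 'flag' when the advertised version is below the
    scanner's threshold (a constructed value here). A distro that backports
    fixes keeps the old version string, so a patched httpd is still flagged."""
    v = server_version(headers)
    if v is None:
        return "unknown"
    as_tuple = lambda s: tuple(int(p) for p in s.split("."))
    return "flag" if as_tuple(v) < as_tuple(scanner_minimum) else "ok"

def verified_finding(probe_status, random_path_status):
    """Trust a 200 on the probe URL only if a random nonexistent path does not
    also answer 200 (the soft-404 behaviour described in the thread)."""
    if probe_status != 200:
        return "not present"
    if random_path_status == 200:
        return "unverified (soft 404)"
    return "present"

if __name__ == "__main__":
    status, headers, _ = parse_response(PROBE_RESP)
    print("banner check:", banner_finding(headers))
    print("with baseline:", verified_finding(status, parse_response(RANDOM_RESP)[0]))
    print("hidden banner:", banner_finding(parse_response(NOTFOUND_RESP)[1]))
```

With ServerTokens set to hide the version, the banner check degrades to "unknown" rather than a false "flag", which is the change nate suggests trying before arguing with the scanner vendor.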