Re: [CentOS] security compliance vs. old software versions

29 Jun 2010

      On Tue, Jun 29, 2010, Brian Mathis wrote:
...
On Tue, Jun 29, 2010 at 5:11 PM, Les Mikesell lesmikesell@gmail.com wrote:
...
What's the correct response to a security scan that points out that
apache versions below 2.2.14 have multiple known vulnerabilities?  Is
there an official document about what known vulnerabilities have been
fixed in the RHEL/CentOS updates or do you have to wade through the
changelog to try to find each thing?
--
  Les Mikesell
   lesmikesell@gmail.com
Have them read this:
http://www.redhat.com/security/updates/backporting/?sc_cid=3093
If you're dealing with an auditor, that should be all they need as at
least they can write down that you've made a conscious decision based
on that information.
That's assuming the auditor can read, which seems doubtful
considering what I've found with Securityfocus and similar PCI
testing outfits.
Bill
-- 
INTERNET:   bill@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186  Skype: jwccsllc (206) 855-5792

Financial panics, if left alone, rarely cause much damage to the real
economy, output, employment or production. Asset values fall sharply and
wipe out those who borrowed and lent too much, thereby redistributing
wealth from the foolish to the prudent.  -- Arthur Laffer

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Re: [CentOS] security compliance vs. old software versions