Johnny Hughes wrote:
Bob Boilard wrote:
Hello all,
I love CentOS, but I am seriously regretting selecting Centos 4.4 for my production hosting servers. The current situation with CentOS 4.4 and being stuck at Apache 2.0.52 is a huge problem because of the new requirements for the Credit Card industry PCI scan. Apache 2.0.52 does not pass PCI compliance scans. which means no ecommerce on any of these servers - MAJOR ISSUE. So my question to the community is: when are new Apache RPM's going to be released or at minimum a backported version that plugs these security holes so we can pass PCI scans. Apache 2.0.52 has some major issues that need to be dealt with?
I am almost positive that this issue is one of the scan software using version numbers and not understanding that RHEL backports fixes.
It is probably just looking at version numbers and not vulnerabilities.
I can not imagine a REAL scanner that will not pass RHEL-4 in it's scans.
There are not any unpatched holes on the latest httpd in centos as all security issues are backported.
I know that there are millions of ISPs using CentOS-4 for e-commerce everyday.
Help us out here. I know I am not the only one in this situation. every hosting company that uses Ensim Pro X is just where I am. Any insight or better yet a solution to this would be great.
I would suggest that you ask the scanning agency to specify why they do not understand the RHEL backports ... unless there are REALLY unpatched issues.
I do want to point out that you need to be running the latest httpd and php and mysql (or other things) from CentOS-4.6 and not CentOS-4.4 ... and I do not run any Ensim software, so I am not sure what it does to the system files ... here are the latest versions that are released:
httpd 2.0.52-38.ent.centos4 mysql 4.1.20-3.RHEL4.1.el4_6 php 4.3.9-3.22.9
If you have versions that are older than that, there are probably security issues. If you have those, then I think the scanner is incorrect ... please verify that you have that (or better) on your centos-4 install.