Tony Placilla aplacilla@jhu.edu Sr. UNIX Systems Administrator The Sheridan Libraries Johns Hopkins University
On Wed, Feb 13, 2008 at 10:01 AM, in message
E2BB8074E5500C42984D980D4BD78EF901FAFEF4@MFG-NYC-EXCH2.mfg.prv, "Ross S. W. Walker" rwalker@medallion.com wrote:
Johnny Hughes wrote:
Bob Boilard wrote:
Hello all,
I love CentOS, but I am seriously regretting selecting CentOS 4.4 for my production hosting servers. The current situation with CentOS 4.4 and being stuck at Apache 2.0.52 is a huge problem because of the new requirements for the Credit Card industry PCI scan. Apache 2.0.52 does not pass PCI compliance scans, which means no ecommerce on any of these servers - MAJOR ISSUE. So my question to the community is: when are new Apache RPMs going to be released, or at minimum a backported version that plugs these security holes so we can pass PCI scans? Apache 2.0.52 has some major issues that need to be dealt with.
I am almost positive that this issue is one of the scan software using version numbers and not understanding that RHEL backports fixes.
It is a big fear of mine that this may become more and more of an issue when government agencies start setting stricter and stricter software compliance guidelines.
The agencies don't know what security backports vendor XYZ has implemented and frankly they don't care. All they have is a list of minimum version numbers that software must be at in order for it to be deemed "compliant".
I think we will start seeing this in the PCI and HIPAA compliance regulations first, but I wouldn't be surprised if it leaks out into GLBA and other regulations over time.
I think it will be these compliance issues that may force upstream to change their strategy otherwise I can see this being a roadblock to RHEL/CentOS adoption in these industries in the future.
-Ross
In a previous life I did PCI compliance for the company I worked for & I ran into this quite often. The scanners would only report on versions & we'd get "out of compliance" which caused no end of hand-wringing from the higher-ups.
However, the certifying parties we used had an appeals process & I could almost always boilerplate the output of
rpm -q --changelog httpd | grep -i cve
and send them proof of the backported fixes. They would then remove the "compliance failure".
Obviously IANAL & things could change with PCI certification vendors & such, but this might be worth investigating.
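The changelog check Tony describes, worked through as an added example that is not part of the original thread: a POSIX sh script that pulls the CVE IDs out of an RPM changelog and, given the CVE IDs a version-based scanner flagged, reports which ones have a documented backported fix and which do not. The sample changelog is constructed here to stand in for the output of rpm -q --changelog httpd; the CVE IDs in it are real Apache httpd advisories, but the entries themselves are illustrative and are not the actual Red Hat or CentOS changelog. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original thread: check scanner-flagged CVE IDs
# against an RPM package changelog to document backported fixes when the version
# string alone (here Apache 2.0.52) makes a scanner report a false positive.

# Constructed stand-in for the output of `rpm -q --changelog httpd`. The CVE IDs
# are real Apache httpd advisories, but these entries are illustrative and are
# not Red Hat's or CentOS's actual changelog.
SAMPLE_CHANGELOG='* Tue Jan 15 2008 Example Packager <packager@example.com> - 2.0.52-38
- add security fix for CVE-2007-6388 (mod_status cross-site scripting)
- add security fix for CVE-2007-5000 (mod_imagemap cross-site scripting)

* Mon Jul 09 2007 Example Packager <packager@example.com> - 2.0.52-32
- add security fix for CVE-2006-5752 (mod_status cross-site scripting)
'

# Print the unique CVE IDs mentioned in changelog text read from stdin, one per
# line, normalised to upper case and sorted. Feed it `rpm -q --changelog PKG`.
cve_ids_in_changelog() {
    grep -oiE 'CVE-[0-9]{4}-[0-9]{4,}' | tr '[:lower:]' '[:upper:]' | sort -u
}

# cve_covered CVE-ID CHANGELOG_TEXT
# Succeeds (exit 0) when the changelog mentions exactly that CVE ID. The ID is
# anchored on non-digits on both sides so CVE-2007-500 does not match
# CVE-2007-5000, and the match is case-insensitive.
cve_covered() {
    cve=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$2" | grep -qiE -- "(^|[^0-9])$cve([^0-9]|$)"
}

# report_flagged_cves CHANGELOG_TEXT CVE-ID...
# Prints one line per flagged CVE and returns the number that the changelog
# does not mention (0 means every flagged CVE has a documented backport).
# Exit statuses wrap at 256, so keep the list per call short.
report_flagged_cves() {
    changelog=$1
    shift
    missing=0
    for cve in "$@"; do
        if cve_covered "$cve" "$changelog"; then
            printf '%s: covered, backported fix recorded in changelog\n' "$cve"
        else
            printf '%s: MISSING, no changelog entry; investigate before appealing\n' "$cve"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Offline demonstration on the constructed changelog. On a real host replace
# "$SAMPLE_CHANGELOG" with "$(rpm -q --changelog httpd)" and list the CVE IDs
# taken from the scanner report.
printf 'CVE IDs documented in the changelog:\n'
printf '%s' "$SAMPLE_CHANGELOG" | cve_ids_in_changelog
printf '\nChecking scanner-flagged CVEs:\n'
report_flagged_cves "$SAMPLE_CHANGELOG" CVE-2007-6388 CVE-2007-5000 CVE-2006-5752 CVE-2008-0005 \
    || printf '%s flagged CVE(s) have no changelog entry\n' "$?"
```

The per-CVE output, together with the raw rpm -q --changelog lines it was derived from, is the kind of evidence an appeal needs; a CVE that comes back MISSING is one to check against the vendor's errata before arguing the scanner is wrong, since a missing changelog entry may mean the package really is unpatched.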