On 11/27/2009 01:34 PM, Bob McConnell wrote:

We are trying to figure out how to handle this issue short of having to compile PHP ourselves. That would violate the agreement we have with the hosting service.

The whole PCI DSS issue is fairly important to many people at the moment, and wht does not help is the general brain-dead'ness shown by many of the so-called-experts doing the scans / checks.

Having said that, I *do* realise its a big deal and (a) we as a group of people should be able to address is, since its something that impacts so many and (b) most likely have the resources to do whatever is needed for (a). So if you want to extend your 'we' to be 'we, the centos community' - you have my attention and I know almost everyone else around here as well.

How about putting some ideas together on what needs to be done as a whole, on the wiki - even if one idea might be to better educate the people running these scans. Maybe even go one step further: setup the wiki page, bring some people together who have $clue >0 and have a bit of time, a few hours per week is plenty. And lets start thrashing out the possible solution paths for the hundreds of people in the 'problem area'.

I'd be happy to work with such a group of people. And I've read the PCI spec requirements.

Disclaimer: I dont have any use for or the requirement to meet any pci standards, but I am slightly concerned that too many people are trying too hard to work on this in silo's where its clear that having a central resource pool would be both a clear win and a massive saving on individual resources.

On Fri, 2009-11-27 at 08:34 -0500, Bob McConnell wrote:

Michael Kress wrote:

...

Craig White wrote:

...

and if enough people actually convinced the developers that 5.2.9-2.el5.centos were feasible, then they would probably move it into the 'Extras' repository.

... here's one trying to 'convince'! ;-) I'm using that package from c5-testing since a month or so and I encountered no problems. Regards Michael

I'll go one further. We run commercial web sites on CentOS 5.3 which must also be PCI compliant. Because of the security issues, the auditors have been complaining for two months that we don't have PHP 5.2.11 installed yet, putting our PCI certification in jeopardy. When 5.2.12 is released, probably next month, we will have 30 days to get it installed.

We are trying to figure out how to handle this issue short of having to compile PHP ourselves. That would violate the agreement we have with the hosting service.

Bob - there are many of us that are in that situation, but it's actually quite an easy requirement to satisfy.

Let's start with Upstream...

Because Upstream certifies/qualifies their fixes against known vulnerabilities, you shouldn't get dinged on version number checking as long as you're using up to date backported fix packages from Upstream.

Now... As long as CentOS has the same backported fixes to respond to the same CVE vulnerabilities, you should be okay. Just tell your auditors to research "backports".

Check out the first 2 paragraphs of: http://twiki.cpanel.net/twiki/bin/view/AllDocumentation/PCIComplianceInfo/Sc...

Also, search the mailing list archives... you'll find more information. For proof of CVE fixes, do a:

rpm -q --changelog php |grep -i cve

As long as you've resolved outstanding known vulnerabilities, you should be able to get exceptions/exemption granted for version numbers.

Of course, IANAL, and this does not constitute legal advise, but it's a path that you can pursue for a speedier resolution of this issue rather than go through the pain of finding php 5.2.10 rpms and qualifying them yourself.

Remember - If it weren't for fixes from Upstream/CentOS, neither Upstream nor CentOS would be able to be tested for compliancy without MAJOR source-code hoops, which would defeat the purpose of using these OSes in eCommerce in the first place! ;)

-I