[CentOS] Apache RPM's

Tony Placilla aplacil1 at jhuadig.admin.jhu.edu
Wed Feb 13 16:41:15 UTC 2008
Tony Placilla <aplacilla at jhu.edu>
Sr. UNIX Systems Administrator
The Sheridan Libraries
Johns Hopkins University
>>> On Wed, Feb 13, 2008 at 10:01 AM, in message
<E2BB8074E5500C42984D980D4BD78EF901FAFEF4 at MFG-NYC-EXCH2.mfg.prv>, "Ross S. W.
Walker" <rwalker at medallion.com> wrote: 
> Johnny Hughes wrote:
>> 
>> Bob Boilard wrote:
>> > Hello all,
>> >
>> > I love CentOS, but I am seriously regretting selecting CentOS 4.4 for my
>> > production hosting servers. The current situation with CentOS 4.4 and being
>> > stuck at Apache 2.0.52 is a huge problem because of the new requirements for
>> > the Credit Card industry PCI scan. Apache 2.0.52 does not pass PCI
>> > compliance scans, which means no ecommerce on any of these servers - MAJOR
>> > ISSUE. So my question to the community is: when are new Apache RPM's going
>> > to be released, or at minimum a backported version that plugs these security
>> > holes so we can pass PCI scans? Apache 2.0.52 has some major issues that
>> > need to be dealt with.
>> >
>> 
>> I am almost positive that this issue is one of the scan software using
>> version numbers and not understanding that RHEL backports fixes.
> 
> It is a big fear of mine that this may become more and more
> of an issue when government agencies start setting stricter
> and stricter software compliance guidelines.
> 
> The agencies don't know what security backports vendor XYZ
> has implemented and frankly they don't care. All they have
> is a list of minimum version numbers that software must be
> at in order for it to be deemed "compliant".
> 
> I think we will start seeing this in the PCI and HIPAA
> compliance regulations first, but I wouldn't be surprised
> if it leaks out into GLBA and other regulations over time.
> 
> I think it will be these compliance issues that may force
> upstream to change their strategy otherwise I can see this
> being a roadblock to RHEL/CentOS adoption in these
> industries in the future.
> 
> -Ross
> 

In a previous life I did PCI compliance for the company I worked for & I ran into this quite often. The scanners would only report on versions & we'd get "out of compliance" which caused no end of hand-wringing from the higher-ups.

However, the certifying parties we used had an appeals process & I could almost always boilerplate the output of 
rpm -q --changelog httpd |grep -i cve

and send them proof of the backported fixes. They would then remove the "compliance failure".

Obviously IANAL & things could change with PCI certification vendors & such, but this might be worth investigating.
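The changelog grep above is the whole trick: a scanner reports a CVE against a version string, and the RPM changelog shows whether the vendor backported that CVE's fix into that same version. The script below, an added example that is not part of the mail or of any CentOS tooling, turns that into a check you can run against a list of scanner-reported CVE ids. `SAMPLE_CHANGELOG` is a constructed stand-in for `rpm -q --changelog` output with placeholder CVE ids, so the offline demonstration does not depend on an installed httpd; `check_package` runs the same comparison against a real installed package.

```shell
#!/bin/sh
# Added example, not from the original mail: compare the CVE ids a scanner
# flags against the CVE ids named in a package's RPM changelog, which is what
# "rpm -q --changelog httpd | grep -i cve" as appeal evidence boils down to.
# SAMPLE_CHANGELOG and the CVE ids in it are constructed placeholders for an
# offline run, not real httpd changelog entries.

SAMPLE_CHANGELOG='* Mon Jan 01 2007 Example Packager <packager@example.invalid> - 2.0.52-28
- add security fix for CVE-2000-0000, cve-2000-0001 (backported)
* Mon Jan 01 2006 Example Packager <packager@example.invalid> - 2.0.52-22
- rebuild with updated apr'

# cve_ids: read text on stdin, print every CVE id found, upper-cased, one per
# line, without duplicates. Case-folding matters because changelog entries
# are free text and "cve-" in lower case does occur.
cve_ids() {
    tr '[:lower:]' '[:upper:]' | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# missing_cves CHANGELOG_TEXT CVE...: print each requested CVE id that the
# changelog does not mention. Exit status 0 if all were found, 1 otherwise.
missing_cves() {
    known=$(printf '%s\n' "$1" | cve_ids)
    shift
    rc=0
    for want in "$@"; do
        want=$(printf '%s' "$want" | tr '[:lower:]' '[:upper:]')
        if ! printf '%s\n' "$known" | grep -qx "$want"; then
            echo "$want"
            rc=1
        fi
    done
    return $rc
}

# check_package PKG CVE...: the same check against the installed package's
# real changelog, i.e. the evidence you would attach to a scanner appeal.
# Exit status 2 if the package is not installed.
check_package() {
    pkg=$1
    shift
    log=$(rpm -q --changelog "$pkg") || return 2
    if missing=$(missing_cves "$log" "$@"); then
        echo "$pkg: all requested CVE ids appear in the changelog"
    else
        echo "$pkg: not mentioned in the changelog:"
        printf '  %s\n' $missing
        return 1
    fi
}

# Offline demonstration on the constructed sample: the first two ids are
# mentioned (one in lower case), the third is not and is printed.
if missing_cves "$SAMPLE_CHANGELOG" CVE-2000-0000 cve-2000-0001 CVE-2000-9999; then
    echo "all requested ids are covered by the sample changelog"
else
    echo "(the id(s) above are not covered by the sample changelog)"
fi
```

Two caveats when using this for an appeal. A CVE id missing from the changelog does not prove the package is vulnerable (some entries reference only a vendor bug number, and the fix may predate the CVE assignment), so a miss is a prompt to read the changelog and the vendor's errata, not a verdict. Conversely, a hit shows the vendor shipped a backport for that id in the installed package version, which is exactly the fact a version-matching scanner cannot see; it says nothing about whether the running daemon was restarted after the update.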