[CentOS] Re: Apache RPM's

Scott Silva ssilva at sgvwater.com
Wed Feb 13 16:50:21 UTC 2008


on 2/13/2008 7:44 AM nate spake the following:
> Ross S. W. Walker wrote:
> 
>> The agencies don't know what security backports vendor XYZ
>> has implemented and frankly they don't care. All they have
>> is a list of minimum version numbers that software must be
>> at in order for it to be deemed "compliant".
> 
> So check the actual version number of the package. Using a remote
> network software scanner to detect security problems based on
> banner strings provided by the network software is nothing
> more than a false sense of security.
> 
>> I think we will start seeing this in the PCI and HIPAA
>> compliance regulations first, but I wouldn't be surprised
>> if it leaks out into GLBA and other regulations over time.
> 
> The scanning vendors will be forced to fix their products. It's
> perfectly acceptable, and preferred behavior to backport patches.
> Just look at the recent Samba thread here for a good reason
> why backporting is good. I'd be mightily pissed if RHEL or
> CentOS switched a version out from under me which caused breakage.
> I honestly cannot believe that RHEL did that for Samba. If
> anything introduce a new ALTERNATE package that has the
> incompatible changes in it and allow users to choose between
> that one and the original for their systems. That's just me though.
> Fortunately I don't really use Samba.
Wasn't the Samba issue something that was fairly critical, but just couldn't 
be backported?


-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
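An added worked example of the distinction nate draws above between a banner-driven check and a package-version check. It is not part of this thread and not any CentOS or Red Hat tool; it reimplements rpm's version ordering (the rpmvercmp rules, without the newer '^' separator) in Python. The Server header, the scanner's minimum version, the installed NEVRs and the "fixed" NEVR are all constructed sample values, not taken from any real advisory or scan.

```python
import re


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm's rpmvercmp does.

    Returns -1, 0 or 1. Strings are walked as alternating numeric and alpha
    segments; separators are skipped, numeric segments compare as integers,
    alpha segments compare as strings, a numeric segment beats an alpha one,
    and '~' marks a pre-release that sorts before everything (1.0~rc1 < 1.0).
    The '^' separator of newer rpm is deliberately omitted.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # skip separators: anything that is neither alphanumeric nor '~'
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":          # tilde sorts before everything
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i += 1
            j += 1
            continue
        if not (ca and cb):
            break
        ii, jj = i, j
        if ca.isdigit():
            while ii < len(a) and a[ii].isdigit():
                ii += 1
            while jj < len(b) and b[jj].isdigit():
                jj += 1
            isnum = True
        else:
            while ii < len(a) and a[ii].isalpha():
                ii += 1
            while jj < len(b) and b[jj].isalpha():
                jj += 1
            isnum = False
        seg_a, seg_b = a[i:ii], b[j:jj]
        if not seg_b:                        # segment types differ: numeric wins
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):     # longer digit string is larger
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return -1 if seg_a < seg_b else 1
        i, j = ii, jj
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1         # whoever has characters left wins


def parse_nevr(nevr: str):
    """Split 'name-[epoch:]version-release' (the form rpm -q prints) into
    (name, epoch, version, release); a missing epoch is 0, as in rpm."""
    name, version, release = nevr.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release


def evr_cmp(installed: str, candidate: str) -> int:
    """Order two NEVRs of the same package: epoch, then version, then release."""
    n1, e1, v1, r1 = parse_nevr(installed)
    n2, e2, v2, r2 = parse_nevr(candidate)
    if n1 != n2:
        raise ValueError(f"different packages: {n1} vs {n2}")
    if e1 != e2:
        return -1 if e1 < e2 else 1
    rc = rpmvercmp(v1, v2)
    return rc if rc else rpmvercmp(r1, r2)


BANNER_RE = re.compile(r"Apache/(\d+(?:\.\d+)*)")


def banner_flags_host(server_header: str, minimum_upstream: str) -> bool:
    """What a banner-driven scanner does: read the Server: header and flag the
    host when the advertised upstream version is below its threshold."""
    m = BANNER_RE.search(server_header)
    if not m:
        return True                          # no parseable banner: cannot clear the host
    return rpmvercmp(m.group(1), minimum_upstream) < 0


def package_is_unpatched(installed_nevr: str, fixed_nevr: str) -> bool:
    """What an on-host check should do: compare the installed NEVR with the
    NEVR the vendor erratum names as carrying the backported fix."""
    return evr_cmp(installed_nevr, fixed_nevr) < 0


if __name__ == "__main__":
    # Constructed sample data; none of these values come from a real advisory.
    server_header = "Server: Apache/2.2.3 (CentOS)"
    scanner_minimum = "2.2.8"                # hypothetical scanner threshold
    fixed = "httpd-2.2.3-11.el5_1.centos.3"  # hypothetical vendor fix NEVR
    for installed in ("httpd-2.2.3-6.el5", "httpd-2.2.3-11.el5_1.centos.3"):
        print(installed,
              "| banner:", "FLAG" if banner_flags_host(server_header, scanner_minimum) else "ok",
              "| package:", "UNPATCHED" if package_is_unpatched(installed, fixed) else "ok")
```

Both hosts advertise the same banner, so the banner check flags both; only the package comparison separates the one that is genuinely behind from the one that already carries the backported fix. On a real host the installed NEVR comes from `rpm -q httpd`, and `rpm -q --changelog httpd` lists the backported fixes, which is what an auditor should be matching against the vendor erratum rather than the string in the Server header.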
