[CentOS] Apache RPM's

Wed Feb 13 05:56:29 UTC 2008
Johnny Hughes <johnny at centos.org>

Johnny Hughes wrote:
> Bob Boilard wrote:
>> Hello all,
>>  
>> I love CentOS, but I am seriously regretting selecting CentOS 4.4 for my
>> production hosting servers. The current situation with CentOS 4.4 being
>> stuck at Apache 2.0.52 is a huge problem because of the new requirements
>> for the Credit Card industry PCI scan. Apache 2.0.52 does not pass PCI
>> compliance scans, which means no ecommerce on any of these servers -
>> MAJOR ISSUE. So my question to the community is: when are new Apache
>> RPMs going to be released, or at minimum a backported version that plugs
>> these security holes so we can pass PCI scans? Apache 2.0.52 has some
>> major issues that need to be dealt with.
>>
> 
> I am almost positive that this issue is one of the scan software using 
> version numbers and not understanding that RHEL backports fixes.
> 
> It is probably just looking at version numbers and not vulnerabilities.
> 
> I cannot imagine a REAL scanner that will not pass RHEL-4 in its scans.
> 
> There are not any unpatched holes on the latest httpd in centos as all 
> security issues are backported.
> 
> I know that there are millions of ISPs using CentOS-4 for e-commerce 
> every day.
> 
>> Help us out here. I know I am not the only one in this situation. Every
>> hosting company that uses Ensim Pro X is just where I am.
>> Any insight, or better yet a solution to this, would be great.
> 
> I would suggest that you ask the scanning agency to specify why they do 
> not understand the RHEL backports ... unless there are REALLY unpatched 
> issues.

I do want to point out that you need to be running the latest httpd and 
php and mysql (or other things) from CentOS-4.6 and not CentOS-4.4 ... 
and I do not run any Ensim software, so I am not sure what it does to 
the system files ... here are the latest versions that are released:

httpd                  2.0.52-38.ent.centos4
mysql                  4.1.20-3.RHEL4.1.el4_6
php                    4.3.9-3.22.9

If you have versions that are older than that, there are probably 
security issues.  If you have those, then I think the scanner is 
incorrect ... please verify that you have that (or better) on your 
CentOS-4 install.

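The point of the thread is that a scanner keyed on the upstream version (2.0.52) cannot tell a vulnerable build from one with backported fixes; the check that matters is the RPM version-release. Below is an added example, not code from the list post, that compares installed `name version-release` pairs against the minimums Johnny lists, using a simplified reimplementation of rpm's version comparison (no tilde/caret handling). The sample `rpm -q` output is constructed, and the older httpd release in it is an invented value.

```python
import re

# Minimum version-release pairs quoted in the post (CentOS-4.6 updates).
MINIMUM_RELEASES = {
    "httpd": "2.0.52-38.ent.centos4",
    "mysql": "4.1.20-3.RHEL4.1.el4_6",
    "php": "4.3.9-3.22.9",
}

# Constructed sample of: rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' httpd mysql php
# The httpd release "28.ent.centos4" is an invented stand-in for an un-updated 4.4 box.
SAMPLE_RPM_Q = """httpd 2.0.52-28.ent.centos4
mysql 4.1.20-3.RHEL4.1.el4_6
php 4.3.9-3.22.9
"""

def _segments(s):
    # rpmvercmp-style tokenising: alternating runs of digits and letters, separators dropped
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpm_vercmp(a, b):
    """Return -1/0/1 comparing two version or release strings like rpmvercmp (simplified)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment sorts newer than an alpha one
        elif x != y:
            return (x > y) - (x < y)
    # Whichever string still has segments left is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release breaks ties."""
    va, _, ra = a.rpartition("-")
    vb, _, rb = b.rpartition("-")
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)

def check_installed(rpm_q_output):
    """Map each package in MINIMUM_RELEASES to 'ok', 'outdated' or 'missing'."""
    installed = dict(line.split(None, 1) for line in rpm_q_output.strip().splitlines())
    verdict = {}
    for name, minimum in MINIMUM_RELEASES.items():
        vr = installed.get(name)
        verdict[name] = "missing" if vr is None else ("ok" if evr_cmp(vr, minimum) >= 0 else "outdated")
    return verdict
```

On the box itself, `rpm -q --changelog httpd | grep CVE` lists the backported fixes a version-only scanner does not see.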