Ross S. W. Walker wrote:
> Johnny Hughes wrote:
>> Bob Boilard wrote:
>>> Hello all,
>>>
>>> I love CentOS, but I am seriously regretting selecting Centos 4.4 for my
>>> production hosting servers. The current situation with CentOS 4.4 and being
>>> stuck at Apache 2.0.52 is a huge problem because of the new requirements for
>>> the Credit Card industry PCI scan. Apache 2.0.52 does not pass PCI
>>> compliance scans, which means no ecommerce on any of these servers - MAJOR
>>> ISSUE. So my question to the community is: when are new Apache RPMs going
>>> to be released or at minimum a backported version that plugs these security
>>> holes so we can pass PCI scans. Apache 2.0.52 has some major issues that
>>> need to be dealt with?
>>>
>> I am almost positive that this issue is one of the scan software using
>> version numbers and not understanding that RHEL backports fixes.
>
> It is a big fear of mine that this may become more and more
> of an issue when government agencies start setting stricter
> and stricter software compliance guidelines.
>
> The agencies don't know what security backports vendor XYZ
> has implemented and frankly they don't care. All they have
> is a list of minimum version numbers that software must be
> at in order for it to be deemed "compliant".
>
> I think we will start seeing this in the PCI and HIPAA
> compliance regulations first, but I wouldn't be surprised
> if it leaks out into GLBA and other regulations over time.
>
> I think it will be these compliance issues that may force
> upstream to change their strategy otherwise I can see this
> being a roadblock to RHEL/CentOS adoption in these
> industries in the future.
>
> -Ross

OR force the scanner people to support backports. There are already Nessus templates that support CentOS/RHEL scanning for PCI compliance.
Being that RHEL is 85% (ish) of the paid enterprise server market and EAL certified and running on many government sites already, I would imagine that the scanners will be the things to change. I could be wrong ... that HAS happened before :-) ... but that is my take.
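The false positive discussed in this thread (a scanner that judges only by the advertised Apache version and never sees that the distribution package carries the fix as a backport), as an added Python example that is not part of the thread; the changelog text, the CVE id and the "fixed in" version below are constructed placeholders, not real advisory data.

```python
"""Naive banner-version check beside a backport-aware check.

Constructed example: a version-only scanner compares the Server header's
"Apache/2.0.52" against a "fixed in" version and flags the host, even when
the RHEL/CentOS httpd package already carries the fix as a backport. The
backport-aware variant also consults the package changelog (the text that
`rpm -q --changelog httpd` prints) for the advisory identifier.
"""
import re

# Constructed rpm changelog excerpt; the CVE id is a placeholder, not a real one.
CHANGELOG = """\
* Tue Jan 01 2008 Example Maintainer <maint@example.invalid> - 2.0.52-38.ent
- add security fix for CVE-0000-0001 (placeholder id)
* Mon Jun 01 2007 Example Maintainer <maint@example.invalid> - 2.0.52-32.ent
- rebuild
"""


def parse_version(s):
    """'2.0.52' -> (2, 0, 52) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.split("."))


def banner_version(server_header):
    """Extract the version from a Server header such as 'Apache/2.0.52 (CentOS)'."""
    m = re.search(r"Apache/(\d+(?:\.\d+)+)", server_header)
    return m.group(1) if m else None


def naive_scan(server_header, fixed_in):
    """What a version-only scanner does: banner older than fixed_in => 'vulnerable'."""
    v = banner_version(server_header)
    return v is not None and parse_version(v) < parse_version(fixed_in)


def backport_aware_scan(server_header, fixed_in, changelog, cve_id):
    """Flag only when the banner is old AND the package changelog lacks the fix."""
    if not naive_scan(server_header, fixed_in):
        return False
    return cve_id not in changelog


if __name__ == "__main__":
    header = "Apache/2.0.52 (CentOS)"
    # constructed threshold: pretend the fix first shipped upstream in 2.0.59
    print("naive scanner flags host:", naive_scan(header, "2.0.59"))
    print("backport-aware scanner flags host:",
          backport_aware_scan(header, "2.0.59", CHANGELOG, "CVE-0000-0001"))
```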