Tony Placilla <aplacilla at jhu.edu>
Sr. UNIX Systems Administrator
The Sheridan Libraries
Johns Hopkins University

>>> On Wed, Feb 13, 2008 at 10:01 AM, in message <E2BB8074E5500C42984D980D4BD78EF901FAFEF4 at MFG-NYC-EXCH2.mfg.prv>, "Ross S. W. Walker" <rwalker at medallion.com> wrote:
> Johnny Hughes wrote:
>>
>> Bob Boilard wrote:
>> > Hello all,
>> >
>> > I love CentOS, but I am seriously regretting selecting CentOS 4.4 for my
>> > production hosting servers. The current situation with CentOS 4.4 and being
>> > stuck at Apache 2.0.52 is a huge problem because of the new requirements for
>> > the Credit Card industry PCI scan. Apache 2.0.52 does not pass PCI
>> > compliance scans, which means no ecommerce on any of these servers - MAJOR
>> > ISSUE. So my question to the community is: when are new Apache RPMs going
>> > to be released, or at minimum a backported version that plugs these security
>> > holes so we can pass PCI scans? Apache 2.0.52 has some major issues that
>> > need to be dealt with.
>> >
>>
>> I am almost positive that this issue is one of the scan software using
>> version numbers and not understanding that RHEL backports fixes.
>
> It is a big fear of mine that this may become more and more
> of an issue when government agencies start setting stricter
> and stricter software compliance guidelines.
>
> The agencies don't know what security backports vendor XYZ
> has implemented and frankly they don't care. All they have
> is a list of minimum version numbers that software must be
> at in order for it to be deemed "compliant".
>
> I think we will start seeing this in the PCI and HIPAA
> compliance regulations first, but I wouldn't be surprised
> if it leaks out into GLBA and other regulations over time.
>
> I think it will be these compliance issues that may force
> upstream to change their strategy, otherwise I can see this
> being a roadblock to RHEL/CentOS adoption in these
> industries in the future.
>
> -Ross
>

In a previous life I did PCI compliance for the company I worked for, and I ran into this quite often. The scanners would only report on versions, and we'd get "out of compliance", which caused no end of hand-wringing from the higher-ups.

However, the certifying parties we used had an appeals process, and I could almost always boilerplate the output of

    rpm -q --changelog httpd | grep -i cve

and send them proof of the backported fixes. They would then remove the "compliance failure".

Obviously IANAL, and things could change with PCI certification vendors and such, but this might be worth investigating.
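The changelog check Tony describes, written out as an added example that is not part of the original thread: a small POSIX shell script that pulls the CVE IDs out of rpm -q --changelog output and splits a scanner's version-based findings into "fixed by a backport" and "not mentioned in the changelog". The changelog text and the scanner list below are constructed for the example (the CVE IDs are real Apache httpd 2.0 issues, but the dates, release numbers and packager are illustrative); on a real box you would feed the live output of rpm -q --changelog httpd in place of SAMPLE_CHANGELOG, and the findings the scanner actually reported in place of SCANNER_FINDINGS.

```shell
#!/bin/sh
# Added example (not from the original thread): compare a version-matching
# scanner's CVE findings against the CVE IDs named in an RPM's changelog.

# Constructed sample modelled on the format of `rpm -q --changelog httpd` on
# RHEL/CentOS 4. Dates, release numbers and packager are illustrative; the
# CVE IDs are real httpd 2.0 issues but this is NOT a real changelog.
SAMPLE_CHANGELOG='* Fri Jan 11 2008 Example Packager <packager@example.com> 2.0.52-41.ent
- add security fix for CVE-2007-5000 (mod_imagemap XSS)
- add security fix for CVE-2007-3847 (mod_proxy)

* Mon Sep 10 2007 Example Packager <packager@example.com> 2.0.52-38.ent
- add security fix for CVE-2007-3304 (prefork/worker signal handling)
- add security fix for CVE-2006-5752 (mod_status XSS)

* Tue Aug 01 2006 Example Packager <packager@example.com> 2.0.52-28.ent
- add security fix for CVE-2006-3747 (mod_rewrite off-by-one)
'

# Constructed list of CVE IDs a scanner keying only on "Apache/2.0.52" might
# report. One of them (CVE-2007-6388) is deliberately absent from the sample
# changelog so the "still open" path is exercised.
SCANNER_FINDINGS='CVE-2007-6388
CVE-2007-5000
CVE-2007-3847
CVE-2006-3747'

# Read changelog text on stdin and print every CVE ID it names, one per
# line, upper-cased and deduplicated. Matching the ID itself (-o) rather
# than whole lines means a line that names two CVEs yields both.
changelog_cves() {
    grep -oiE 'CVE-[0-9]{4}-[0-9]{4,}' | tr 'a-z' 'A-Z' | sort -u
}

# $1 = changelog text, $2 = scanner findings (newline separated).
# Prints the findings that ARE named in the changelog, i.e. backported fixes
# the version-only scanner could not see.
covered_cves() {
    known=$(printf '%s\n' "$1" | changelog_cves)
    printf '%s\n' "$2" | sort -u | while IFS= read -r cve; do
        [ -n "$cve" ] || continue
        if printf '%s\n' "$known" | grep -qxF "$cve"; then
            printf '%s\n' "$cve"
        fi
    done
}

# Same inputs; prints the findings the changelog does NOT mention. These are
# the ones that still need a real answer (an update, a config mitigation, or
# a vendor advisory stating the version is not affected), not an appeal.
uncovered_cves() {
    known=$(printf '%s\n' "$1" | changelog_cves)
    printf '%s\n' "$2" | sort -u | while IFS= read -r cve; do
        [ -n "$cve" ] || continue
        if ! printf '%s\n' "$known" | grep -qxF "$cve"; then
            printf '%s\n' "$cve"
        fi
    done
}

# Human-readable summary suitable for pasting into an appeal.
report() {
    echo "Scanner findings fixed by vendor backport (see rpm changelog):"
    covered_cves "$1" "$2" | sed 's/^/  fixed: /'
    echo "Scanner findings NOT found in the changelog (investigate):"
    uncovered_cves "$1" "$2" | sed 's/^/  open:  /'
}

report "$SAMPLE_CHANGELOG" "$SCANNER_FINDINGS"
```

When you send the "fixed" list to the assessor, pair each CVE with the changelog entry that names it (rpm -q --changelog httpd | grep -i CVE-2007-5000 gives the exact line) so the reviewer can see the fix was shipped in the installed release, not just that the package is being patched in general. Anything that lands in the "open" list is a genuine gap from the scanner's point of view and should not go into the appeal until you have an update or a vendor statement for it.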