on 2/13/2008 7:44 AM nate spake the following:
> Ross S. W. Walker wrote:
>
>> The agencies don't know what security backports vendor XYZ
>> has implemented and frankly they don't care. All they have
>> is a list of minimum version numbers that software must be
>> at in order for it to be deemed "compliant".
>
> So check the actual version number of the package. Using a remote
> network software scanner to detect security problems based on
> banner strings provided by the network software is nothing
> more than a false sense of security.
>
>> I think we will start seeing this in the PCI and HIPAA
>> compliance regulations first, but I wouldn't be surprised
>> if it leaks out into GLBA and other regulations over time.
>
> The scanning vendors will be forced to fix their products. It's
> perfectly acceptable, and preferred behavior to backport patches.
> Just look at the recent Samba thread here for a good reason
> why backporting is good. I'd be mightily pissed if RHEL or
> CentOS switched a version out from under me which caused breakage.
> I honestly cannot believe that RHEL did that for Samba. If
> anything introduce a new ALTERNATE package that has the
> incompatible changes in it and allow users to choose between
> that one and the original for their systems. That's just me though.
> Fortunately I don't really use Samba.

Wasn't the samba issue something that was fairly critical, but just couldn't be backported?

-- 
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!
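An added illustration of the point nate makes about banner-string scanners (this is not code from the thread or from any scanner vendor): a naive scanner parses the version out of a service banner and flags anything below the upstream release that carries the fix, but a distribution that backports the fix leaves the upstream version string alone, so the banner check produces a false positive while the package changelog (the output of `rpm -q --changelog <package>` on RHEL/CentOS) is where the fix is actually recorded. The banner, the changelog excerpt, the "fixed in" version and the advisory identifier CVE-0000-0000 below are all constructed placeholders for illustration, not real data.

```python
"""
Banner-based version checks versus package changelog checks.

All data here is constructed for illustration. CVE-0000-0000 is a
placeholder identifier, not a real advisory, and the version numbers
are invented.
"""
import re

# Constructed banner: upstream version string unchanged by a backport.
BANNER = "SSH-2.0-OpenSSH_4.3"

# Constructed excerpt in the style of `rpm -q --changelog <package>`.
CHANGELOG = """\
* Mon Feb 11 2008 Example Maintainer <maint@example.com> - 4.3p2-26
- backport fix for CVE-0000-0000 (placeholder identifier)
* Tue Jan 08 2008 Example Maintainer <maint@example.com> - 4.3p2-25
- rebuild
"""

# Constructed "scanner knowledge": first upstream release with the fix.
UPSTREAM_FIXED = (4, 7)


def parse_banner_version(banner):
    """Extract (major, minor) from an OpenSSH-style banner string."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("unrecognised banner: %r" % banner)
    return int(m.group(1)), int(m.group(2))


def banner_says_vulnerable(banner, fixed=UPSTREAM_FIXED):
    """Naive scanner logic: banner version below the upstream fix => flag."""
    return parse_banner_version(banner) < fixed


def changelog_has_fix(changelog, fix_id):
    """Look for the advisory identifier in the package changelog."""
    return any(fix_id in line for line in changelog.splitlines())


def assess(banner, changelog, fix_id, fixed=UPSTREAM_FIXED):
    """Reconcile the banner view with what the package actually records."""
    by_banner = banner_says_vulnerable(banner, fixed)
    by_changelog = changelog_has_fix(changelog, fix_id)
    if by_banner and by_changelog:
        return "false positive: fix backported, banner version unchanged"
    if by_banner:
        return "vulnerable: no backport recorded in changelog"
    return "not affected by banner version"


if __name__ == "__main__":
    print(assess(BANNER, CHANGELOG, "CVE-0000-0000"))
```

The scanner's verdict comes purely from the banner, so the same host is "vulnerable" before and after the backported update; only the changelog (or the package's own version-release string) distinguishes the two states.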