[CentOS] PHP updates

Fri Nov 27 20:38:50 UTC 2009
Ian Forde <ianforde at gmail.com>

On Fri, 2009-11-27 at 08:34 -0500, Bob McConnell wrote:
> Michael Kress wrote:
> > Craig White wrote:
> >> and if enough people actually convinced the developers that
> >> 5.2.9-2.el5.centos were feasible, then they would probably move it into
> >> the 'Extras' repository.
> > 
> > ... here's one trying to 'convince'! ;-)
> > I'm using that package from c5-testing since a month or so and I
> > encountered no problems.
> > Regards
> > Michael
> 
> I'll go one further. We run commercial web sites on CentOS 5.3 which 
> must also be PCI compliant. Because of the security issues, the auditors 
> have been complaining for two months that we don't have PHP 5.2.11 
> installed yet, putting our PCI certification in jeopardy. When 5.2.12 is 
> released, probably next month, we will have 30 days to get it installed.
> 
> We are trying to figure out how to handle this issue short of having to 
> compile PHP ourselves. That would violate the agreement we have with the 
> hosting service.

Bob - there are many of us that are in that situation, but it's actually
quite an easy requirement to satisfy.

Let's start with Upstream...

Because Upstream certifies/qualifies their fixes against known
vulnerabilities, you shouldn't get dinged on version number checking as
long as you're using up to date backported fix packages from Upstream.

Now... As long as CentOS has the same backported fixes to respond to the
same CVE vulnerabilities, you should be okay.  Just tell your auditors
to research "backports".

Check out the first 2 paragraphs of:
http://twiki.cpanel.net/twiki/bin/view/AllDocumentation/PCIComplianceInfo/ScanningSoftware

Also, search the mailing list archives... you'll find more information.
For proof of CVE fixes, do a:

rpm -q --changelog php |grep -i cve

As long as you've resolved outstanding known vulnerabilities, you should
be able to get exceptions/exemption granted for version numbers.

Of course, IANAL, and this does not constitute legal advice, but it's a
path that you can pursue for a speedier resolution of this issue rather
than go through the pain of finding php 5.2.10 rpms and qualifying them
yourself.

Remember - If it weren't for fixes from Upstream/CentOS, neither
Upstream nor CentOS would be able to be tested for compliancy without
MAJOR source-code hoops, which would defeat the purpose of using these
OSes in eCommerce in the first place! ;)

	-I
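
Added example, not part of the original message: a shell sketch that extends the `rpm -q --changelog php | grep -i cve` check above by comparing the CVE IDs an auditor's scan lists against those recorded in the package changelog. The function names, the sample changelog and every CVE ID in it are constructed for illustration.

```shell
#!/bin/sh
# Cross-check scanner-reported CVE IDs against an RPM changelog.
# All changelog lines and CVE IDs below are constructed sample data.

# Constructed stand-in for the output of: rpm -q --changelog php
sample_changelog() {
    cat <<'EOF'
* Mon Jan 01 2001 Example Packager <packager@example.invalid> - 0.0.1-2
- add security fix for CVE-0000-1111
- backport fixes for cve-0000-2222, CVE-0000-3333

* Sun Dec 31 2000 Example Packager <packager@example.invalid> - 0.0.1-1
- initial build
- fix CVE-0000-1111 (duplicate mention)
EOF
}

# Read changelog text on stdin, print the unique upper-cased CVE IDs it names.
changelog_cves() {
    grep -oiE 'CVE-[0-9]{4}-[0-9]{4,}' | tr '[:lower:]' '[:upper:]' | sort -u
}

# audit_cves CHANGELOG_FILE CVE...
# Prints "FIXED <id>" or "MISSING <id>" for each requested CVE.
# Returns 1 if any requested CVE is not mentioned in the changelog.
audit_cves() {
    changelog_file=$1
    shift
    fixed=$(changelog_cves < "$changelog_file")
    rc=0
    for cve in "$@"; do
        id=$(printf '%s' "$cve" | tr '[:lower:]' '[:upper:]')
        if printf '%s\n' "$fixed" | grep -qxF "$id"; then
            echo "FIXED $id"
        else
            echo "MISSING $id"
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed data; on a real host fill the file with
#   rpm -q --changelog php > "$tmp"
tmp=$(mktemp)
sample_changelog > "$tmp"
audit_cves "$tmp" CVE-0000-1111 CVE-0000-9999 || echo "unresolved CVEs remain"
rm -f "$tmp"
```

The check only finds CVE IDs that the packager wrote into the changelog, so a MISSING line means "not documented there" and is the list to take up with the auditor or the mailing list archives.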