Hello all,

I love CentOS, but I am seriously regretting selecting CentOS 4.4 for my production hosting servers. The current situation with CentOS 4.4 and being stuck at Apache 2.0.52 is a huge problem because of the new requirements for the Credit Card industry PCI scan. Apache 2.0.52 does not pass PCI compliance scans, which means no ecommerce on any of these servers - MAJOR ISSUE. So my question to the community is: when are new Apache RPMs going to be released or at minimum a backported version that plugs these security holes so we can pass PCI scans. Apache 2.0.52 has some major issues that need to be dealt with.

Help us out here. I know I am not the only one in this situation. Every hosting company that uses Ensim Pro X is just where I am.
Any insight or better yet a solution to this would be great.
> I love CentOS, but I am seriously regretting selecting CentOS 4.4 for my
> production hosting servers. The current situation with CentOS 4.4 and being
> stuck at Apache 2.0.52 is a huge problem because of the new requirements for
> the Credit Card industry PCI scan. Apache 2.0.52 does not pass PCI
> compliance scans, which means no ecommerce on any of these servers - MAJOR
> ISSUE. So my question to the community is: when are new Apache RPMs going
> to be released or at minimum a backported version that plugs these security
> holes so we can pass PCI scans. Apache 2.0.52 has some major issues that
> need to be dealt with.
>
> Help us out here. I know I am not the only one in this situation. Every
> hosting company that uses Ensim Pro X is just where I am.
> Any insight or better yet a solution to this would be great.

Are you actually using CentOS 4.4 or are you using a fully updated version of CentOS 4.6?

If you are fully updated, or simply download the latest CentOS 4 httpd package, and run "rpm -q --changelog httpd | less" for an installed package or "rpm -qp --changelog /path/to/httpd/package | less" for a downloaded but not yet installed package, you can see all of the changes, complete with which CVE issues have been addressed in each package build.

Barry
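Barry's changelog check, as an added example that is not code from the thread: a small POSIX sh script that contrasts the version-number-only verdict a naive scanner gives with the changelog lookup he describes. The changelog text, the CVE id and the "upstream fix version" are constructed placeholders; the `rpm` invocations in the comments are the ones named above plus `--qf` to pull the version field.

```shell
#!/bin/sh
# Added example, not from the thread. Compares two ways of judging whether a
# backported httpd package still carries a given CVE: the version-only logic
# a naive scanner uses, and the changelog lookup Barry describes.
# SAMPLE_CHANGELOG is CONSTRUCTED text with a placeholder CVE id; on a real
# CentOS host use the output of:  rpm -q --changelog httpd

SAMPLE_CHANGELOG='* Mon Jan 01 2008 Example Packager <pkg@example.invalid> - 2.0.52-38.ent
- add security fix for CVE-0000-0001 (placeholder id, constructed)
* Fri Jun 01 2007 Example Packager <pkg@example.invalid> - 2.0.52-32.ent
- rebuild'

# version_lt A B: true when dotted version A sorts before B (2.0.52 < 2.0.59)
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# changelog_fixes CVE CHANGELOG: true when the CVE id appears in the changelog
changelog_fixes() {
    printf '%s\n' "$2" | grep -qF -- "$1"
}

# assess CVE INSTALLED_VERSION UPSTREAM_FIX_VERSION CHANGELOG
# Prints fixed-by-backport, fixed-by-version, or vulnerable. A scanner that
# only knows UPSTREAM_FIX_VERSION would report the first case as vulnerable.
assess() {
    if changelog_fixes "$1" "$4"; then
        echo fixed-by-backport
    elif version_lt "$2" "$3"; then
        echo vulnerable
    else
        echo fixed-by-version
    fi
}

# Sample run; on a real host replace the literals with
#   "$(rpm -q --qf '%{VERSION}' httpd)" and "$(rpm -q --changelog httpd)"
# (the upstream fix version 2.0.59 below is an invented placeholder).
assess CVE-0000-0001 2.0.52 2.0.59 "$SAMPLE_CHANGELOG"
```

Handing the changelog evidence (package name, release, and the CVE line) to the scanning vendor is what the thread suggests when a scan flags a backported package.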
Bob Boilard wrote:
> Hello all,
>
> I love CentOS, but I am seriously regretting selecting CentOS 4.4 for my
> production hosting servers. The current situation with CentOS 4.4 and being
> stuck at Apache 2.0.52 is a huge problem because of the new requirements for
> the Credit Card industry PCI scan. Apache 2.0.52 does not pass PCI
> compliance scans, which means no ecommerce on any of these servers - MAJOR
> ISSUE. So my question to the community is: when are new Apache RPMs going
> to be released or at minimum a backported version that plugs these security
> holes so we can pass PCI scans. Apache 2.0.52 has some major issues that
> need to be dealt with.
>

I am almost positive that this issue is one of the scan software using version numbers and not understanding that RHEL backports fixes. It is probably just looking at version numbers and not vulnerabilities. I cannot imagine a REAL scanner that will not pass RHEL-4 in its scans. There are not any unpatched holes on the latest httpd in CentOS as all security issues are backported. I know that there are millions of ISPs using CentOS-4 for e-commerce every day.

> Help us out here. I know I am not the only one in this situation. Every
> hosting company that uses Ensim Pro X is just where I am.
> Any insight or better yet a solution to this would be great.

I would suggest that you ask the scanning agency to specify why they do not understand the RHEL backports ... unless there are REALLY unpatched issues.
Bob Boilard wrote:
> Hello all,
>
> I love CentOS, but I am seriously regretting selecting CentOS 4.4 for my
> production hosting servers. The current situation with CentOS 4.4 and being
> stuck at Apache 2.0.52 is a huge problem because of the new requirements for
> the Credit Card industry PCI scan. Apache 2.0.52 does not pass PCI
> compliance scans, which means no ecommerce on any of these servers - MAJOR
> ISSUE. So my question to the community is: when are new Apache RPMs going
> to be released or at minimum a backported version that plugs these security
> holes so we can pass PCI scans. Apache 2.0.52 has some major issues that
> need to be dealt with.
>

Care to be specific what security holes are not patched on the latest httpd for CentOS 4.x? As others have mentioned, it sounds like a brain-dead security scanner making stupid assumptions based on a version number.

From the looks of my CentOS 4.5 systems it appears the default CentOS httpd config turns on ServerSignature. I'd be curious what the security scanner said if you turn that option off in httpd (assuming you haven't turned it off already).

http://httpd.apache.org/docs/2.0/mod/core.html#serversignature

A few years ago my company at the time ran into something similar: the app returned an HTTP/200 even for things that were essentially 404, so the automated security scanning service said we were vulnerable to just about every exploit under the sun, even though we were not. It was amusing at least. I don't know why the app returned HTTP/200 (it was a fairly complex tomcat/weblogic application), maybe just bad design, but the security scanner was just as bad, looking for an HTTP/200 to determine if the security hole was present.

nate
Johnny Hughes wrote:
>
> Bob Boilard wrote:
> > Hello all,
> >
> > I love CentOS, but I am seriously regretting selecting CentOS 4.4 for my
> > production hosting servers. The current situation with CentOS 4.4 and being
> > stuck at Apache 2.0.52 is a huge problem because of the new requirements for
> > the Credit Card industry PCI scan. Apache 2.0.52 does not pass PCI
> > compliance scans, which means no ecommerce on any of these servers - MAJOR
> > ISSUE. So my question to the community is: when are new Apache RPMs going
> > to be released or at minimum a backported version that plugs these security
> > holes so we can pass PCI scans. Apache 2.0.52 has some major issues that
> > need to be dealt with.
> >
>
> I am almost positive that this issue is one of the scan software using
> version numbers and not understanding that RHEL backports fixes.

It is a big fear of mine that this may become more and more of an issue when government agencies start setting stricter and stricter software compliance guidelines. The agencies don't know what security backports vendor XYZ has implemented and frankly they don't care. All they have is a list of minimum version numbers that software must be at in order for it to be deemed "compliant". I think we will start seeing this in the PCI and HIPAA compliance regulations first, but I wouldn't be surprised if it leaks out into GLBA and other regulations over time.

I think it will be these compliance issues that may force upstream to change their strategy; otherwise I can see this being a roadblock to RHEL/CentOS adoption in these industries in the future.

-Ross
"Ross S. W. Walker" <rwalker at medallion.com> wrote:
>>
I agree wholeheartedly. It would go a long way though if Red Hat provided independent certification of their products under these compliance banners.
<<

RHEL 5 is Common Criteria certified against the Controlled Access Protection Profile (CAPP), Labelled Security Protection Profile (LSPP) and Role-Based Access Control Protection Profile (RBACPP) at EAL (Evaluation Assurance Level) 4+ (i.e. all requirements of EAL4 and some of EAL5), when running on certain hardware platforms (IBM). See http://www.commoncriteriaportal.org/public/consumer/index.php?menu=5 for the reports.

That may be overkill for what you require, but if your system is certified and accredited, it usually stops auditors in their tracks.

I agree with concerns about the inability of auditors to correctly interpret requirements. The Y2K panic provided lots of examples; I recall one junior auditor demanding that a network hub be replaced because it was not "certified Y2K compliant".

Best,

--- Les Bell, RHCE, CISSP [http://www.lesbell.com.au] Tel: +61 2 9451 1144 FreeWorldDialup: 800909