Re: Apache RPM's




Ross S. W. Walker wrote:
> Johnny Hughes wrote:
>> Bob Boilard wrote:
>>> Hello all,
>>>
>>> I love CentOS, but I am seriously regretting selecting CentOS 4.4 for my production hosting servers. The current situation with CentOS 4.4 and being stuck at Apache 2.0.52 is a huge problem because of the new requirements for the Credit Card industry PCI scan. Apache 2.0.52 does not pass PCI compliance scans, which means no ecommerce on any of these servers - MAJOR ISSUE. So my question to the community is: when are new Apache RPMs going to be released, or at minimum a backported version that plugs these security holes so we can pass PCI scans? Apache 2.0.52 has some major issues that need to be dealt with.
>>
>> I am almost positive that this issue is one of the scan software using version numbers and not understanding that RHEL backports fixes.
>
> It is a big fear of mine that this may become more and more of an issue when government agencies start setting stricter and stricter software compliance guidelines.
>
> The agencies don't know what security backports vendor XYZ has implemented and frankly they don't care. All they have is a list of minimum version numbers that software must be at in order for it to be deemed "compliant".
>
> I think we will start seeing this in the PCI and HIPAA compliance regulations first, but I wouldn't be surprised if it leaks out into GLBA and other regulations over time.
>
> I think it will be these compliance issues that may force upstream to change their strategy, otherwise I can see this being a roadblock to RHEL/CentOS adoption in these industries in the future.
>
> -Ross

OR force the scanner people to support backports.

There are already Nessus templates that support CentOS/RHEL scanning for PCI compliance.

Being that RHEL is 85% (ish) of the paid enterprise server market and EAL certified and running on many government sites already, I would imagine that the scanners will be the things to change.

I could be wrong ... that HAS happened before :-) ... but that is my take.

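The disagreement the thread is about, shown as an added example (not code from the thread or from CentOS/Red Hat): a banner-based scanner judges the package by the version string it advertises, while the vendor changelog (`rpm -q --changelog httpd` on a real host) is where a backported fix is actually recorded. The changelog text and the CVE id below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. SAMPLE_CHANGELOG is CONSTRUCTED in the
# style of `rpm -q --changelog httpd`; CVE-0000-0001 is a placeholder id.
SAMPLE_CHANGELOG='* Mon Jan 01 2007 Example Packager <pkg@example.invalid> 2.0.52-28.ent
- add security fix for CVE-0000-0001 (placeholder; backported from 2.0.59)
* Mon Jan 01 2006 Example Packager <pkg@example.invalid> 2.0.52-22.ent
- rebuild'

# version_lt A B: succeeds when dotted version A sorts before B (2.0.52 < 2.0.59).
version_lt() {
    _a=$1 _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _ai=${_a%%.*}; _bi=${_b%%.*}
        [ "$_a" = "$_ai" ] && _a='' || _a=${_a#*.}
        [ "$_b" = "$_bi" ] && _b='' || _b=${_b#*.}
        [ "${_ai:-0}" -lt "${_bi:-0}" ] && return 0
        [ "${_ai:-0}" -gt "${_bi:-0}" ] && return 1
    done
    return 1
}

# banner_verdict INSTALLED MINIMUM: the version-number rule a naive scanner applies.
banner_verdict() {
    if version_lt "$1" "$2"; then echo "vulnerable"; else echo "compliant"; fi
}

# changelog_verdict CVE CHANGELOG: "fixed" when the vendor changelog names the CVE.
changelog_verdict() {
    if printf '%s\n' "$2" | grep -qF "$1"; then echo "fixed"; else echo "unknown"; fi
}

# Same package, two answers: the banner says old, the changelog says patched.
# On a real host: changelog_verdict CVE-0000-0001 "$(rpm -q --changelog httpd)"
banner_verdict 2.0.52 2.0.59
changelog_verdict CVE-0000-0001 "$SAMPLE_CHANGELOG"
```

The changelog check is the one worth feeding back to a scanner vendor or auditor; a version string alone cannot distinguish an unpatched 2.0.52 from a backported one.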

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
