On 4/22/10 7:59 PM, Philip M. Gollucci wrote:
On 4/21/2010 1:55 AM, Eirik Øverby wrote:
It is a misconseption to think that one _has to_ run the latest version (as
suggested by dumb network scans) in order to remain compliant (PCI DSS or
otherwise). What is needed is that the issues found are either patched or
documented to be not applicable.
I completely agree; however, having just achieved PCI certification for
$work in *this* month -- 2 different (unamed pci auditing firms) refused
to accept openssl had been patched without version number changes.
Kind of odd considering they said my httpd 2.2.14 was vunlerable to the
windows mod_issapi cve on fbsd but accepted on face value that we can't
possibly be since its not windows and not loaded. Yet the version #
didn't change here.
Additionally odd, they did accept that 2.2.14 disabled ssl functionality
to prevent the issue though not fix it. Yet again the version # didn't
change.
Interestingly we have some other equipment that requires the client
renegotiation but b/c we are leasing it rather then own it, its out of
scope.
IMHO, its simply easier to always mod the version string in some way
rather then trying to argue with them.
append -p2 to teh end of the version number before submitting it to
them :-)
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
