On Mon, Jun 11, 2012 at 6:01 PM, Tony Miller <[email protected]> wrote:

> I'm having a PCI compliance issue regarding apache 2.2.22 and mod_ssl
> 2.8.31. My security vendor says there is an issue with mod_ssl 2.2.22,
> which is the current installed version.
>

Does your security vendor understand the difference between the mod_ssl
that is included with Apache 2.x and the external one that was used with
Apache 1.3?  The latter is at 2.8.31 but is *only* for obsolete Apache 1.x.

The mod_ssl that comes with Apache 2 always has the same version as the
Apache it comes with.  Since 2.2.22 is the latest in the Apache 2.2 series,
your vendor is claiming that Apache 2.2.22 has an unpatched vulnerability.
(The absolute latest one in the 2.x series is 2.4.2, which of course ships
with a mod_ssl that is also 2.4.2.)

Based on the evidence so far, I suggest your security vendor is confused.

-- 
brandon s allbery                                      [email protected]
wandering unix systems administrator (available)     (412) 475-9364 vm/sms
_______________________________________________
macports-users mailing list
[email protected]
http://lists.macosforge.org/mailman/listinfo.cgi/macports-users
