my work's been coping with the same sort of problem courtesy of redhat for a while now - though, different CVEs specifically.
no real creative answer on our side of things, other than to patch to the fixed version either by building our own packages, or using something like iuscommunity.org's to save some time. has anyone had luck arguing the case with vendors (for those that pay for commercial support) and have a positive/patched result? On Mon, Dec 21, 2009 at 5:09 AM, Monkey Daemon < [email protected]> wrote: > Hi All, > > I've been speaking to a family member over the weekend who works in a > similar line of work to myself and we got to talking about PCI > Compliance. > > He's just had a quarterly scan performed and he failed it owing to the > issues with Session Negotiation when using SSL/TLS. The problem he > has is that he's running Linux and not only has his distro not > released packages for OpenSSL 0.9.8l but the distro vendor is refusing > to issue a patch stating that as its an issue with the underlying > protocol there is no point. > > Does anyone have a fix to this other than "compile your own SSL with > negotiation switched off and hope nothing breaks"? > > I'm now concerned that when our scan comes around early next year we > will also fail. > > Cheers, > > MWD. > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com >
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
