Re: [CentOS] Security implications of openssl098e on CentOS 7

2015-10-22 Thread Leonard den Ottolander
On Wed, 2015-10-21 at 21:20 +0200, Yamaban wrote: > TL;DR: TL;DQ? -- mount -t life -o ro /dev/dna /genetic/research ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] Security implications of openssl098e on CentOS 7

2015-10-21 Thread Nick Bright
On 10/21/2015 1:55 PM, Andrew Holway wrote: Personally I would go round to that particular vendor's office with a pipe wrench and encourage them to do better; however, unless this software is transmitting credit card information then it seems that you could be safe(ish) from the regulation

[CentOS] Security implications of openssl098e on CentOS 7

2015-10-21 Thread Nick Bright
Greetings, I'm working with a new CentOS 7 installation, moving a system up from CentOS 5 due to OpenSSL version 0.9.8e not meeting PCI Compliance requirements. However, while setting up the CentOS 7 environment one of the closed source applications is requiring 0.9.8. The software vendor

Re: [CentOS] Security implications of openssl098e on CentOS 7

2015-10-21 Thread Andrew Holway
Personally I would go round to that particular vendor's office with a pipe wrench and encourage them to do better; however, unless this software is transmitting credit card information then it seems that you could be safe(ish) from the regulation standpoint. It really depends on the location of the

Re: [CentOS] Security implications of openssl098e on CentOS 7

2015-10-21 Thread Andrew Holway
I would guess the only way to ascertain that is with some rigorous testing. Personally I find an alternative backup method. On 21 October 2015 at 13:58, Nick Bright wrote: > On 10/21/2015 1:55 PM, Andrew Holway wrote: > >> Personally I would go round to that particular

Re: [CentOS] Security implications of openssl098e on CentOS 7

2015-10-21 Thread Nick Bright
On 10/21/2015 2:34 PM, Eero Volotinen wrote: Remember that RHEL/CentOS backports fixes, so just looking at the version number is not a reliable way to detect security issues. Eero Indeed, though I can say on CentOS 5 the required configuration to be PCI compliant is not valid in apache, and httpd will

Re: [CentOS] Security implications of openssl098e on CentOS 7

2015-10-21 Thread Eero Volotinen
Ok, I just forgot that the latest PCI DSS standard requires TLSv1.2, which is not supported under CentOS/RHEL 5. So, you are using https to transfer credit card data? -- Eero 2015-10-21 22:37 GMT+03:00 Nick Bright : > On 10/21/2015 2:34 PM, Eero Volotinen wrote: > >> Remember

Re: [CentOS] Security implications of openssl098e on CentOS 7

2015-10-21 Thread Gordon Messmer
On 10/21/2015 11:58 AM, Nick Bright wrote: My concern is that, with the compatibility package installed, could this present vulnerabilities or compliance problems in Apache? No. openssl098e libraries have a distinct path. Apache's mod_ssl will not load them.
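
A way to verify Gordon's point on a CentOS 7 host, as an added example that is not part of the thread: openssl098e installs libssl.so.6/libcrypto.so.6 (resolving to libssl.so.0.9.8e) next to the system libssl.so.10/libcrypto.so.10, so `ldd` on mod_ssl.so and the maps of a running httpd show which generation is actually linked and mapped. The helper names and the sample ldd and maps text below are constructed for this example; on a real host feed them `ldd /usr/lib64/httpd/modules/mod_ssl.so` and `/proc/PID/maps` instead.

```shell
#!/bin/sh
# Added example: classify which OpenSSL generation a binary resolves (from ldd-style
# text) and whether a running process has the 0.9.8 objects mapped (from
# /proc/PID/maps-style text). Assumes the EL7 layout: openssl098e provides
# libssl.so.6 -> libssl.so.0.9.8e, openssl-libs provides libssl.so.10 -> libssl.so.1.0.*.
# Function names and sample inputs are constructed for this example.

# Print the unique libssl/libcrypto sonames found in ldd output ($1), one per line.
ssl_sonames() {
    printf '%s\n' "$1" | awk '$1 ~ /^lib(ssl|crypto)\.so/ { print $1 }' | sort -u
}

# Classify ldd output ($1) as "legacy" (0.9.8 compat), "system" (1.0.x),
# "mixed" (both pulled in, e.g. through a plugin) or "none".
openssl_generation() {
    legacy=0
    system=0
    for n in $(ssl_sonames "$1"); do
        case "$n" in
            libssl.so.6|libcrypto.so.6)   legacy=1 ;;
            libssl.so.10|libcrypto.so.10) system=1 ;;
        esac
    done
    if [ "$legacy" -eq 1 ] && [ "$system" -eq 1 ]; then echo mixed
    elif [ "$legacy" -eq 1 ]; then echo legacy
    elif [ "$system" -eq 1 ]; then echo system
    else echo none
    fi
}

# Return 0 if /proc/PID/maps text ($1) shows the 0.9.8 objects mapped. maps lists
# the resolved file name (libssl.so.0.9.8e), not the libssl.so.6 symlink.
maps_has_legacy_openssl() {
    printf '%s\n' "$1" | grep -Eq '/lib(ssl|crypto)\.so\.0\.9\.8'
}

# Live check: print the PIDs that currently have the legacy objects mapped.
legacy_openssl_pids() {
    for d in /proc/[0-9]*; do
        m=$(cat "$d/maps" 2>/dev/null) || continue
        maps_has_legacy_openssl "$m" && basename "$d"
    done
    return 0
}

# Constructed sample inputs (not captured from a real host).
MOD_SSL_LDD='linux-vdso.so.1 =>  (0x00007ffd00000000)
    libssl.so.10 => /lib64/libssl.so.10 (0x00007f0000000000)
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)'
VENDOR_LDD='libssl.so.6 => /lib64/libssl.so.6 (0x00007f0000000000)
    libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00007f0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)'
MIXED_LDD="$VENDOR_LDD
    libssl.so.10 => /lib64/libssl.so.10 (0x00007f0000000000)"
HTTPD_MAPS='7f0000000000-7f0000200000 r-xp 00000000 fd:00 1001 /usr/lib64/libssl.so.1.0.1e
7f0000200000-7f0000400000 r-xp 00000000 fd:00 1002 /usr/lib64/libcrypto.so.1.0.1e'
VENDOR_MAPS='7f0000000000-7f0000200000 r-xp 00000000 fd:00 2001 /usr/lib64/libssl.so.0.9.8e
7f0000200000-7f0000400000 r-xp 00000000 fd:00 2002 /usr/lib64/libcrypto.so.0.9.8e'

echo "mod_ssl.so: $(openssl_generation "$MOD_SSL_LDD")"   # system
echo "vendor app: $(openssl_generation "$VENDOR_LDD")"    # legacy
echo "mixed:      $(openssl_generation "$MIXED_LDD")"     # mixed
maps_has_legacy_openssl "$VENDOR_MAPS" && echo "vendor process maps 0.9.8"
maps_has_legacy_openssl "$HTTPD_MAPS" || echo "httpd process does not map 0.9.8"
```

Note that libc.so.6 is deliberately in the samples: a naive `grep 'so.6'` would misreport it, which is why the sonames are matched on the libssl/libcrypto prefix. The "mixed" result is the one worth chasing, since it means both OpenSSL generations are loaded into one address space.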

Re: [CentOS] Security implications of openssl098e on CentOS 7

2015-10-21 Thread Eero Volotinen
Remember that RHEL/CentOS backports fixes, so just looking at the version number is not a reliable way to detect security issues. Eero 2015-10-21 21:18 GMT+03:00 Nick Bright : > Greetings, > > I'm working with a new CentOS 7 installation, moving a system up from > CentOS 5 due to
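
A check that follows from Eero's remark, as an added example that is not part of the thread: on RHEL/CentOS the upstream version string stays the same when a fix is backported, so the package changelog (`rpm -q --changelog openssl-libs`) is what says whether a given CVE is addressed, and the installed version-release has to be compared against the release that carried the fix. The function names, the sample changelog text and its version strings are constructed for this example (CVE-2014-0160 is used only as a lookup key; the release numbers are illustrative, not Red Hat's real ones).

```shell
#!/bin/sh
# Added example: find the package release that fixed a CVE from rpm changelog text
# and compare it with the installed version-release. On a live host:
#   rpm -q --changelog openssl-libs | grep -i CVE-2014-0160
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl-libs
# Function names and the sample changelog below are constructed for this example.

# Print the version-release of the newest changelog entry ($1 = rpm --changelog
# text, newest first) whose body mentions CVE id $2; prints nothing if absent.
# Entry headers look like: "* Tue Apr 08 2014 Someone <mail> - 1.0.1e-16.el6_5.7"
fix_release_for_cve() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        /^\* /                                        { rel = $NF; next }
        rel != "" && index(toupper($0), toupper(cve)) { print rel; exit }
    '
}

# Return 0 if version-release $1 is >= $2. Fields split on . - _ are compared
# numerically when both are numeric, otherwise as strings. Good enough for
# EVRs like 1.0.1e-16.el6_5.7; use rpmdev-vercmp on a real host for full rpm semantics.
vr_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[-._]/); m = split(b, y, /[-._]/)
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = (i <= n) ? x[i] : ""; q = (i <= m) ? y[i] : ""
            if (p ~ /^[0-9]+$/ && q ~ /^[0-9]+$/) { if (p+0 != q+0) exit (p+0 < q+0) }
            else if (p != q) exit (p < q)
        }
        exit 0
    }'
}

# Constructed changelog excerpt in rpm --changelog format (not real Red Hat entries).
CHANGELOG='* Tue Apr 08 2014 Example Maintainer <maint@example.com> - 1.0.1e-16.el6_5.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

* Mon Jan 13 2014 Example Maintainer <maint@example.com> - 1.0.1e-16.el6_5.4
- rebuilt against updated build tools'

rel=$(fix_release_for_cve "$CHANGELOG" CVE-2014-0160)
echo "CVE-2014-0160 fixed in: ${rel:-not found}"          # 1.0.1e-16.el6_5.7
installed=1.0.1e-16.el6_5.4   # constructed stand-in for the rpm -q --qf result
if [ -n "$rel" ] && vr_ge "$installed" "$rel"; then
    echo "installed $installed carries the fix"
else
    echo "installed $installed does NOT carry the fix"
fi
```

The same approach answers the compliance question for a scanner that flags "OpenSSL 1.0.1e": the changelog shows which CVEs the distribution fixed in that build, which is the evidence a PCI assessor will ask for.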

Re: [CentOS] Security implications of openssl098e on CentOS 7

2015-10-21 Thread m.roth
Nick Bright wrote: > On 10/21/2015 1:55 PM, Andrew Holway wrote: >> Personally I would go round to that particular vendors office with a >> pipe wrench and encourage them to do better however, unless this >> It seems the PCI-DSS describe a set of simple rules to get IT managers >> thinking but

Re: [CentOS] Security implications of openssl098e on CentOS 7

2015-10-21 Thread Peter
On 10/22/2015 07:18 AM, Nick Bright wrote: > Greetings, > > I'm working with a new CentOS 7 installation, moving a system up from > CentOS 5 due to OpenSSL version 0.9.8e not meeting PCI Compliance > requirements. > > However, while setting up the CentOS 7 environment one of the closed > source

Re: [CentOS] Security implications of openssl098e on CentOS 7

2015-10-21 Thread Gordon Messmer
On 10/21/2015 12:20 PM, Yamaban wrote: TL;DR: Preload openssl from non-standard location for closed-source app only. Hmm, how about taking the content of the openssl098e package, put it into a directory relative to the closed source software (e.g. /opt), Totally unnecessary. The