PCI compliance requires at least Apache 2.2.8

32 posts / 0 new
Last post
#1 Mon, 05/05/2008 - 21:09
tfunk

PCI compliance requires at least Apache 2.2.8

To be compliant with PCI standards (Payment Card Industry), a merchant is supposed to have at least Apache 2.2.8, and at least PHP 5.2.5.

I think this is the lamest thing ever.

Anyway, I might as well figure out how to upgrade the two packages. I currently have Apache 2.2.3 and PHP 5.1.6.

Am I limited to upgrades given via the auto upgrade feature of Virtualmin, or can I perform upgrades on my own? I'm very savvy about how to go about it, perhaps if there was a URL someone could point me to I'd be set.

Lastly, are there any gotchas I need to be aware of?

Thanks! T

Tue, 05/06/2008 - 12:56
tfunk

Someone has to know how to update httpd and PHP?

Cheers,
T

Tue, 05/06/2008 - 13:27 (Reply to #2)
Joe
Joe's picture

So, the PCI standards do not take into account fully patched versions of these packages from the OS vendors? So...RHEL 5 is not PCI compliant, despite being one of the most secure systems available (likewise Debian 4)? I think this shows a pretty striking lack of awareness on the part of the folks drafting the guidelines.

--

Check out the forum guidelines!

Tue, 05/06/2008 - 13:29 (Reply to #3)
Joe
Joe's picture

BTW-We have a solution coming soon for the PHP update issue for our most popular platforms--we will provide PHP 5.2.6 for CentOS 5, at least. We will never bump rev on Apache beyond what is provided by the vendor...so you'll need to build your own (which will probably end up less secure in the end since managing upgrades is so much harder on a built-from-source installation).

BTW2-Note I said PHP 5.2.6. 5.2.5 has security vulnerabilities, unless patched. ;-)

--

Check out the forum guidelines!

Sat, 06/21/2008 - 17:40 (Reply to #4)
joeles

Joe, do you guys have an eta on PHP 5.2.6? If you guys are going to release it soon, I would much rather wait for it than to install my own.

Tue, 05/06/2008 - 14:52 (Reply to #5)
tfunk

The other reason I'm not PCI compliant is because I have "excessive" open ports, which means 10 or more. I mean seriously, who came up with 10? I should get an exception, though, for that because it's "by design". Whatever! ;)

T

Tue, 05/06/2008 - 15:00 (Reply to #6)
Joe
Joe's picture

<div class='quote'>The other reason I'm not PCI compliant is because I have &quot;excessive&quot; open ports, which means 10 or more. I mean seriously, who came up with 10?</div>

They count the number of open ports? Seriously? Wow. I think from now on, if I see some sort of PCI logo on a site I will be more suspicious of their security than if I don't. ;-)

--

Check out the forum guidelines!

Tue, 05/06/2008 - 15:13 (Reply to #7)
PlayGod

If you absolutely, positively must have these updates, you might look into using Jason Litka's excellent repository, which includes patched PHP 5.2.5, httpd 2.8 and MySQL 5.0.58

Not supported or recommended by the folks here, of course, but very useful if you must have a very up-to-date CentOS.

http://www.jasonlitka.com/yum-repository/changelog/

You'll need to do a bit of research to figure out how to enable and use his repos, and your following yum update will be scary as it'll replace a load of packages and modules. Caveat Emptor... but I've had very good luck with it and he does seem serious about changes and updates.

Time Will Tell... hopefully he continues his good work, it is much appreciated by those who use his repos and builds.

Tue, 05/06/2008 - 15:46 (Reply to #8)
Joe
Joe's picture

<div class='quote'>Not supported or recommended by the folks here</div>

It's not <i>not</i> recommended, either. ;-)

But, as you say, we can't possibly support packages that we don't provide or aren't from the standard OS sources. We have our hands full supporting our own packages plus the ones from CentOS, Debian, Ubuntu, Fedora, etc.

--

Check out the forum guidelines!

Tue, 05/06/2008 - 15:18 (Reply to #9)
PlayGod

Also some advice on patching 5.2.5's security issue here:
http://www.jasonlitka.com/2007/11/16/upgrading-to-php-525-on-rhel-and-ce...

Mon, 06/23/2008 - 17:33 (Reply to #10)
adrianrf

+1 for news about PHP 5.2.6 here.

would very much like to run an opcode cache, too: either XCache or eaccelerator. would be very grateful for an install recipe.

best,

Adrian
Adrian Russell-Falla

Tue, 07/15/2008 - 12:00 (Reply to #11)
Vedstesen

<b>Joe wrote:</b>
<div class='quote'>BTW2-Note I said PHP 5.2.6. 5.2.5 has security vulnerabilities, unless patched. ;-)</div>

I still have php 5.1, and ain't able to update to 5.2.6.

How long are you with the update Joe?
Does you have a timeline?

I still think this software are great, but php 5.2.6 will make it even better.

Peter, Denmark

Tue, 07/15/2008 - 12:16 (Reply to #12)
andreychek

Howdy,

What distribution are you using?

If you're using something like CentOS 5 or RHEL 5, which are currently offering PHP 5.1.6 -- they backport security fixes and such into that version of PHP. You should be in good shape, security-wise.

In dealing with any of the PCI Compliance testers, they're pretty understanding about the backporting, you should just be able to mark older versions they detect as a &quot;False Positive&quot; and simply mention what distro you're running, and that you're up to date with patches.

I'm sure there's some features in 5.2.6 that folks may want, and Joe will certainly get around to that. But in the meantime, as far as security is concerned running PHP 5.1.6 on RHEL/CentOS5 is up to date.
-Eric

Tue, 07/15/2008 - 12:37 (Reply to #13)
Joe
Joe's picture

<div class='quote'>I still think this software are great, but php 5.2.6 will make it even better.</div>

For systems that we currently provide php5 packages for (those that have php4, by default), 5.2.6 is already in the repos.

I'm currently working on an optional &quot;bleeding edge&quot; repository for folks running CentOS/RHEL 5 that really like to hurt themselves with the latest and greatest stuff--stuff that hasn't been all that well-tested by huge armies of users and QA staff. It'll include the latest PHP5, Apache, MySQL, and SpamAssassin. Possibly a few other bits and pieces. I'm never going to recommend it...but it'll be there for folks that want it.

That should be available in another week or two.

--

Check out the forum guidelines!

Sun, 06/07/2009 - 07:26 (Reply to #14)
Vedstesen

Thats GREAT!

Thansk Joe. You are the best.
.\Peter

Tue, 10/20/2009 - 09:16 (Reply to #15)
tabletguy

For systems that we currently provide php5 packages for (those that have php4, by default), 5.2.6 is already in the repos.

Sorry to perhaps repeat this, but Joe seems to be saying that Virtualmin provides a "5.2.6" (or whatever is current) php version for Centos 5.3, etc.

In NEXT paragraph he also talks about "bleeding edge" stuff, with lots of more risky items, etc.

I have always interpreted these sentences to mean BOTH a 5.2.6 (somewhere) AND a bleeding edge version.

1) Are these (5.2.6 and bleeding edge) supposed to be different or the same thing?

2) How can I get a 5.2 (current) php on my Centos 5.3 system WITHOUT getting bloody? Is it possible? I don't want bleeding edge (but for Joomla, Moodle, etc. ...) I do want php 5.2.x

Tue, 10/20/2009 - 09:45 (Reply to #16)
andreychek

Well, note that Joe's post is from way back in July of 2008.

So, 5.2.6 was bleeding edge at that point :-)

Onto your questions:

Are these (5.2.6 and bleeding edge) supposed to be different or the same thing?

Yeah, the confusion here is the timeframe Joe said all that. At the time Joe said that, 5.2.6 was available in the bleeding edge repository. Today, 5.2.11 is, I believe.

How can I get a 5.2 (current) php on my Centos 5.3 system WITHOUT getting bloody? Is it possible? I don't want bleeding edge (but for Joomla, Moodle, etc. ...) I do want php 5.2.x

You have two options -- use what CentOS provides (5.1.x), or "get bloody" :-)

Anything not provided with CentOS is non-standard, and no where near as well tested as their distro provided PHP version.

But as you point out, recent web apps often don't even work on what they provide.

So your choices are limited :-)

My recommendation is probably to use the Virtualmin bleeding edge repo, which a lot of folks here are using and feel it works fine for them. And if you run into trouble, you can always come back here to try and figure out what's going on :-)

-Eric

Mon, 02/02/2009 - 09:42 (Reply to #17)
merlynx

I am running centos 5.2...

I like to run phpMyAdmin. We'll, not anymore, seeing as the version I have is not compatible with php 5.1.6.

I am confused. &quot;Bleeding edge virtualmin repo&quot; not recommended but a plan in place to provide php 5.2.x for those who have the virtualmin php package?

How do I get php 5.2.x installed on our centOs 5.2 boxes with out a third party repo (like Jason Litka's). It's a critical, fundamental part of a LAMP server sercurity IMHO to be able to keep your scripting CGI app updated. PHP 5.2.5's recent security debacle for example. In addition, several CMS and web-based apps are running php and use the provided/updated features (like drupal). Some of them are running updates for their software that plug security and/or stability issues and those apps depend on php 5.2.x or the latest flavor of it. Issues bifurcate quickly when such a fundamental part of the system's packages are halted in their development, if PHP is not up to date, then your php based apps that depend on php which your clients like to use are not up to date either.

So what is our recourse - do we move to a different OS platform that has the philosophical mindset of keeping packages up to date until the release of their new version? Or do I wait until there is a virtualmin friendly php 5.2.x upgrade path for our virtualmin installs? Seems weird that CentOS does not have a version &quot;6&quot; in the wings, or 5.3, that they know will support such a common setup (LAMP) and that they would drop support of the php branch...

Anyways. What next?

Mon, 02/02/2009 - 09:58 (Reply to #18)
andreychek

Well, to be clear -- the latest PHP 5.1.x on RHEL/CentOS has no known security issues.

RHEL and CentOS backport all their security fixes to it.

The goal of the RHEL/CentOS projects is stability, not to provide the latest and greatest versions of apps.

You're right though, some apps are requiring PHP 5.2.x now, and that becomes a problem when using RHEL and CentOS.

IMO, your real options are:

1. Use Joe's bleeding edge repo -- which he, of course, doesn't recommend, as it's bleeding edge and not well tested :-) However, I do believe he uses it.

2. Switch to a distro who is more concerned with offering newer packages. Ubuntu may be your best option there, though Debian isn't too far behind it (Ubuntu Hardy provides PHP 5.2.4, Debian Etch has PHP 5.2.0).

Personally, I like Ubuntu (an opinion that differs from the Virtualmin developers :-), and I find it works plenty well for me. If you're attached to RHEL or CentOS though, or otherwise prefer them, you might try Joe's bleeding edge repository (which has PHP 5.2.6) rather than switching distros.
-Eric

Tue, 05/06/2008 - 14:49
tfunk

Thanks Joe! I am a paying customer, anyway ;)

I guess I'll have to file an exception, as it's the most fully patched version of apache. Thanks for pointing that out. I look forward to getting the PHP 5.2.6, though! When do you think that'll come?

But ya, I think it's more or less just a joke.

I mean seriously, HACKER SAFE has softer requirements than PCI, and you see all those HACKER SAFE decals all over the place, where in truth its all BS. I am actually HACKER SAFE compliant, just not PCI. Odd.... And to get that HACKER SAFE decal you have to pay about 2.5 times more money. What a joke!

Cheers,
T

Tue, 05/06/2008 - 16:42
tfunk

Ya, I think I'll take my chances with getting an exception on the apache issue, and wait until the PHP update comes out.

Joe, any idea when the PHP 5.2.6 update will roll?

Cheers,
T

Thu, 05/08/2008 - 07:40
tfunk

well, they took off the excessive ports issue, and the apache version issue. I might as well just ask for them to remove the PHP version issue then, huh? If it was that easy ;)

Then I can be &quot;compliant&quot;. Yay! As if it means a whole hell of a lot.

T

Thu, 05/08/2008 - 15:39
tfunk

That did it. I am now PCI compliant. Oh yay! ;)

T

Wed, 05/21/2008 - 03:01
colinkent

Hi

I am just going thro the PCI at the moment. an out of the box install only showed 4 medium priority items that i need to change to get compliant!

1. restrict recursive queries to the hosts that should use this name server??? i asume in the ACL i add the ip addresses of the systems i want to connect to it??

2. disable SSL 2.0 and use SSL 3.0 or TLS 1.0 - I cannot see anywhere i can change this with in the settings??

3. make sure all forms are sent and received over SSL - html issue!

4. Reconfigure services to avoid the use of weak ciphers - hay what???

anyone got any ideas????

Colin

Sun, 05/25/2008 - 13:48
max

In the &quot;install scripts&quot; part of VM pro I want to install the shopping cart &quot;Magento&quot; but the install says I need php 5.2

Is there a way to selectively install php 5.2 without a full virtualmin upgrade (which is already up to date anyway)

How do I install the official php 5.2 package providd by VM? Is there one?

Thanks,
Max

Wed, 05/28/2008 - 06:11 (Reply to #25)
sgrayban

I answered the SSL v2.0 in your bug report colinkent

Fri, 08/29/2008 - 14:49
SteveHeinsch

We just got a new CentOS 5.2 server running current vmpro. I don't see an option to upgrade to php 5.2.x? Is it available for CentOS 5.2? php 5.1.6 shows up in the VM updates as the latest and its provided by centos.

Thanks,
Steve

Fri, 08/29/2008 - 15:17 (Reply to #27)
Joe
Joe's picture

We don't provide the PHP 5 packages on CentOS 5 (it already has PHP 5, and we don't replace packages unless absolutely necessary), and the &quot;bleeding edge&quot; repository I discussed has not been launched yet (and I'll never recommend people use it...it'll just be there for people who absolutely cannot stand running the version shipped by their OS). ;-)

--

Check out the forum guidelines!

Mon, 08/24/2009 - 09:22
keyvan

I have been reading these posts in which the last one was dated 1 year ago. Any updates on being able to run PHP 5.2 on centos without breaking it?

Its getting difficult to run anything now with php 5.1.6 I have a bunch of Joomla extensions that just wont run on php 5.1.6 and explicitly require 5.2.x

I have tried manually updating php5 with remi packages on a test server but it always just falls to bits.

Any way of doing this to a production server? Can't even get it to work on a test server :(

Mon, 08/24/2009 - 09:27 (Reply to #29)
andreychek

Well, there is a bleeding edge CentOS PHP 5.2.x package.

Of course, the default PHP that comes with CentOS is what's recommended and best tested -- but if you need a more recent version, the bleeding edge one seems to work fine for most folks.

You can get more info on that here:

https://www.virtualmin.com/documentation/id%2Cvirtualmin_bleeding_edge_p...

Sat, 09/26/2009 - 13:35
bwade30

Any word on this? My new webmin/virtualmin install on centos still shows 5.1.6. 5.2.11 is out and cpanel is totally on top of it in their updates. It would be nice if webmin upgraded to at least 5.2.anything.... Let us know what's up.

Sat, 09/26/2009 - 20:33 (Reply to #31)
andreychek

Version 5.1.6 is the latest provided by CentOS.

You can use the Virtualmin Bleed Repository, which provides PHP 5.2.9 as of now:

https://www.virtualmin.com/documentation/id%2Cvirtualmin_bleeding_edge_p...

If you require a newer version, I'd suggest filing a request using the Support link above.

-Eric

Topic locked