Submitted by izoox on Wed, 10/07/2009 - 10:52
Now the PCI scans are saying I need to upgrade to Apache 2.2.12 before I can pass the tests. What is the best way to go about this? I don't want to waste Virtualmin's time, but I also don't want to install something that is incompatible and mess things up. It's so nice to keep things up to date through a package manager.
Status:
Closed (fixed)
Comments
Submitted by andreychek on Wed, 10/07/2009 - 11:08 Comment #1
A PCI scan should never require that you change to a version of Apache that's not provided by your distro.
While they do check the version of your software, and request that you run the latest version -- if you tell them that you're running CentOS/RHEL, which backports security fixes to the Apache versions they provide, your PCI scanning company can label that as a false positive, and will allow the scan to pass.
I highly recommend against running a custom version of Apache, and any reasonable security company should allow for a false positive in your case (assuming you're running the latest version available to your distro).
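The point above is that on CentOS/RHEL the Apache version string stays at 2.2.3 while security fixes are backported into newer package releases, so the evidence to hand a scanning company is the package changelog rather than the version banner. As an added example (not code from this thread or from Virtualmin), the POSIX shell functions below take the text that `rpm -q --changelog httpd` prints on a CentOS/RHEL host and list which CVE ids the packaged build records a fix for, together with the package release that fixed each. The changelog text embedded here is a constructed sample and its CVE numbers are placeholders, not real advisories; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original thread. Maps CVE ids found in an
# rpm changelog to the package release whose entry mentions them.
# The changelog below is a constructed sample; the CVE ids are placeholders.

SAMPLE_CHANGELOG='* Mon Aug 10 2009 Example Maintainer <maint@example.invalid> - 2.2.3-31.el5
- add security fix for CVE-2009-0001 (mod_deflate)
- add security fix for CVE-2009-0002 (mod_proxy)

* Wed Jun 03 2009 Example Maintainer <maint@example.invalid> - 2.2.3-22.el5
- fix AllowOverride bypass (CVE-2009-0003)
'

# Read rpm changelog text on stdin and print "CVE-id release" pairs, one per
# line. An rpm changelog header starts with "* " and ends with the package
# release; awk remembers that release and attaches it to every CVE id in the
# entry lines that follow, until the next header.
cve_fixes_from_changelog() {
    awk '
        /^\* / { release = $NF; next }
        {
            line = $0
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]*/)) {
                print substr(line, RSTART, RLENGTH), release
                line = substr(line, RSTART + RLENGTH)
            }
        }
    '
}

# Exit 0 if the changelog on stdin records a fix for the CVE id given as $1,
# 1 otherwise. On a real host:
#   rpm -q --changelog httpd | changelog_fixes_cve CVE-YYYY-NNNN
changelog_fixes_cve() {
    cve_fixes_from_changelog | awk -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s' "$SAMPLE_CHANGELOG" | cve_fixes_from_changelog
```

Running the last line on the sample prints three pairs, each CVE id next to the `2.2.3-NN.el5` release that introduced its fix; that list, plus the output of `rpm -q httpd`, is what a scanner vendor needs to mark a version-banner finding as a false positive.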
Submitted by izoox on Thu, 10/22/2009 - 15:56 Comment #2
Sorry for the delayed response. Thank you, I guess I misunderstood what they were asking me. I told them pretty much what you said, and they marked it as a false positive.