Sorry for cross posting between here and the GPL forums, but we own a professional license and I need an answer and it looks like you are swamped over there with GPL users' questions.
Andre is on our web team and I asked him to post this for us. He's taking a short break to get away from Rio and head for the country while Carnival madness rages on Brazil, so, I'm dropping in here hoping to inspire an answer.
As mentioned in the other post, we are working toward PCI compliance, and one last vulnerability appears to be cross-domain scripting attacks, which can only be cured with an upgrade to Apache 2.2.14 (the last Apache upgrade pushed via VirtualMin was 2.2.3).
Our server is with ServePath in San Francisco. We asked support at the data center if they would upgrade Apache on our box for us. They replied that they could, but since 2.2.14 does not appear in the available repos at VirtualMin, they speculated that, after upgrading Apache to 2.2.14, VirtualMin might no longer function properly, and that it would be wise for us to ask you first.
As Andre says: we don't want to lose our beloved control panel functionality!
Thanks Sivakatirswami
Comments
Submitted by andreychek on Sat, 02/13/2010 - 20:12 Comment #1
Howdy -- Virtualmin should work just fine with all versions of Apache 2.2.x.
In your case -- PCI is an interesting animal when combined with CentOS/RHEL.
Although the version of Apache provided by CentOS and RHEL appears to be older -- that's just an illusion for triggering red flags with PCI tests :-)
CentOS and RHEL backport all security fixes into the version of Apache that they ship.
So it appears older, but really it's fully up to date and secure.
PCI scanning companies know this though... for any test such as this that raises red flags, you should be able to tell them that it's a false positive.
My suggestion is to not change to a non-standard Apache version, either go with the one your distro or Apache provides -- and to explain to your PCI company that you're fully up to date, and that they're seeing a false positive.
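The practical way to back up the "false positive" argument above is to show the scanner the distro's package changelog rather than the version banner: on CentOS/RHEL, `rpm -q --changelog httpd` lists every backported fix by CVE ID, and that listing is the evidence a scanning vendor will accept. The script below is an added example, not code from this thread or from Virtualmin; it embeds a constructed changelog excerpt with placeholder CVE IDs (not real advisories) so it runs offline, and on a live host you would feed it the real `rpm -q --changelog httpd` output instead.

```shell
#!/bin/sh
# Added example: check whether a package changelog records fixes for given CVE IDs.
# On a CentOS/RHEL host the real input is:  rpm -q --changelog httpd
# The changelog below is constructed for this example and the CVE IDs are
# placeholders, not real advisories.
SAMPLE_CHANGELOG='* Tue Jan 05 2010 Packager <packager@example.com> - 2.2.3-31.el5_4.3
- add security fix for CVE-0000-0001 (placeholder ID)
* Mon Nov 02 2009 Packager <packager@example.com> - 2.2.3-31.el5_4.2
- backport fix for CVE-0000-0002 (placeholder ID)
'

# cve_covered CHANGELOG CVE-ID
# Returns 0 if the changelog text mentions the CVE ID as a fixed string, 1 otherwise.
cve_covered() {
    printf '%s\n' "$1" | grep -qF -- "$2"
}

# report_cves CHANGELOG CVE-ID...
# Prints one status line per CVE and returns 1 if any CVE is not accounted for,
# so the exit status can drive a go/no-go decision in a compliance checklist.
report_cves() {
    changelog="$1"
    shift
    missing=0
    for cve in "$@"; do
        if cve_covered "$changelog" "$cve"; then
            echo "$cve: fixed in installed package (backported, see changelog)"
        else
            echo "$cve: NOT found in changelog; investigate before calling it a false positive"
            missing=1
        fi
    done
    return $missing
}

# Demo run against the constructed changelog. On a live host replace
# "$SAMPLE_CHANGELOG" with "$(rpm -q --changelog httpd)" and pass the CVE IDs
# named in the scanner's finding.
report_cves "$SAMPLE_CHANGELOG" CVE-0000-0001 CVE-0000-0002 CVE-0000-0003 \
    || echo "at least one CVE is not covered by the installed package"
```

Only a CVE that actually appears in the changelog should be reported to the scanning vendor as a backported fix; a version-number match alone proves nothing either way, which is exactly why the scanner flags 2.2.3 in the first place.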
Submitted by katir on Sat, 02/13/2010 - 20:51 Pro Licensee Comment #2
answer for now and closed
Aloha, Eric:
OK, good, got it, I will see if we can get Security Metrics to fix the False Positive reports as a first step.
Cheers from Hawaii
Sivakatirswami