Centos – Trustwave PCI Compliance scan fails for fully patched CentOS 5.5

centos, openssl, pci-dss, ssh

I have a fully patched CentOS 5.5 server that is failing the Trustwave PCI compliance scan. The item it is complaining about is openssl < 0.9.8.o.
rpm -q openssl shows:
openssl-0.9.8e-12.el5_5.7

The apache header banner shows:
Server: Apache/1.3.41 (Unix) PHP/5.2.14 mod_psoft_traffic/0.2 mod_ssl/2.8.31 OpenSSL/0.9.8b mod_macro/1.1.2

(note: that apache banner is not even showing the installed version)

openssh and php have a similar situation (reported version is less than the minimum for PCI compliance).

Do I need to build all these libraries from source to get them on the latest version? Or is there a way to tell CentOS yum to install the new version instead of their back-ported patched version? I'd rather not go outside yum if possible so future maintenance will be simplified.

Best Answer

All PCI scans do a version check based on headers and then they complain about the thirty or so problems you've got. What they don't take into account is that security fixes are backported to RHEL packages. As long as you're running the latest packages you should be fine. What you have to do after a failed scan is open a ticket to contest the results. Then you have to show what version is really installed:

rpm -q httpd

Then you have to dig through the rpm changelog to find each CVE instance they mentioned:

rpm -q --changelog httpd

where you'll find things like this:

 * Thu Dec 03 2009 Joe Orton <jorton@redhat.com> - 2.2.14-1
 - add partial security fix for CVE-2009-3555 (#533125)

Finally you should link to the relevant page on Red Hat's site to show it's been addressed, since no one on the PCI scan side is actually going to look at an RPM:

https://www.redhat.com/security/data/cve/CVE-2009-3555.html

You'll probably go back and forth a few times and then finally you'll get a clean bill of health if you are actually updated. Once you've finished, make sure to put all the support docs on your wiki, since the PCI scan will reset every quarter or so and remove any mention of the information you provided and you'll need to do this again.
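As an added example (not part of the answer above), a small POSIX shell helper for the changelog step of this procedure: given `rpm -q --changelog` output and the CVE ids a scanner flagged, it prints, for each id, the changelog entry that mentions it together with the Red Hat CVE page link in the format quoted above, so the lines can go straight into the dispute ticket. The changelog text embedded below is constructed, modelled on the entry quoted in the answer; on a real box you would feed it the live `rpm -q --changelog <package>` output instead.

```shell
#!/bin/sh
# Added example, not from the original answer.
# cve_in_changelog CHANGELOG_TEXT CVE...
#   Prints one line per CVE: "CVE-...: fixed in <changelog header> (<Red Hat CVE URL>)"
#   or "CVE-...: not found". Returns 1 if any CVE is missing, 0 otherwise.
cve_in_changelog() {
    log=$1; shift
    rc=0
    for cve in "$@"; do
        # awk remembers the most recent "* <date> <packager> - <version>" header
        # and reports it the first time a body line mentions the CVE id.
        line=$(printf '%s\n' "$log" | awk -v cve="$cve" '
            /^ *\* / { hdr = $0; sub(/^ *\* /, "", hdr) }
            index($0, cve) > 0 && !found {
                print cve ": fixed in " hdr \
                      " (https://www.redhat.com/security/data/cve/" cve ".html)"
                found = 1
            }
            END { if (!found) print cve ": not found" }')
        printf '%s\n' "$line"
        case $line in *": not found") rc=1 ;; esac
    done
    return $rc
}

# Constructed sample changelog (first entry copied from the answer, second entry made up).
SAMPLE_CHANGELOG='* Thu Dec 03 2009 Joe Orton <jorton@redhat.com> - 2.2.14-1
- add partial security fix for CVE-2009-3555 (#533125)
* Mon Nov 02 2009 Example Packager <packager@example.com> - 2.2.13-2
- constructed entry with no security content'

# Live use on a CentOS/RHEL host would be:
#   cve_in_changelog "$(rpm -q --changelog httpd)" CVE-2009-3555
cve_in_changelog "$SAMPLE_CHANGELOG" CVE-2009-3555 || printf 'some CVEs are not covered\n'
```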