RHEL 6.3 Upgrade – Upgrading OpenSSH & Apache on RHEL 6.3

Tags: apache-2.2, linux, redhat, rhel6, yum

We just ran an external security scan from 403Labs against one of our servers (RHEL 6.3 x86_64) for PCI compliance and the results appeared to mainly dictate that we had a handful of applications that needed to be upgraded to pass the scan.

That having been said, the problem I am encountering is that the package manager (yum) and the use of the remi repo do not have the versions I need for Apache and OpenSSH. I have already performed the following:

yum update
yum --enablerepo=remi,remi-test install httpd mysql mysql-server php php-common

This resolved our critical and high risk results, but the medium level results are still stating that we need to further upgrade the following packages.

The upgrades we need are:

Package   Current   Required
Apache    2.2.15    >= 2.2.23
OpenSSH   5.3       >= 5.7

So, since the package manager is not capable of letting me upgrade to those versions, how must I go about doing this? I'm currently under the premise that I will need to install from source. If there's a better alternative, please indicate that.

Also, if I have no choice but to install from source, can someone please help me identify what the proper source packages would be so that I know I am installing the correct versions for my OS?

Thank you very much for any help.

Best Answer

Don't do that!

Before you step outside the OS vendor's support structure you should verify that this is the right thing to do.

Some PCI compliance tests will report that an application has vulnerabilities because its reported version number is too low. This does not take into account the backporting of security and bug fixes that many vendors employ.

For example (from an old Nessus scan), it declares that the Apache supplied by CentOS is vulnerable if the version is < 2.2.14. If you dig into the detail about what the vulnerabilities are, you discover CVE-2009-3095, CVE-2009-3094, etc.

Looking them up, you discover that they have been fixed in current versions of Apache supplied by RH and thus CentOS.
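As an added illustration of the answer's point (not part of the original post), the following shell snippet checks whether the CVE ids a scanner cites are recorded as fixed in an RPM's changelog, which is where Red Hat documents backported fixes. The changelog text embedded below is constructed for offline use, and `missing_cves_installed` is a hypothetical helper that runs the same check against a live RPM-based host.

```shell
#!/bin/sh
# Added example, not code from the original answer. Compares scanner-cited CVE
# ids against an RPM changelog instead of trusting the package version number.

# Constructed sample in the style of `rpm -q --changelog httpd` output; the
# maintainer, dates and release tag are placeholders, the CVE ids come from
# the answer above.
SAMPLE_CHANGELOG='* Mon Jan 01 2010 Packager <packager@example.com> - 2.2.15-1.constructed
- add security fix for CVE-2009-3095
- add security fix for CVE-2009-3094
* Mon Jan 01 2009 Packager <packager@example.com> - 2.2.15-0.constructed
- initial constructed entry'

# Print, one per line, the CVE ids in $2 (space separated) that do NOT appear
# in the changelog text $1. Empty output means every listed CVE is covered,
# even if the package version is below the scanner's threshold.
missing_cves() {
    changelog=$1
    for cve in $2; do
        printf '%s\n' "$changelog" | grep -qF -- "$cve" || printf '%s\n' "$cve"
    done
}

# Hypothetical helper: same check against the installed package named in $1.
# Only meaningful on an RPM-based host; returns 2 when rpm is not available.
missing_cves_installed() {
    command -v rpm >/dev/null 2>&1 || return 2
    missing_cves "$(rpm -q --changelog "$1")" "$2"
}

# Demonstration on the constructed changelog: both page CVEs are backported,
# CVE-0000-0000 (an obvious placeholder id) is reported as missing.
missing_cves "$SAMPLE_CHANGELOG" "CVE-2009-3095 CVE-2009-3094 CVE-0000-0000"
```

On a real RHEL 6 host, `missing_cves_installed httpd "CVE-2009-3095 CVE-2009-3094"` performs the same comparison against the installed httpd package's changelog.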