[quote]
broberts wrote:
Thanks Phil, what you say makes sense and it is going to cause ongoing pain.
The main point of my original post was to see if other CentOS 5 users had some thoughts on addressing the problems I see. It sounds like CentOS 6 may help a reasonable amount as baseline version of apache is substantially newer, but maybe I should be looking at a distro that does things differently.[/quote]
I do pass PCI with CentOS 5 - that's blind reading of the requirements. Reality is a bit different... but as already quoted you need to contact TUV if you encounter problems or get a consultant to do preliminary scan. CentOS team cannot help you.
CentOS 5.6 and PCI Compliance
Re: CentOS 5.6 and PCI Compliance
While Red Hat does say they don't consider this a vulnerability, they do supply a patch:
http://www.redhat.com/security/data/cve/CVE-2007-6203.html
"However, this has been fixed in Red Hat Enterprise Linux 5 via RHBA-2009:0185 as a bug fix."
I am having the same problem as the original poster - PCI scan does not care if the vendor doesn't view this as a vulnerability. So my question is - is there a reason that RHBA-2009:0185 can't be applied to a CentOS box? If it can't, where is the documentation that says it can't?
Re: CentOS 5.6 and PCI Compliance
The patch referenced in that bugzilla - httpd-2.0.52-escaperrs.patch - is included in the latest CentOS httpd source RPM so it appears that this was fixed a long time ago and there's no mention of it in the changelog.
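A way to confirm that point for yourself, as an added example that is not from this thread: a patch can be shipped in the SRPM (declared with PatchN:) yet never applied in %prep, so the check below looks for both before trusting the package, using a constructed spec fragment in place of the real httpd spec.

```shell
#!/bin/sh
# Added example (not from the CentOS thread): report whether a named patch in
# an RPM spec is declared (PatchN:) and actually applied (%patchN in %prep).
# A patch that is only declared gives no protection, and the changelog may
# not mention it at all, as noted above.

# Constructed spec fragment; the real one comes from the httpd source RPM.
cat > /tmp/httpd-sample.spec <<'EOF'
Name: httpd
Version: 2.2.3
Patch10: httpd-2.0.52-escaperrs.patch
Patch11: httpd-2.2.3-unapplied-example.patch

%prep
%setup -q
%patch10 -p1 -b .escaperrs
EOF

# patch_status SPEC PATCHNAME
# prints "applied", "declared-only" or "absent"; exit 0 only when applied.
patch_status() {
  spec="$1"; name="$2"
  # escape regex metacharacters in the patch name (dots, etc.)
  name_re=$(printf '%s\n' "$name" | sed 's/[][\.*^$]/\\&/g')
  num=$(sed -n "s/^Patch\([0-9]*\):[[:space:]]*${name_re}[[:space:]]*$/\1/p" "$spec" | head -n 1)
  if [ -z "$num" ]; then
    echo absent; return 2
  fi
  # accept %patchN, "%patch N" and "%patch -P N"
  if grep -Eq "^%patch([[:space:]]*|[[:space:]]+-P[[:space:]]*)${num}([^0-9]|$)" "$spec"; then
    echo applied; return 0
  fi
  echo declared-only; return 1
}

patch_status /tmp/httpd-sample.spec httpd-2.0.52-escaperrs.patch
```

To check the real package, extract its spec with `rpm2cpio httpd-*.src.rpm | cpio -i httpd.spec` and pass that file as the first argument.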