PCI 2.2.3-53.el5.centos.3

broberts
Posts: 7
Joined: 2009/10/05 22:29:14

PCI 2.2.3-53.el5.centos.3

Post by broberts » 2012/03/02 19:51:45

Running CentOS release 5.7 (Final) and getting a fail for PCI due to CVE-2012-0053 (RHSA-2012:0128). I see this is patched into CentOS6. Any ideas about CentOS 5?

Thanks in advance!

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: PCI 2.2.3-53.el5.centos.3

Post by TrevorH » 2012/03/03 01:42:29

There's a newer version of httpd included in CentOS 5.8 which should be here RSN, perhaps even as soon as early next week.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

PCI 2.2.3-53.el5.centos.3

Post by pschaff » 2012/03/04 03:48:06

Being a QA tester...
[code]# cat /etc/redhat-release
CentOS release 5.8 (Final)
# rpm -q httpd
httpd-2.2.3-63.el5.centos.1.x86_64
# rpm -ql --changelog httpd | grep -C 5 CVE-2012-0053
* Thu Feb 23 2012 Johnny Hughes <johnny@centos.org> - 2.2.3-63.1.el5.centos
- Roll in CentOS Branding

* Wed Feb 08 2012 Joe Orton <jorton@redhat.com> - 2.2.3-63.1
- add security fixes for CVE-2012-0053, CVE-2012-0031, CVE-2011-3607 (#787596)
- remove patch for CVE-2011-3638, obviated by fix for CVE-2011-3639

* Wed Jan 04 2012 Joe Orton <jorton@redhat.com> - 2.2.3-63
- revert addition of LDAP nested group support (#546443)
[/code]

If you can't wait, grab [url=http://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/httpd-2.2.3-63.el5_8.1.src.rpm]httpd-2.2.3-63.el5_8.1.src.rpm[/url] (must be an update - later than the 5.8 version - also there) and [url=http://wiki.centos.org/HowTos/RebuildSRPM]build your own[/url].

bill56
Posts: 1
Joined: 2012/03/14 14:19:22

Re: PCI 2.2.3-53.el5.centos.3

Post by bill56 » 2012/03/14 15:05:38

Hello:

I still do not see httpd-2.2.3-63.el5.centos.1.x86_64 available. I am having the same issue with PCI compliance - they say I need the 63 version installed. I would rather not build my own http. Any idea of when this will be released?

Thanks, Bill

Re: PCI 2.2.3-53.el5.centos.3

Post by pschaff » 2012/03/14 15:46:00

See http://bugs.centos.org/view.php?id=5596

Re: PCI 2.2.3-53.el5.centos.3

Post by TrevorH » 2012/03/14 16:31:46

I'm not sure I understand...

[code]
# rpm -q httpd
httpd-2.2.3-63.el5.centos.1.x86_64
[/code]

Just yum updated to that now.

Re: PCI 2.2.3-53.el5.centos.3

Post by pschaff » 2012/03/14 17:18:56

[url=http://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/httpd-2.2.3-63.el5_8.1.src.rpm]httpd-2.2.3-63.el5_8.1[/url] is out there.

Re: PCI 2.2.3-53.el5.centos.3

Post by TrevorH » 2012/03/14 21:48:59

Right, I missed the 8.1 on the end. You seem to have a reply on that bugzilla saying that .centos packages don't have the _x.1 suffix and checking the changelog for the current .centos package does list all the CVEs in your RHSA link.

Re: PCI 2.2.3-53.el5.centos.3

Post by pschaff » 2012/03/14 21:58:48

I was confused by the different version number, but the CentOS httpd-2.2.3-63.el5.centos.1 changelog does indeed match httpd-2.2.3-63.el5_8.1.
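
The changelog check used in this thread, written out as an added example (not posted by any participant): it reads an RPM changelog and reports which package release first mentions each CVE, which is the evidence a version-matching PCI scanner misses for backported fixes. The function names `sample_changelog`, `cve_fix_release` and `report` are assumptions, and the sample input is constructed from the `rpm` output quoted above.

```shell
#!/bin/sh
# Constructed sample: changelog entries copied from the rpm output quoted in the thread.
sample_changelog() {
cat <<'EOF'
* Thu Feb 23 2012 Johnny Hughes <johnny@centos.org> - 2.2.3-63.1.el5.centos
- Roll in CentOS Branding

* Wed Feb 08 2012 Joe Orton <jorton@redhat.com> - 2.2.3-63.1
- add security fixes for CVE-2012-0053, CVE-2012-0031, CVE-2011-3607 (#787596)
- remove patch for CVE-2011-3638, obviated by fix for CVE-2011-3639

* Wed Jan 04 2012 Joe Orton <jorton@redhat.com> - 2.2.3-63
- revert addition of LDAP nested group support (#546443)
EOF
}

# cve_fix_release CVE-ID: read a changelog (newest entry first) on stdin and print
# the version-release of the newest entry mentioning the CVE; exit 1 if none does.
# A mention is evidence to read, not proof: see the "remove patch" line above.
cve_fix_release() {
    awk -v cve="$1" '
        /^\* / { rel = $NF; next }   # entry header: last field is version-release
        {
            line = $0
            # Accept the ID only when no digit follows, so CVE-2012-005
            # does not match inside CVE-2012-0053.
            while ((i = index(line, cve)) > 0) {
                nxt = substr(line, i + length(cve), 1)
                if (nxt !~ /[0-9]/) { print rel; found = 1; exit }
                line = substr(line, i + length(cve))
            }
        }
        END { exit (found ? 0 : 1) }'
}

# report CVE-ID...: one status line per CVE; returns 1 if any CVE is not mentioned.
report() {
    log=$(cat); rc=0
    for cve in "$@"; do
        if rel=$(printf '%s\n' "$log" | cve_fix_release "$cve"); then
            echo "$cve mentioned in $rel"
        else
            echo "$cve NOT in changelog"; rc=1
        fi
    done
    return $rc
}

# Demo on the sample; on a real host: rpm -q --changelog httpd | report CVE-...
sample_changelog | report CVE-2012-0053 CVE-2012-0031 CVE-2011-3607
```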
