
Debian PCI Question



Greetings everyone!

Does anyone here have PCI audits being done on their Debian boxes? The
company I work for uses TrustKeeper and the one Debian box I've managed
to get my boss to allow keeps failing unjustly. Usually they fail us due
to version strings only (saying anything less than the latest version is
insecure [hah!]), and when I appeal that, they fail us for reasons that
don't even affect us. In the latest test, they failed our Debian server
citing:

http://security-tracker.debian.org/tracker/CVE-2009-2699
http://security-tracker.debian.org/tracker/CVE-2009-3095
http://security-tracker.debian.org/tracker/CVE-2009-3094

The first is self-explanatory, and as for mod_proxy_ftp, I don't even
have that loaded. My boss doesn't trust anything besides RedHat, and
this is not helping at all. I'm going to be calling TrustKeeper today
and see if I can talk to anyone about this.

Also I know I'm not alone in the world thinking that backporting
security fixes is much more secure than installing the latest versions.
Right?

Thanks for your time,
Matt

