Apache 2.2.16
Posted: Mon Aug 30, 2010 3:29 pm
by daffoml
I need to pass a PCI audit, and it is failing on my Apache version; I have 2.2.3-43.el5.centos.
Is there an atomic version of the latest, or is that not in the atomic repo?
This is a Cent 5.5 / Plesk 9.52 system, by the way.
The PCI audit wants to see 2.2.15
Thanks
Re: Apache 2.2.16
Posted: Mon Aug 30, 2010 5:38 pm
by scott
That is a false positive; you can refer them to this:
http://www.redhat.com/security/updates/ ... c_cid=3093
That being said, we're considering adding httpd to the repo.
Re: Apache 2.2.16
Posted: Mon Aug 30, 2010 5:51 pm
by mikeshinn
Also, if you are running ASL, it will not report the Apache version to the scanner, so you won't run into this problem with PCI-DSS scanners and will pass.
Re: Apache 2.2.16
Posted: Mon Aug 30, 2010 9:28 pm
by daffoml
mikeshinn wrote: Also, if you are running ASL, it will not report the Apache version to the scanner, so you won't run into this problem with PCI-DSS scanners and will pass.
I thought I had that set in the httpd.conf by using the ServerSignature Off.
Re: Apache 2.2.16
Posted: Mon Aug 30, 2010 9:59 pm
by daffoml
Thank you, I will try that route.
Re: Apache 2.2.16
Posted: Tue Aug 31, 2010 3:56 pm
by mikeshinn
I believe ServerSignature Off doesn't actually hide the version, or if it does, it doesn't do it very well.
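An added example, not part of any post in this thread: a small Python audit of httpd.conf text showing which banner the two relevant directives leave exposed. In Apache httpd, `ServerSignature` only controls the footer on server-generated pages, while `ServerTokens` sets the `Server` response header. Assumptions: the sample configs are constructed, the last occurrence of a directive wins, and per-VirtualHost scoping is ignored.

```python
import re

# Version from the first post; the "(CentOS)" OS token is an assumption.
VERSION, OS_NAME = "2.2.3", "CentOS"

def server_header(tokens):
    """Server response header httpd emits for a given ServerTokens level."""
    major, minor, _ = VERSION.split(".")
    levels = {
        "prod": "Apache", "productonly": "Apache",
        "major": f"Apache/{major}",
        "minor": f"Apache/{major}.{minor}",
        "min": f"Apache/{VERSION}", "minimal": f"Apache/{VERSION}",
        "os": f"Apache/{VERSION} ({OS_NAME})",
        "full": f"Apache/{VERSION} ({OS_NAME}) <module tokens>",
    }
    # Values not listed above are treated as Full in this sketch (assumption).
    return levels.get(tokens.lower(), levels["full"])

def effective_directives(conf_text):
    """Last ServerTokens / ServerSignature values found in the config text."""
    # Upstream httpd defaults when a directive is absent.
    settings = {"servertokens": "Full", "serversignature": "Off"}
    for line in conf_text.splitlines():
        # Directive names are case-insensitive; '#' lines never match.
        m = re.match(r"(ServerTokens|ServerSignature)\s+(\S+)", line.strip(), re.I)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def audit(conf_text):
    s = effective_directives(conf_text)
    header = server_header(s["servertokens"])
    return {
        "server_header": header,
        "header_leaks_version": bool(re.search(r"\d", header)),
        "error_page_footer": s["serversignature"].lower() != "off",
    }

# Constructed sample configs: signature-only versus both directives set.
SIGNATURE_ONLY = "ServerSignature Off\n"
BOTH_SET = "ServerTokens Prod\nServerSignature Off\n"

if __name__ == "__main__":
    for name, conf in (("signature only", SIGNATURE_ONLY), ("both set", BOTH_SET)):
        print(name, audit(conf))
```

Reducing the banner changes what a scanner reads; it does not change which fixes the installed package contains.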