PCI Compliance and PHP 5.x

slawdaddy
Posts: 2
Joined: 2009/02/05 21:49:16

PCI Compliance and PHP 5.x

Post by slawdaddy » 2009/02/05 22:06:22

I am currently running two CentOS 4.7 servers that need to be PCI (payment card industry) compliant. A vulnerability assessment was recently provided to me stating the version of PHP that needs to be running in order to be compliant was PHP 5.2.6 or newer and I am currently running 5.1.6. My questions are:

Has anyone else run into this issue and if so, how did you update, by installing from source or did you appeal to the security company?

I tried to install 5.2.6 from some 3rd party repo today but in the process of doing so it updated my version of apache and broke some module dependencies and also broke apache shortly afterwards. Any and all help is much appreciated!

Cheers,
Dave

NedSlider
Forum Moderator
Posts: 2887
Joined: 2005/10/28 13:11:50
Location: UK

PCI Compliance and PHP 5.x

Post by NedSlider » 2009/02/05 22:36:42

The version of PHP in CentOS will always remain the same (a fundamental part of an Enterprise-class OS) - security fixes are backported to that version. See here for information on backporting:

http://www.redhat.com/advice/speaks_backport.html

You need to get the security auditing people to understand backporting of security fixes. They cannot simply judge the security status of packages in RHEL/CentOS by version number alone. Ask them to audit your system for the specific vulnerabilities known to exist between 5.1.6 and 5.2.6 to determine if they are actually able to successfully exploit any of them - then, and only then, can they declare that you are vulnerable. Any vulnerabilities known to affect the shipped product will have been backported. Note that not all fixes post 5.1.6 will necessarily have been backported, as some may not affect the shipped version, only subsequent versions.
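NedSlider's point is that on RHEL/CentOS the fix for a vulnerability lands in the package changelog while the version string stays put, so the evidence an auditor needs is the changelog, not the version. The script below is an added example, not code from the thread or from CentOS: it parses a constructed `rpm -q --changelog php` excerpt (the maintainer name and the CVE ids of the form CVE-0000-NNNN are placeholders, not real advisories) and reports, for each CVE on an audit list, whether the installed build references it. The `--live` branch runs the real `rpm -q` and `rpm -q --changelog` commands against the host instead of the sample.

```shell
#!/bin/sh
# Constructed sample of `rpm -q --changelog php` output on an Enterprise Linux host.
# Note the version stays 5.1.6 across both builds; only the release number moves.
# Maintainer and CVE ids are placeholders, not real people or advisories.
SAMPLE_CHANGELOG='* Thu Jan 01 2009 Example Maintainer <maintainer@example.invalid> - 5.1.6-23
- fix for CVE-0000-0001 (placeholder id, backported from a newer upstream release)
* Mon Dec 01 2008 Example Maintainer <maintainer@example.invalid> - 5.1.6-22
- fix for CVE-0000-0002 (placeholder id)
- fix for CVE-0000-0003 (placeholder id)
'

# Print every CVE id mentioned in the changelog read on stdin, one per line, de-duplicated.
cves_in_changelog() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 when the fixed string $1 occurs in the changelog read on stdin.
changelog_mentions() {
    grep -qF -- "$1"
}

# Report each audit-list CVE as "fixed" (referenced in the changelog) or "UNRESOLVED".
# Args: changelog text, then one or more CVE ids.
audit_cves() {
    changelog=$1; shift
    for id in "$@"; do
        if printf '%s' "$changelog" | changelog_mentions "$id"; then
            printf '%s fixed\n' "$id"
        else
            printf '%s UNRESOLVED\n' "$id"
        fi
    done
}

# Number of audit-list CVEs the changelog does not reference (the items still to chase).
# Same args as audit_cves.
unresolved_count() {
    audit_cves "$@" | grep -c UNRESOLVED || true
}

# Usage: sh script.sh [--live] CVE-ID [CVE-ID ...]
# Without --live the constructed sample is audited; with --live the host's php package is.
if [ "${1:-}" = "--live" ]; then
    shift
    echo "installed: $(rpm -q php)"
    live_changelog=$(rpm -q --changelog php)
    audit_cves "$live_changelog" "$@"
elif [ $# -gt 0 ]; then
    audit_cves "$SAMPLE_CHANGELOG" "$@"
fi
```

A CVE that comes back UNRESOLVED is not automatically a finding: as the post above notes, it may simply not affect the shipped version, which is the second question to put to the vendor's advisory for that id.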

slawdaddy
Posts: 2
Joined: 2009/02/05 21:49:16

Re: PCI Compliance and PHP 5.x

Post by slawdaddy » 2009/02/06 00:05:19

Thanks a ton NedSlider. I appreciate the information you've provided me with. I will move forward with your suggestion and report back if necessary. Enjoy!

NedSlider
Forum Moderator
Posts: 2887
Joined: 2005/10/28 13:11:50
Location: UK

Re: PCI Compliance and PHP 5.x

Post by NedSlider » 2009/02/06 01:58:29

No problem, and good luck. For some reason getting folks to understand the concept of backporting security fixes is incredibly difficult, and even more so in the case of auditors who aren't familiar with the concept or the product that they are auditing, but just want to tick a bunch of boxes and be done with it. I would refer them to the upstream documentation on the matter together with the relevant CVE and OVAL references pertaining to the alleged vulnerabilities.
