Date: Mon, 26 Apr 2010 13:18:45 +0200 From: =?iso-8859-1?Q?Eirik_=D8verby?= <ltning@anduin.net> To: Philip M. Gollucci <pgollucci@p6m7g8.com> Cc: Tim Gustafson <tjg@soe.ucsc.edu>, freebsd-security@freebsd.org Subject: Re: OpenSSL 0.9.8k -> 0.9.8l Message-ID: <6079C36A-480B-42E6-8717-E9436EFC1130@anduin.net> In-Reply-To: <4BD10D03.7010201@p6m7g8.com> References: <258059512.789871271827382221.JavaMail.root@mail-01.cse.ucsc.edu> <D86F370E-98A5-41B1-97D5-F2CD98CE1716@anduin.net> <4BD10D03.7010201@p6m7g8.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Apr 23, 2010, at 4:59 AM, Philip M. Gollucci wrote: > On 4/21/2010 1:55 AM, Eirik =D8verby wrote: >> It is a misconseption to think that one _has to_ run the latest = version (as suggested by dumb network scans) in order to remain = compliant (PCI DSS or otherwise). What is needed is that the issues = found are either patched or documented to be not applicable. > I completely agree; however, having just achieved PCI certification = for > $work in *this* month -- 2 different (unamed pci auditing firms) = refused > to accept openssl had been patched without version number changes. Then you should report this to the PCI council. Besides, a common problem with PCI DSS auditors is that they seem to = think that the PCI council are their clients, not you, and subsequently = treat you like trash. Fact is YOU are the client, you are paying for = their service, and you should be paying for their expertise - which is = often sorely lacking. After asking for a Unix-knowledgeable auditor, we got a guy who had to = ask - and required proof - that grep supported regular expressions.=20 > Kind of odd considering they said my httpd 2.2.14 was vunlerable to = the > windows mod_issapi cve on fbsd but accepted on face value that we = can't > possibly be since its not windows and not loaded. Yet the version # > didn't change here. >=20 > Additionally odd, they did accept that 2.2.14 disabled ssl = functionality > to prevent the issue though not fix it. Yet again the version # = didn't > change. This is as it should be. Though they seem to have arrived at this = conclusion through incompetency rather than through a pragmatic = approach. > Interestingly we have some other equipment that requires the client > renegotiation but b/c we are leasing it rather then own it, its out of > scope. At this point they are wrong as well. Our VLAN switches were within = scope (as they should be) even though they are simply a part of the ISP = service. We even had to cut off remote management for the switches in = order to ensure that the ISP could only manage them on-site and with our = approval and presence. > IMHO, its simply easier to always mod the version string in some way > rather then trying to argue with them. Wish I had thought about that one before ;) /Eirik=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6079C36A-480B-42E6-8717-E9436EFC1130>