From owner-freebsd-security@FreeBSD.ORG Mon Apr 26 11:18:52 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B8CA21065676 for ; Mon, 26 Apr 2010 11:18:52 +0000 (UTC) (envelope-from ltning@anduin.net) Received: from mail.anduin.net (mail.anduin.net [213.225.74.249]) by mx1.freebsd.org (Postfix) with ESMTP id 73A3B8FC15 for ; Mon, 26 Apr 2010 11:18:52 +0000 (UTC) Received: from 45.86.213.193.static.cust.telenor.com ([193.213.86.45] helo=[192.168.3.109]) by mail.anduin.net with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1O6MKr-000Gnb-Mh; Mon, 26 Apr 2010 13:18:45 +0200 Mime-Version: 1.0 (Apple Message framework v1078) Content-Type: text/plain; charset=iso-8859-1 From: =?iso-8859-1?Q?Eirik_=D8verby?= In-Reply-To: <4BD10D03.7010201@p6m7g8.com> Date: Mon, 26 Apr 2010 13:18:45 +0200 Content-Transfer-Encoding: quoted-printable Message-Id: <6079C36A-480B-42E6-8717-E9436EFC1130@anduin.net> References: <258059512.789871271827382221.JavaMail.root@mail-01.cse.ucsc.edu> <4BD10D03.7010201@p6m7g8.com> To: Philip M. Gollucci X-Mailer: Apple Mail (2.1078) Cc: Tim Gustafson , freebsd-security@freebsd.org Subject: Re: OpenSSL 0.9.8k -> 0.9.8l X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Apr 2010 11:18:52 -0000 On Apr 23, 2010, at 4:59 AM, Philip M. Gollucci wrote: > On 4/21/2010 1:55 AM, Eirik =D8verby wrote: >> It is a misconseption to think that one _has to_ run the latest = version (as suggested by dumb network scans) in order to remain = compliant (PCI DSS or otherwise). What is needed is that the issues = found are either patched or documented to be not applicable. > I completely agree; however, having just achieved PCI certification = for > $work in *this* month -- 2 different (unamed pci auditing firms) = refused > to accept openssl had been patched without version number changes. Then you should report this to the PCI council. Besides, a common problem with PCI DSS auditors is that they seem to = think that the PCI council are their clients, not you, and subsequently = treat you like trash. Fact is YOU are the client, you are paying for = their service, and you should be paying for their expertise - which is = often sorely lacking. After asking for a Unix-knowledgeable auditor, we got a guy who had to = ask - and required proof - that grep supported regular expressions.=20 > Kind of odd considering they said my httpd 2.2.14 was vunlerable to = the > windows mod_issapi cve on fbsd but accepted on face value that we = can't > possibly be since its not windows and not loaded. Yet the version # > didn't change here. >=20 > Additionally odd, they did accept that 2.2.14 disabled ssl = functionality > to prevent the issue though not fix it. Yet again the version # = didn't > change. This is as it should be. Though they seem to have arrived at this = conclusion through incompetency rather than through a pragmatic = approach. > Interestingly we have some other equipment that requires the client > renegotiation but b/c we are leasing it rather then own it, its out of > scope. At this point they are wrong as well. Our VLAN switches were within = scope (as they should be) even though they are simply a part of the ISP = service. We even had to cut off remote management for the switches in = order to ensure that the ISP could only manage them on-site and with our = approval and presence. > IMHO, its simply easier to always mod the version string in some way > rather then trying to argue with them. Wish I had thought about that one before ;) /Eirik=