So the same goes with openssh-server?

Having trouble finding the same page for it.

Best Regards,

John Gates, CISSP

*Let’s Connect!*

<https://twitter.com/johngatesIII>   <http://www.linkedin.com/in/JohnGates>

*This email may contain information that is confidential or attorney-client
privileged and may constitute inside information. The contents of this
email are intended only for the recipient(s) listed above. If you are not
the intended recipient, you are directed not to read, disclose, distribute
or otherwise use this transmission. If you have received this email in
error, please notify the sender immediately and delete the transmission.
Delivery of this message is not intended to waive any applicable
privileges.*

On Sun, Nov 6, 2016 at 6:42 PM, John Gates <dima...@dimante.net> wrote:

> Thanks.  This is helpful. Sadly though PCI-DSS compliance scanners look
> for the daemon version and when they see the vulnerable version it flags it
> without further checks.  It looks like there are many CVEs that have not
> been corrected...  There are no change dates on anything listed either
> which also causes confusion.
>
> On Sun, Nov 6, 2016 at 3:36 PM, Stefan Fritsch <s...@sfritsch.de> wrote:
>
>> On Sunday, 6 November 2016 09:27:18 CET John Gates wrote:
>> > I have a server that needs to stay PCIDSS compliant and it is complaining
>> > that apache 2.4.10 is running...  When is an update going to be
>> > available...  Do I have to compile my own Apache version?  Seems odd that
>> > stability is favored over security...  Please advise.
>>
>> Debian back-ports individual security fixes, not complete new upstream
>> versions. See https://www.debian.org/security/faq#oldversion
>>
>> An overview of the security issues that have been fixed in apache2 is
>> available via
>>
>> https://security-tracker.debian.org/tracker/source-package/apache2
>>
>>
>
