Greetings everyone! Does anyone here have PCI audits being done on their Debian boxes? The company I work for uses TrustKeeper, and the one Debian box I've managed to get my boss to allow keeps failing unjustly. Usually they fail us due to version strings only (saying anything less than the latest version is insecure [hah!]), and when I appeal that, they fail us for reasons that don't even affect us. In the latest test, they failed our Debian server citing:
http://security-tracker.debian.org/tracker/CVE-2009-2699
http://security-tracker.debian.org/tracker/CVE-2009-3095
http://security-tracker.debian.org/tracker/CVE-2009-3094

The first is self-explanatory, and as for mod_proxy_ftp, I don't even have that loaded. My boss doesn't trust anything besides RedHat, and this is not helping at all. I'm going to be calling TrustKeeper today and see if I can talk to anyone about this. Also, I know I'm not alone in the world in thinking that backporting security fixes is much more secure than installing the latest versions. Right?

Thanks for your time,
Matt
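The scanner in the post judges by version string, while Debian's stable security updates backport the fix and keep the upstream version number. The evidence that settles such a finding is the package's own Debian changelog, which names the CVE in the entry that shipped the backport, plus the installed version from dpkg. The script below is an added example, not code from the original post or from Debian: it implements dpkg's version comparison and reads a changelog to report, per CVE, whether the installed version is at or above the entry naming it. The package name "examplehttpd", its versions and the changelog text are constructed for illustration (the CVE ids are the three the scanner cited); the paths and dpkg commands mentioned in the docstring are real, but the changelog contents are not Debian's.

```python
"""Added example (not from the original post): does an installed Debian package
version already carry backported CVE fixes? Reads the Debian changelog. Names and
versions here are constructed; on a real host use /usr/share/doc/<pkg>/changelog.Debian.gz
and `dpkg-query -W -f='${Version}' <pkg>`. Mirrors dpkg's version algorithm."""
import re

def _order(c):
    # dpkg weight: '~' < end-of-string/digits (0) < letters < other punctuation
    if not c or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    # Port of dpkg verrevcmp(): alternate non-digit runs and numeric digit runs.
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # leading zeros are insignificant
        while a and b and a[0].isdigit() and b[0].isdigit():
            if first_diff == 0:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1  # the longer digit run is the larger number
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def deb_version_cmp(a, b):
    """<0, 0 or >0 like `dpkg --compare-versions a lt|eq|gt b`."""
    def split(v):  # [epoch:]upstream[-revision]; defaults: epoch 0, revision ""
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

_HEADER = re.compile(r"^(\S+) \(([^)]+)\) [^;]+;")  # "pkg (version) dist; ..."
_CVE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_changelog(text):
    """Return [(version, body)] per changelog entry, newest first."""
    entries, version, body = [], None, []
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            if version is not None:
                entries.append((version, "\n".join(body)))
            version, body = m.group(2), []
        elif version is not None:
            body.append(line)
    if version is not None:
        entries.append((version, "\n".join(body)))
    return entries

def check_cves(installed, cves, changelog):
    """Per CVE: ('fixed', v) if installed >= the oldest entry naming it,
    ('not-fixed', v) if that entry is newer, ('unknown', None) if never named."""
    fixed = {}
    for version, body in parse_changelog(changelog):
        for cve in set(_CVE.findall(body)):
            if cve not in fixed or deb_version_cmp(version, fixed[cve]) < 0:
                fixed[cve] = version
    report = {}
    for cve in cves:
        v = fixed.get(cve)
        if v is None:
            report[cve] = ("unknown", None)
        else:
            report[cve] = ("fixed" if deb_version_cmp(installed, v) >= 0 else "not-fixed", v)
    return report

# Constructed changelog for a hypothetical package; not a real Debian package.
SAMPLE_CHANGELOG = """\
examplehttpd (1.4.2-3+stable2) stable-security; urgency=high

  * Backport upstream fix for CVE-2009-3095 in mod_proxy_ftp.

 -- Security Team <team@example.org>  Mon, 12 Oct 2009 10:00:00 +0000

examplehttpd (1.4.2-3+stable1) stable-security; urgency=high

  * Backport upstream fix for CVE-2009-3094 in mod_proxy_ftp.

 -- Security Team <team@example.org>  Mon, 07 Sep 2009 10:00:00 +0000
"""
SCANNER_CVES = ["CVE-2009-2699", "CVE-2009-3095", "CVE-2009-3094"]

if __name__ == "__main__":
    print(check_cves("1.4.2-3+stable1", SCANNER_CVES, SAMPLE_CHANGELOG))
```

With the constructed installed version 1.4.2-3+stable1 the report says CVE-2009-3094 is fixed, CVE-2009-3095 needs the next update, and CVE-2009-2699 is not named in the changelog at all, which is exactly the distinction a version-string scan cannot make. When appealing a finding, the changelog line naming the CVE together with the dpkg version output is the artefact to send; the Debian security tracker page the scanner cited lists the version that carries the fix and is the reference to compare against. A CVE absent from the changelog means only that this package's maintainers did not name it; it may be unfixed, fixed in another package, or simply not applicable, so that case still needs a manual look.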