OpenSSL 0.9.8k -> 0.9.8l

Eirik Øverby ltning at anduin.net
Mon Apr 26 11:18:52 UTC 2010


On Apr 23, 2010, at 4:59 AM, Philip M. Gollucci wrote:

> On 4/21/2010 1:55 AM, Eirik Øverby wrote:
>> It is a misconseption to think that one _has to_ run the latest version (as suggested by dumb network scans) in order to remain compliant (PCI DSS or otherwise). What is needed is that the issues found are either patched or documented to be not applicable.
> I completely agree; however, having just achieved PCI certification for
> $work in *this* month -- 2 different (unamed pci auditing firms) refused
> to accept openssl had been patched without version number changes.

Then you should report this to the PCI council.
Besides, a common problem with PCI DSS auditors is that they seem to think that the PCI council are their clients, not you, and subsequently treat you like trash. Fact is YOU are the client, you are paying for their service, and you should be paying for their expertise - which is often sorely lacking.

After asking for a Unix-knowledgeable auditor, we got a guy who had to ask - and required proof - that grep supported regular expressions. 


> Kind of odd considering they said my httpd 2.2.14 was vunlerable to the
> windows mod_issapi cve on fbsd but accepted on face value that we can't
> possibly be since its not windows and not loaded.  Yet the version #
> didn't change here.
> 
> Additionally odd, they did accept that 2.2.14 disabled ssl functionality
> to prevent the issue though not fix it.  Yet again the version # didn't
> change.

This is as it should be. Though they seem to have arrived at this conclusion through incompetency rather than through a pragmatic approach.


> Interestingly we have some other equipment that requires the client
> renegotiation but b/c we are leasing it rather then own it, its out of
> scope.

At this point they are wrong as well. Our VLAN switches were within scope (as they should be) even though they are simply a part of the ISP service. We even had to cut off remote management for the switches in order to ensure that the ISP could only manage them on-site and with our approval and presence.


> IMHO, its simply easier to always mod the version string in some way
> rather then trying to argue with them.

Wish I had thought about that one before ;)

/Eirik


More information about the freebsd-security mailing list