Debian Jessie, Apache2 and PCI Compliance

Discussion in 'Installation/Configuration' started by minimaLMind, Aug 2, 2016.

  1. minimaLMind

    minimaLMind New Member

    In order to pass Trustwave PCI Compliance, I need to upgrade Apache to at least 2.4.14. Is there an `IspConfig3` way of doing it? Or should I just compile it from source? Is it recommended to uninstall Apache2 using apt before compiling from source if I have to go that route?
     
  2. Jesse Norell

    Jesse Norell Active Member

    Probably depends a lot on what OS you're running / how you installed the current apache. Eg. on debian you'd likely have apache 2.2 because you're running an old release (eg. squeeze), so simply update to the current version (jessie) and you'd have 2.4 without any extra effort. If however you compiled/installed apache from source in the first place, then that's likely how you'd go about updating it as well.
    I would guess (though haven't done this) that it doesn't matter if you have an older version installed while you compile the new version; it would matter when you go to install the new version, ie. make sure all old libraries/modules/everything is cleaned up, config file paths/contents updated, etc. I'm sure a little searching google would fine some specific direction here.
     
  3. minimaLMind

    minimaLMind New Member

    He Jesse, I installed based mostly off the Perfect Server Debian 8 Jessie tutorial - this installs 2.4.10 -- But I think the issues are fixed (mod_lua vulnerabilities and other issues) in 2.4.14. I can't wait for the repos to catch up, my bank charges me fees for not being in compliance. I have installed Apache from source many times before, but not over the top of an apt install. I don't know if, when they do catch up, if they will overwrite my files and cause things to go down.
     
  4. Jesse Norell

    Jesse Norell Active Member

    looks like jessie-backports doesn't have it. If it were me, I'd probably look at taking the debian package source and just updating the apache version in that, so you still install from a package; or maybe swith to Ubuntu 16.04 (https://launchpad.net/ubuntu/xenial/ source/apache2)
     
  5. minimaLMind

    minimaLMind New Member

    till likes this.
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    I wondered already that Debian did not patch these issues. I guess it's a common problem with PCI compliance scans that they don't take into account that Linux Distributions are patching software while the major software version stays the same. In my opinion, from a security standpoint, updating a server with the tools of the Distribution is always better than compiling everything manually.
     
  7. minimaLMind

    minimaLMind New Member

    One more thing I'd like to add. In Monit (which is failing because of TLSv1), there is an SSL VERSION option which is in a later version than what is in 'stable'. I am able to jump ahead of the game using Backports https://wiki.debian.org/Backports.
     

Share This Page