TOPIC: PCI compliance requires at least Apache 2.2.8

#12198
tfunk (User)
Posts: 34
PCI compliance requires at least Apache 2.2.8 2008/05/05 21:09  
To be compliant with PCI standards (Payment Card Industry), a merchant is supposed to have at least Apache 2.2.8, and at least PHP 5.2.5.

I think this is the lamest thing ever.

Anyway, I might as well figure out how to upgrade the two packages. I currently have Apache 2.2.3 and PHP 5.1.6.

Am I limited to upgrades given via the auto upgrade feature of Virtualmin, or can I perform upgrades on my own? I'm very savvy about how to go about it, perhaps if there was a URL someone could point me to I'd be set.

Lastly, are there any gotchas I need to be aware of?

Thanks!
T
#12211
tfunk (User)
Posts: 34
Re:PCI compliance requires at least Apache 2.2.8 2008/05/06 12:56  
Someone has to know how to update httpd and PHP?

Cheers,
T
#12212
Joe (Admin)
Posts: 3939
Re:PCI compliance requires at least Apache 2.2.8 2008/05/06 13:27  
So, the PCI standards do not take into account fully patched versions of these packages from the OS vendors? So...RHEL 5 is not PCI compliant, despite being one of the most secure systems available (likewise Debian 4)? I think this shows a pretty striking lack of awareness on the part of the folks drafting the guidelines.
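Joe's point is that a vendor package can carry a security fix without its upstream version number changing, so a check that only compares "2.2.3" against a required "2.2.8" says nothing about patch state. The following Python script is an added example, not code posted by anyone in this thread or shipped by Virtualmin: it compares versions the way RPM does, and when the installed version is below the scanner's threshold it looks in the package changelog for the advisory the scanner is really asking about. The version strings, the changelog excerpt and the advisory identifier are all constructed placeholders; on a real host the inputs would come from `rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' httpd` and `rpm -q --changelog httpd`.

```python
"""
Added example: distinguish "old upstream version number" from "unpatched".

A scanner that compares httpd 2.2.3 against a minimum of 2.2.8 flags a
fully patched RHEL/CentOS 5 host. The vendor's package changelog is
where the backported fix is actually recorded, so the check below
falls back to it when the version alone fails the threshold.
All sample data here is constructed for the example; the advisory id is a
placeholder, not a real CVE.
"""
import re

# Constructed sample input (placeholder values, not real advisory data).
INSTALLED_HTTPD = "2.2.3-11"
SCANNER_MINIMUM = "2.2.8"
SAMPLE_CHANGELOG = """\
* Tue Jan 15 2008 Example Maintainer <maint@example.invalid> - 2.2.3-11
- add security fix for CVE-0000-0001 (placeholder id)
- resolves: bz#000001
* Mon Oct 01 2007 Example Maintainer <maint@example.invalid> - 2.2.3-10
- rebuild
"""


def _segments(version):
    """Split a version into the digit / alpha runs that RPM compares."""
    return re.findall(r"\d+|[A-Za-z]+", version)


def rpm_vercmp(a, b):
    """Compare two version strings the way rpmvercmp does (simplified):
    numeric segments compare numerically, alpha segments lexically,
    a numeric segment beats an alpha one at the same position, and when
    all leading segments are equal the longer version is newer.
    Returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def upstream_version(evr):
    """Drop the distro release suffix ('2.2.3-11' -> '2.2.3')."""
    return evr.split("-", 1)[0]


def meets_minimum(installed_evr, minimum):
    """True when the upstream part of the installed version is >= minimum."""
    return rpm_vercmp(upstream_version(installed_evr), minimum) >= 0


def changelog_has_fix(changelog, advisory_id):
    """True when the package changelog mentions the advisory identifier."""
    return re.search(re.escape(advisory_id), changelog, re.IGNORECASE) is not None


def assess(installed_evr, minimum, changelog, advisory_id):
    """Classify a scanner finding as 'ok' (version meets the threshold),
    'backported' (below the threshold, but the vendor changelog records
    the fix) or 'unpatched' (below the threshold and no record of a fix)."""
    if meets_minimum(installed_evr, minimum):
        return "ok"
    if changelog_has_fix(changelog, advisory_id):
        return "backported"
    return "unpatched"


if __name__ == "__main__":
    verdict = assess(INSTALLED_HTTPD, SCANNER_MINIMUM, SAMPLE_CHANGELOG, "CVE-0000-0001")
    print(f"httpd {INSTALLED_HTTPD} vs minimum {SCANNER_MINIMUM}: {verdict}")
```

A "backported" verdict is the evidence you attach to the compliance exception tfunk mentions filing: the version string stays below the threshold, but the vendor's own changelog shows the fix landed. It is only as good as the changelog, so the advisory identifier passed in should be the one the scanner's rule is derived from, not just any entry in the log.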
#12213
Joe (Admin)
Posts: 3939
Re:PCI compliance requires at least Apache 2.2.8 2008/05/06 13:29  
BTW-We have a solution coming soon for the PHP update issue for our most popular platforms--we will provide PHP 5.2.6 for CentOS 5, at least. We will never bump rev on Apache beyond what is provided by the vendor...so you'll need to build your own (which will probably end up less secure in the end since managing upgrades is so much harder on a built-from-source installation).

BTW2-Note I said PHP 5.2.6. 5.2.5 has security vulnerabilities, unless patched. ;-)
#12219
tfunk (User)
Posts: 34
Re:PCI compliance requires at least Apache 2.2.8 2008/05/06 14:49  
Thanks Joe! I am a paying customer, anyway ;)

I guess I'll have to file an exception, as it's the most fully patched version of apache. Thanks for pointing that out. I look forward to getting the PHP 5.2.6, though! When do you think that'll come?

But ya, I think it's more or less just a joke.

I mean seriously, HACKER SAFE has softer requirements than PCI, and you see all those HACKER SAFE decals all over the place, where in truth it's all BS. I am actually HACKER SAFE compliant, just not PCI. Odd.... And to get that HACKER SAFE decal you have to pay about 2.5 times more money. What a joke!

Cheers,
T
#12220
tfunk (User)
Posts: 34
Re:PCI compliance requires at least Apache 2.2.8 2008/05/06 14:52  
The other reason I'm not PCI compliant is because I have "excessive" open ports, which means 10 or more. I mean seriously, who came up with 10? I should get an exception, though, for that because it's "by design". Whatever! ;)

T
#12221
Joe (Admin)
Posts: 3939
Re:PCI compliance requires at least Apache 2.2.8 2008/05/06 15:00  
> The other reason I'm not PCI compliant is because I have "excessive" open ports, which means 10 or more. I mean seriously, who came up with 10?

They count the number of open ports? Seriously? Wow. I think from now on, if I see some sort of PCI logo on a site I will be more suspicious of their security than if I don't. ;-)
#12222
PlayGod (User)
Posts: 90
Re:PCI compliance requires at least Apache 2.2.8 2008/05/06 15:13  
If you absolutely, positively must have these updates, you might look into using Jason Litka's excellent repository, which includes patched PHP 5.2.5, httpd 2.8 and MySQL 5.0.58

Not supported or recommended by the folks here, of course, but very useful if you must have a very up-to-date CentOS.

http://www.jasonlitka.com/yum-repository/changelog/

You'll need to do a bit of research to figure out how to enable and use his repos, and your following yum update will be scary as it'll replace a load of packages and modules. Caveat Emptor... but I've had very good luck with it and he does seem serious about changes and updates.

Time Will Tell... hopefully he continues his good work, it is much appreciated by those who use his repos and builds.
#12224
PlayGod (User)
Posts: 90
Re:PCI compliance requires at least Apache 2.2.8 2008/05/06 15:18  
#12226
Joe (Admin)
Posts: 3939
Re:PCI compliance requires at least Apache 2.2.8 2008/05/06 15:46  
> Not supported or recommended by the folks here

It's not not recommended, either. ;-)

But, as you say, we can't possibly support packages that we don't provide or aren't from the standard OS sources. We have our hands full supporting our own packages plus the ones from CentOS, Debian, Ubuntu, Fedora, etc.
Copyright 2005-2007 Virtualmin, Inc. All rights reserved.