CVE-2009-3555 and PCI Compliance

[eharrison at gmail.com (Erik Harrison)]

my work's been coping with the same sort of problem courtesy of redhat for a
while now - though, different CVEs specifically.

no real creative answer on our side of things, other than to patch to the
fixed version either by building our own packages, or using something like
iuscommunity.org's to save some time.

has anyone had luck arguing the case with vendors (for those that pay for
commercial support) and have a positive/patched result?

On Mon, Dec 21, 2009 at 5:09 AM, Monkey Daemon <
monkeywebdaemon at googlemail.com> wrote:

> Hi All,
>
> I've been speaking to a family member over the weekend who works in a
> similar line of work to myself and we got to talking about PCI
> Compliance.
>
> He's just had a quarterly scan performed and he failed it owing to the
> issues with Session Negotiation when using SSL/TLS.  The problem he
> has is that he's running Linux and not only has his distro not
> released packages for OpenSSL 0.9.8l but the distro vendor is refusing
> to issue a patch stating that as its an issue with the underlying
> protocol there is no point.
>
> Does anyone have a fix to this other than "compile your own SSL with
> negotiation switched off and hope nothing breaks"?
>
> I'm now concerned that when our scan comes around early next year we
> will also fail.
>
> Cheers,
>
> MWD.
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20091221/d4baabd4/attachment.htm