PaulDotCom mailing list archives
CVE-2009-3555 and PCI Compliance
From: tkrabec at gmail.com (Tim Krabec)
Date: Mon, 21 Dec 2009 09:54:29 -0500
I'd say try that in a lab then see what happens & sell the fix back to the vendor.

On Mon, Dec 21, 2009 at 5:09 AM, Monkey Daemon <monkeywebdaemon at googlemail.com> wrote:
Hi All,

I've been speaking to a family member over the weekend who works in a similar line of work to myself and we got to talking about PCI Compliance. He's just had a quarterly scan performed and he failed it owing to the issues with Session Negotiation when using SSL/TLS.

The problem he has is that he's running Linux and not only has his distro not released packages for OpenSSL 0.9.8l but the distro vendor is refusing to issue a patch stating that as it's an issue with the underlying protocol there is no point.

Does anyone have a fix to this other than "compile your own SSL with negotiation switched off and hope nothing breaks"? I'm now concerned that when our scan comes around early next year we will also fail.

Cheers,
MWD.
--
Tim Krabec
Kracomp
772-597-2349
smbminute.com
kracomp.blogspot.com
www.kracomp.com