We’re trying to achieve PCI compliance here, but it appears our audit service doesn’t like our Apache version 2.2.3; they say it is prone to cross-site scripting attacks and that we should upgrade Apache. We checked, and there’s no Apache 2.2.14 in the available repos, so we’ll probably install from a Fedora RPM or build it ourselves (or hire someone from the server farm to do it).
The question is: on upgrading Apache, can we break Virtualmin, or does it use another Apache installation for itself? We just don’t want to upgrade the web server and somehow lose our beloved control panel.
I have some recollection of Virtualmin being somewhat self-contained and thus not affected by such updates, but I thought I should ask.
Thanks in advance for any help, this product is a life and sanity saver for us.
Andre is on our web team and I asked him to post this for us. He’s taking a short break to get away from Rio and head for the country while Carnival rages in Brazil, so I’m dropping in here hoping to be inspired and get an answer.
Our server is with ServePath in San Francisco. We asked support at the data center if they would upgrade Apache on our box for us. They replied that they could, but since 2.2.14 does not appear in the available repos at VirtualMin, they surmise that, after upgrading Apache to 2.2.14, VirtualMin will possibly no longer function properly.
So, they asked us to ask you.
Howdy – sorry for the delayed response, I could have sworn I answered this the other day… either I’m losing my mind, or it got eaten by the new spam filters here. Either is entirely possible.
I answered your request in the ticket tracker though:
You can follow up there if you have further questions.
The information requested would be useful for other people too. Will upgrading Apache to a later version than is in the VirtualMin repo break Virtualmin or have any other undesirable effects?
Some of those bug reports seem fickle about who’s able to access them
In case you can’t see the comment in the bug report, I’ll paste it in down here:
Virtualmin should work just fine with all versions of Apache 2.2.x.
In your case – PCI is an interesting animal when combined with CentOS/RHEL.
Although the version of Apache provided by CentOS and RHEL appears to be older, that’s just an illusion that triggers red flags with PCI tests.
CentOS and RHEL backport all security fixes into the version of Apache that they ship.
So it appears older, but really it’s fully up to date and secure.
PCI scanning companies know this though. For any test such as this that raises red flags, you should be able to tell them that it’s a false positive.
My suggestion is not to change to a non-standard Apache version: stick with the one your distro or Apache provides, and explain to your PCI company that you’re fully up to date and that they’re seeing a false positive.
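The advice above leaves one practical step to the reader: how to prove to the scanning vendor that the backported fix is present when the banner still says 2.2.3. The following is an added example, not code from the thread, from Virtualmin, or from the distro. On CentOS/RHEL the proof lives in the package changelog (`rpm -q --changelog httpd`) and in the distro release part of the package name, not in the upstream version the scanner sees. The script uses a constructed changelog sample so it runs offline; the dates, maintainer and release tag in it are made up, and the CVE numbers are real Apache 2.2 XSS advisories chosen for illustration, since the thread does not say which advisory the scanner cited. The function names (`httpd_changelog`, `list_cves`, `cve_fixed_in_changelog`, `nvr_split`, `evidence_report`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or Virtualmin): gather the evidence a
# PCI scanning vendor needs to accept an "outdated Apache" finding as a
# false positive on CentOS/RHEL, where security fixes are backported and the
# upstream version in the Server banner never changes.

# Constructed sample in the format of `rpm -q --changelog httpd`, so the
# script works offline. Dates, maintainer and release tag are invented; the
# CVE ids are real Apache 2.2 XSS advisories used here only as an illustration.
SAMPLE_CHANGELOG='* Tue Jan 01 2008 Example Maintainer <maint@example.com> - 2.2.3-11.el5_1.3
- add security fixes for CVE-2007-6388 and CVE-2007-5000
* Tue Jul 01 2007 Example Maintainer <maint@example.com> - 2.2.3-7.el5
- rebuild'

# Print the changelog: the real one when rpm and httpd are present,
# otherwise the constructed sample above.
httpd_changelog() {
    if command -v rpm >/dev/null 2>&1 && rpm -q httpd >/dev/null 2>&1; then
        rpm -q --changelog httpd
    else
        printf '%s\n' "$SAMPLE_CHANGELOG"
    fi
}

# List every CVE id mentioned in a changelog text, one per line, de-duplicated.
list_cves() {
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 if the CVE id ($1) appears in the changelog text ($2), 1 otherwise.
cve_fixed_in_changelog() {
    printf '%s\n' "$2" | grep -qF -- "$1"
}

# Split a package NVR such as httpd-2.2.3-11.el5_1.3 into the upstream version
# (what the scanner sees in the banner) and the distro release (where the
# backport history lives). Prints "version release".
nvr_split() {
    nvr=$1
    rel=${nvr##*-}
    ver=${nvr%-*}
    ver=${ver##*-}
    printf '%s %s\n' "$ver" "$rel"
}

# Usage: evidence_report CVE-YYYY-NNNN [more ids...]
# One line per id the scanner cited, stating whether the package changelog
# records a fix for it. Hand the output, plus `rpm -q httpd`, to the vendor.
evidence_report() {
    log=$(httpd_changelog)
    for id in "$@"; do
        if cve_fixed_in_changelog "$id" "$log"; then
            echo "$id: fixed (listed in package changelog)"
        else
            echo "$id: NOT found in package changelog - investigate before disputing"
        fi
    done
}

# Run only when ids are passed on the command line.
if [ -n "${1:-}" ]; then
    evidence_report "$@"
fi
```

Run it with the CVE ids from the scan report as arguments. An id that is not in the changelog is a real gap, not a false positive, and should be handled with a package update rather than a dispute.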