
We run Ubuntu Lucid 10.0.4 as the foundation of our LAMP environment. We are trying to become PCI compliant so that we can pass CC info through our server. We have run some third-party scans on our servers to begin the certification process and have run into errors regarding PHP 5 versions and Apache versions. The latest PHP version hosted in our official lucid repository is about 10 versions lower than what PCI compliance requires.

How do we upgrade to stay current with PCI compliance requirements?

We need to get from php 5.3.2 to php 5.3.15

As well as up to apache 2.2.23

I've searched far and wide for an answer and haven't come up with a realistic answer. Some recommend compiling manually - which sounds like a nightmare, and others recommend a PPA - which sounds insecure. What should we do?

Jared Green
  • What Michael Hampton said. Also, did the security scan give you the specific CVEs for the security issues? If so, check the Ubuntu changelog for the PHP packages. There should be indications of the backports that fix those specific issues, usually referenced by the CVE, i.e., look at https://launchpad.net/ubuntu/+source/php5/+changelog and you'll see that 5.3.2-1ubuntu4.18 fixes CVE-2012-2688. – cjc Oct 15 '12 at 00:49
  • PCI compliance - Yuck! a legal minefield. – hookenz Oct 15 '12 at 02:31


Enterprise Linux distributions deal with this by backporting security fixes from the new version to the original version to which your distribution is locked. You install the updated system packages containing the backported security fixes, and note this in your report to the compliance vendor.

Each report you receive of a potential security vulnerability should include a CVE number. Look up this number in Ubuntu Security Notices (see also Red Hat CVE for RHEL/CentOS) to determine the updates that your system needs.

As a side note, if you are running a PHP-based web site, you often want bug fix updates in addition to security fixes. The distros almost never distribute bug fix updates unless they cause crashes or security problems, and sometimes not even then. In this case it's often wiser to use a PPA that tracks your desired PHP version (e.g. 5.3 or 5.4) instead of the system packages.

Michael Hampton
  • Michael gave the perfect answer. When our auditor comes he wants to make sure we are subscribing to the errata for the distros we have in production. He will then ask to see an email and match up a version on the server to that email to make sure we are applying the updates. – Mike Oct 15 '12 at 02:25
  • I go through this quarterly for one of my clients. – Michael Hampton Oct 15 '12 at 02:53
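The check that the answer and cjc's comment describe, as an added example (not code from the original post or from Ubuntu's tooling): find the Debian changelog entry that mentions a scanner-reported CVE and compare the installed package version against it using dpkg's version ordering, so that a backported fix in 5.3.2-1ubuntu4.18 is recognised even though the upstream string 5.3.2 is what the scanner flags. The changelog excerpt, maintainer and dates are constructed, and CVE-0000-0001 is a placeholder id; on a real host the changelog comes from /usr/share/doc/<package>/changelog.Debian.gz and the version from `dpkg-query -W -f='${Version}' <package>`.

```python
import re
from itertools import zip_longest
# Constructed excerpt in Debian changelog format (not the real php5 changelog; CVE-0000-0001 is a placeholder id).
CHANGELOG = """\
php5 (5.3.2-1ubuntu4.18) lucid-security; urgency=low
  * SECURITY UPDATE: (constructed entry)
    - CVE-2012-2688
 -- Example Maintainer <maint@example.com>  Mon, 23 Jul 2012 12:00:00 -0400
php5 (5.3.2-1ubuntu4.17) lucid-security; urgency=low
  * SECURITY UPDATE: (constructed entry)
    - CVE-0000-0001
 -- Example Maintainer <maint@example.com>  Fri, 04 May 2012 12:00:00 -0400
"""

def _sign(x): return (x > 0) - (x < 0)
# Debian policy: '~' sorts before end-of-string, letters sort before other symbols.
_order = lambda c: -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):  # Debian's alternating non-digit / digit comparison of one component
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for x, y in zip_longest(na, nb, fillvalue=""):
            if _order(x) != _order(y): return _sign(_order(x) - _order(y))
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0): return _sign(int(da or 0) - int(db or 0))
    return 0

def _split(v):
    m = re.fullmatch(r"(?:(\d+):)?(.*?)(?:-([^-]*))?", v)  # epoch, upstream, debian revision
    return int(m.group(1) or 0), m.group(2), m.group(3) or ""

def compare_versions(a, b):  # same ordering as `dpkg --compare-versions`: -1, 0 or 1
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return _sign(ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def fixing_version(changelog, cve):  # oldest package version whose entry mentions cve, or None
    version = found = None
    for line in changelog.splitlines():
        m = re.match(r"^\S+ \(([^)]+)\) ", line)  # entry header: "pkg (version) suite; ..."
        if m: version = m.group(1)
        elif version and cve in line: found = version
    return found

def backport_installed(changelog, cve, installed):
    fixed = fixing_version(changelog, cve)  # None when no entry mentions the cve
    return fixed is not None and compare_versions(installed, fixed) >= 0
```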