Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 7 replies
  • Subscribers 2 subscribers
  • Views 1723 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

8.302 release

vannyx
hello everyone i see a 8.302 soft release listed in a sticky. 

does this release have the apache 2.22 patch that will allow astaro to pass a pci scan ? 

ive emailed support and they said it would be out today and they have not answered me yet. 

I have two devices that expire in 5 days and if i dont have this patch management wont allow me to renew it as it doesn't comply with PCI. 

any useful information on the patch would be helpful.


This thread was automatically locked due to age.
  • 0
    As far as I know, the 8.302 patch only includes a fix for PPPOE login for certain DSL providers -- they pushed back the fixes originally scheduled for 8.302 (probably including the patch you are asking about) into 8.303.  You probably should contact your Astaro / Sophos partner and see what they can do for you regarding your pending expiration.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0
    Oh... look here as well:  https://community.sophos.com/products/unified-threat-management/astaroorg/f/52/t/28389

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0 in reply to BrucekConvergent
    we have been promised this from support for at least 2 times already. 

    we need to be PCI compliant and we will be forced to replace astaro with a lessor cisco ASA because its considered to be more bullet proof.  

    i know we are a small customer we only have 4 gateways but i figured that they would have patched this by now.

    for some companies this is considered a serious issue. 

    https://community.sophos.com/products/unified-threat-management/astaroorg/f/54/t/40507
  • 0
    I think the planned date for 8.302 is mid April and this should include the fix to CVE-2012-0053

    V9 in planned for GA around June and it will have the fix 

    PS This is not the official response from support but my understanding on the issue [:)]
  • 0
    pci scans aren't useful in the case of a hardened apache on a firewall.  the pci scans only go by version number and do not take into account the security hardening that vendors put into the installed versions.  What you need to do is get someone who knows the internals(like a partner) to talk to the auditor..this is something that can be worked around with a knowledgeable partner and an intelligent auditor.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0 in reply to William Warren
    Hey Vannyx,

    Second William's comment. I see this topic routinely come up on the CentOS Linux mailing list and they have similar issues as the upstream vendor they recompile from routinely back-ports patches into earlier versions of certain services.

    PCI scans only indicate to the scanner that there is a possible security risk. It's up to the human behind the scan to be aware of this and verify the system is correctly patched.

    [rant]
    The best advice I heard on that list was, if your PCI auditing firm is dumb enough only go based on the scans, you really should be looking for another firm. I know of firms out there that do PCI audting and don't have a single IT person on staff, the 'auditor' is an accountant who dabbles in IT. Not to knock accountants, I worked in the field briefly, but to do this properly you need an IT background, preferably one in security.[;)]
    [/rant]
  • 0 in reply to wingman
    I think the planned date for 8.302 is mid April and this should include the fix to CVE-2012-0053

    V9 in planned for GA around June and it will have the fix 

    PS This is not the official response from support but my understanding on the issue [[:)]]


    Wingman, they "renumbered" the up2dates after some Swisscom DSL customers had issues -- 8.302 is nothing more than a PPPOE patch (way to small to include an Apache RPM)... 8.303, indeed, is supposed to be hitting "soft-release" status sometime this month though, and it is my understanding that the Apache patch will be included in that one.

    These other gentlemen have also covered well why the lack of existence of this one patch is not really a show-stopper, in real life, no need for me to yammer on about it [[:)]]

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

Cookie Information Banner