LTS releases are great. I only use LTS releases on my servers. Problem is, if you need PCI compliance (credit card industry requirements, largely making no sense), some credit card processors will tell you to work with companies like SecureMetrics, who "audit" systems.

SecureMetrics will scan your system, find an "old" ssh version and flag you for non-compliance, even though your ssh was actually patched through LTS maintenance. You will then need to address all the vulnerabilities they think you have and provide "proof" that you are running a patched version (I've been asked for screenshots…).
That's normal in any compliance process, and why you typically want to vet the vendor that does the compliance monitoring, and the auditor (some auditors are really overzealous).

Took us a while to find the right ones.
If you use Braintree as your payment processor (something I would not recommend), you get SecureMetrics as your PCI auditor.

Even worse, someone is overzealous, because you will get SecureMetrics on your back even if you are below the PCI thresholds.
_if_ you're using Ubuntu,

there's the CVE tracker you can use to ~argue~ establish that the versions you're using either aren't affected or have been patched.

https://ubuntu.com/security/cves

https://ubuntu.com/security/CVE-2023-28531
that said, we've also had the same auditor ask us to remove the OpenSSH version upon telnet (which, by RFC 4253, is not possible)

so ymmv
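The point the comment above makes (a banner-based scanner keys on the upstream number, which an LTS backport never changes, while the Debian revision suffix is what actually records the fix) can be turned into a check you hand the auditor. The following is an added example, not code from the commenter or from Ubuntu: it implements the Debian version ordering rules that `dpkg --compare-versions` uses and compares the installed package version against the "fixed in" version you read off the Ubuntu CVE tracker page. The banner, installed version and the `FIXED_IN_PLACEHOLDER` value are constructed samples; the real fixed-in version must be copied from the tracker entry for the CVE being argued.

```python
"""Decide whether an installed Ubuntu package version already carries a backported
fix, using Debian version ordering (epoch:upstream-revision, '~' sorts before
everything, digit runs compare numerically). Added example; sample values are
constructed, and FIXED_IN_PLACEHOLDER stands in for the tracker's real value."""
import re
from itertools import zip_longest

# Constructed: what a banner-grepping scanner sees. "8.9p1" is the upstream
# version and stays identical before and after an LTS security update.
SAMPLE_BANNER = "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10"
# Constructed: what `dpkg -s openssh-server` would report on the same host.
SAMPLE_INSTALLED = "1:8.9p1-3ubuntu0.10"
# Placeholder: replace with the "fixed in" version from the Ubuntu CVE tracker.
FIXED_IN_PLACEHOLDER = "1:8.9p1-3ubuntu0.4"


def banner_upstream_version(banner):
    """Return only the upstream OpenSSH version a naive scanner matches on."""
    m = re.search(r"OpenSSH_([0-9][0-9A-Za-z.]*)", banner)
    return m.group(1) if m else None


def split_version(v):
    """Split 'epoch:upstream-revision' into (int epoch, upstream, revision)."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    if "-" in rest:
        upstream, _, revision = rest.rpartition("-")
    else:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def _order(c):
    """Debian ordering for non-digit characters: '~' < end < letters < others."""
    if c == "":
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    for ca, cb in zip_longest(a, b, fillvalue=""):
        d = _order(ca) - _order(cb)
        if d:
            return d
    return 0


def _cmp_part(a, b):
    """Compare one upstream or revision string by alternating non-digit/digit runs."""
    pairs = zip_longest(re.findall(r"(\D*)(\d*)", a),
                        re.findall(r"(\D*)(\d*)", b),
                        fillvalue=("", ""))
    for (na, da), (nb, db) in pairs:
        d = _cmp_nondigit(na, nb) or (int(da or 0) - int(db or 0))
        if d:
            return d
    return 0


def compare_versions(a, b):
    """Negative if a < b, zero if equal, positive if a > b (dpkg ordering)."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)


def is_patched(installed, fixed_in):
    """True when the installed package is at or above the tracker's fixed-in version."""
    return compare_versions(installed, fixed_in) >= 0


if __name__ == "__main__":
    print("scanner sees upstream:", banner_upstream_version(SAMPLE_BANNER))
    print("installed package:    ", SAMPLE_INSTALLED)
    print("fixed in (placeholder):", FIXED_IN_PLACEHOLDER)
    print("patched:", is_patched(SAMPLE_INSTALLED, FIXED_IN_PLACEHOLDER))
```

The output of this comparison, together with the tracker URL and the `dpkg -s` line, is the kind of evidence that answers the "old ssh version" finding without a screenshot; note that the comparison is only as good as the fixed-in version you copied, so take it from the tracker page for the exact Ubuntu release you run.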