[Pauldotcom] CVE-2009-3555 and PCI Compliance
tkrabec at gmail.com
Mon Dec 21 14:54:29 UTC 2009
I'd say try that in a lab then see what happens & sell the fix back to the
On Mon, Dec 21, 2009 at 5:09 AM, Monkey Daemon <
monkeywebdaemon at googlemail.com> wrote:
> Hi All,
> I've been speaking to a family member over the weekend who works in a
> similar line of work to myself and we got to talking about PCI
> He's just had a quarterly scan performed and he failed it owing to the
> issues with Session Negotiation when using SSL/TLS. The problem he
> has is that he's running Linux and not only has his distro not
> released packages for OpenSSL 0.9.8l but the distro vendor is refusing
> to issue a patch stating that as it's an issue with the underlying
> protocol there is no point.
> Does anyone have a fix to this other than "compile your own SSL with
> negotiation switched off and hope nothing breaks"?
> I'm now concerned that when our scan comes around early next year we
> will also fail.