PCI scan compliance - CentOS + cPanel

[cyberiadmin]

I have a cPanel box running centos. Everything latest and fully updated. (Just instilled)

Then i run a PCI compliance scan across my server and it found many issues. Some issues found are the following:

• Security hole found on port/service "general/tcp" - OpenSSL Version - CVE-2007-4995
• Apache UserDir - know how to fix with cPanel
• ISC BIND 9 DNSSEC Cache Poisoning - Upgrade to BIND 9.4.3-P4, 9.5.2-P1 or 9.6.1-P2 or later. - CVE-2009-4022
• http TRACE XSS attack - CVE-2003-1567 CVE-2004-2320
• Deprecated SSL Protocol Usage - Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
• Weak Supported SSL Ciphers Suites
• Ruby on Rails Session Fixation Vulnerability - Upgrade to Ruby on Rails version 1.2.6 or later and make sure
  'config.action_controller.session_options[:cookie_only]' is set to 'true' in the 'config/environment.rb' file. CVE-2007-5380 CVE-2007-6077
• SSL Medium Strength Cipher Suites Supported
• OpenSSH < 4.4 Multiple GSSAPI Vulnerabilities
• And more

How would i go about fixing this?
I have tried but failed with updating BIND.
I have tried a yum update list and yum update. But no updates are found.
I have tried googling for fixes, i have not found any thing that fixes BIND.

I tired to update bind by using:

Code:

gzip -d -c openssl-0.9.8l.tar.gz | gtar xvf -
cd openssl-0.9.8l
./config
make
make install
alias cp=cp
cp -f /usr/local/ssl/bin/openssl /usr/bin/openssl
cd /usr/local/include
mv openssl openssl.old
ln -s /usr/local/ssl/include/openssl openssl

Then cpanel says:

Code:

named (9.7.0b3)	failed

Note i had to remove via RPM the base named 9.4.x, that was installed by cpanel. So that cPanel would see the new version. I have also tried updating to BIND 9.4.3-P4.

This was found by http://www.hackerguardian.com/hackerguardian.

I will also be trying to get https://www.mcafeesecure.com. Has any one got either PCI compliance on there server. If so how did you update your server?

Any help on this issue, i would be very tankful for.

Thanks

[sirdopes]

Check the changelog of the rpm. Many patches are backported and the dnssec cach poisoning is probably patched. It is also not an issue if you are not using dnssec on your server.

[txspaderz]

• Security hole found on port/service "general/tcp" - OpenSSL Version - CVE-2007-4995
• Apache UserDir - know how to fix with cPanel
• ISC BIND 9 DNSSEC Cache Poisoning - Upgrade to BIND 9.4.3-P4, 9.5.2-P1 or 9.6.1-P2 or later. - CVE-2009-4022
• http TRACE XSS attack - CVE-2003-1567 CVE-2004-2320
• Deprecated SSL Protocol Usage - Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
• Weak Supported SSL Ciphers Suites
• Ruby on Rails Session Fixation Vulnerability - Upgrade to Ruby on Rails version 1.2.6 or later and make sure
  'config.action_controller.session_options[:cookie_only]' is set to 'true' in the 'config/environment.rb' file. CVE-2007-5380 CVE-2007-6077
• SSL Medium Strength Cipher Suites Supported
• OpenSSH < 4.4 Multiple GSSAPI Vulnerabilities
• And more

1) Upgrade OpenSSL
2) Disable Userdir in VHOST (UserDir disabled)
3) Make sure your BIND version is fully up to date via Yum. Check the changelog and make sure that the CVE is listed.
4) Fixing this one is sometimes a mod_security issue, or an issue with your script actually being vulnerable.
5) Get rid of SSL2 ciphers inside httpd.conf
6) Same as #5
7) Upgrade Ruby (/scripts/installruby)
8) Same as #5 & #6
9) Upgrade OpenSSH.

[cyberiadmin]

3) Make sure your BIND version is fully up to date via Yum. Check the changelog and make sure that the CVE is listed.

I have done a yum list updates and yum update. While it is still the same version. How do i check for CVE?

Thanks