There hasn't been a new version released since last year, but there has been at least one ISPConfig 3 release since then. Is ISPConfig 2 still being updated? I'd really like to get the system up to date, particularly as PCI compliance checks are highlighting out-of-date software versions. Iain
Yes. Mature and stable software like ISPConfig 2 does not need as many updates as newer software like ISPConfig 3, so it makes no sense to compare the release cycles. There will be updates available until we announce the end of the updates. So please do not ask every few months how long we will release updates.
In that case, my question is a little different. When I ran a PCI Compliance check against a site hosted on the server, the scan tool (McAfee) said that some of the software is out of date. It mentioned the versions of Apache and PHP as well as some other software. Aptitude update / safe-upgrade does not bring newer versions, and I am left wondering why not.
That's really easy to answer and not related to ISPConfig at all. The software of your webserver is from Debian or Ubuntu; the Linux distributions patch software without increasing the version numbers for compatibility reasons. So tools like McAfee cannot work on Linux. Just install all Debian updates and your system is safe.
PCI Compliance difficulties
You know that, and I think that, but how to convince the banks of that? McAfee claims to offer a free PCI scanning service. They seem to think that because the latest apache is 2.2.15, any system running 2.2.9 is at risk. Without a certificate saying that the system is PCI compliant, the banks make things very difficult for online merchants. After all, they may lose thousands of millions of pounds and need helping out by the taxpayers - oh, no, that's the banks! Seriously, I do believe that my system is secure and up-to-date, but I want to make sure I'm on solid ground before arguing with the bankers.
Please see here: http://www.ducea.com/2006/06/16/apache-tips-tricks-hide-php-version-x-powered-by/ to disable version information in PHP and then add the following directives in the apache httpd.conf file:
Code:
ServerSignature Off
ServerTokens Prod
to disable version information there too.
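The thread's point that Debian patches packages without raising the upstream version can be backed with evidence from the package changelog. The following is an added example, not part of any post above: it maps each CVE id in a Debian changelog to the package revision whose entry mentions it. The function names, the sample changelog, its revision strings and the CVE ids are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Debian security uploads record the
# CVE ids they address in the package changelog, so the changelog shows
# which fixes a package carries even when the upstream version is unchanged.

# cve_fix_map: read a Debian changelog on stdin and print one line per
# "CVE-ID<TAB>package revision whose entry mentions it".
cve_fix_map() {
    awk '
        # Entry header: "package (version) distribution; urgency=..."
        /^[a-z0-9][a-z0-9+.-]* \(.*\) / {
            ver = $2
            gsub(/[()]/, "", ver)
            next
        }
        {
            line = $0
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                print substr(line, RSTART, RLENGTH) "\t" ver
                line = substr(line, RSTART + RLENGTH)
            }
        }
    ' | sort -u
}

# fixed_in CVE-ID: print the revision(s) mentioning that id; exit 1 if none.
fixed_in() {
    cve_fix_map | awk -F '\t' -v id="$1" \
        '$1 == id { print $2; found = 1 } END { exit !found }'
}

# Constructed sample changelog: revisions and CVE ids are placeholders.
sample_changelog() {
    cat <<'EOF'
apache2 (2.2.9-0+example2) stable-security; urgency=high

  * Backport upstream fix for CVE-0000-0002 (placeholder id).

 -- Example Maintainer <maint@example.org>  Fri, 01 Jan 2010 00:00:00 +0000

apache2 (2.2.9-0+example1) stable-security; urgency=high

  * Fix CVE-0000-0001 and CVE-0000-0003 (placeholder ids).

 -- Example Maintainer <maint@example.org>  Fri, 01 Jan 2010 00:00:00 +0000
EOF
}

# On a real system, feed the installed package's changelog instead:
#   zcat /usr/share/doc/<package>/changelog.Debian.gz | cve_fix_map
# and pair it with the installed revision:
#   dpkg-query -W -f='${Version}\n' <package>
```

The resulting list, together with the installed revision, can be set against the CVE ids a version-based scan reports when disputing a finding.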