So, I've just had the plugged pulled by Braintree because apparently my server configuration doesn't meet the PCI (Payment Card Industry) standards.
MOST of this is due to outdated services running Sentora.. For example, here's one of the reasons.. which I DO NOT understand a word of.
or what about this:
Here's another example:
The results of this security scan provided by "Security Metrics" totalled a 41 page PDF file with TOO many vulnerabilities so they blocked my ability to make any transactions using my website(s).
You guys at Sentora seem so caught up in this issue with Suhosin, to the point where you're happy enough to just let us sit on an old OS with multiple out of date issues with no updates or support for years... what's going on guys? Are you even working on getting this service up and running again or not?
I need an answer, I cannot waste time waiting for this damn suhosin to get compiled which is CLEARLY is not going to happen, just sounds like an excuse to me.
If a "developer" from here wants the PDF let me know.. but you guys need to get this together, otherwise it's just a insecure, messy platform.
MOST of this is due to outdated services running Sentora.. For example, here's one of the reasons.. which I DO NOT understand a word of.
Quote:ISC BIND 9 < 9.9.10-P2 / 9.9.10-S3 / 9.10.5-P2 / 9.10.5-S3 / 9.11.1-P2 Multiple Vulnerabilities
Synopsis:
The remote name server is affected by multiple vulnerabilities.
Impact:
According to its self-reported version, the instance of ISC BIND 9 running on the remote name server is 9.9.x prior to 9.9.10-P2 or 9.9.10-S3, 9.10.x prior to 9.10.5-P2 or 9.10.5-S3, or 9.11.x prior to 9.11.1-P2. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the Transaction Signature (TSIG) authentication implementation when handling received messages. An unauthenticated, remote attacker can exploit this, via a specially crafted request packet, to circumvent TSIG authentication of AXFR requests. Note that to exploit this issue the attacker must be able to send and receive messages to an authoritative DNS server and have knowledge of a valid TSIG key name. (CVE-2017-3142) - A flaw exists in the Transaction Signature (TSIG) authentication implementation when handling messages. An unauthenticated, remote attacker can exploit this to manipulate BIND into accepting an unauthorized dynamic update. Note that to exploit this issue the attacker must be able to send and receive messages to an authoritative DNS server and have knowledge of a valid TSIG key name for the zone and service being targeted. (CVE- 2017-3143) Note that SecurityMetrics has not tested for these issues but has instead relied only on the application's self-reported version number. See also : https://kb.isc.org/article/AA-01503 https://kb.isc.org/article/AA-01504 https://kb.isc.org/article/AA-01505 https://kb.isc.org/article/AA-01506 https://kb.isc.org/article/AA-01507 https://kb.isc.org/article/AA-01508 https://kb.isc.org/article/AA-01509
Resolution:
Upgrade to ISC BIND version 9.9.10-P2 / 9.9.10-S3 / 9.10.5-P2 / 9.10.5- S3 / 9.11.1-P2 or later.
Data Received: Installed version : 9.9.5-3ubuntu0.18-Ubuntu Fixed version : 9.9.10-P2 / 9.9.10-S3 / 9.10.5-P2 / 9.10.5-S3 / 9.11.1-P2
or what about this:
Quote:ProFTPD < 1.3.5b / 1.3.6x < 1.3.6rc2 weak Diffie-Hellman key
Synopsis:
The remote FTP server is affected by a Denial of Service vulnerability.
Impact:
The remote host is using ProFTPD, a free FTP server for Unix and Linux. According to its banner, the version of ProFTPD installed on the remote host is prior to 1.3.5b or 1.3.6x prior to 1.3.6rc2 and is affected by an issue in the mod_tls module, which might cause a weaker than intended Diffie-Hellman key to be used. See also : http://bugs.proftpd.org/show_bug.cgi?id=4230
Resolution:
Upgrade to ProFTPD version 1.3.5b / 1.3.6rc2 or later.
Data Received:
Version source : 220 ProFTPD 1.3.5rc3 Server (Sentora FTP Server) [::ffff:162.212.158.34] Installed version : 1.3.5rc3 Fixed version : 1.3.5b / 1.3.6rc2
Here's another example:
Quote:FTP Supports Cleartext Authentication
Synopsis:
Authentication credentials might be intercepted.
Impact:
The remote FTP server allows the user's name and password to be transmitted in cleartext, which could be intercepted by a network sniffer or a man-in-the-middle attack.
Resolution:
Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server so that control connections are encrypted.
Data Received:
This FTP server does not support 'AUTH TLS'.
The results of this security scan provided by "Security Metrics" totalled a 41 page PDF file with TOO many vulnerabilities so they blocked my ability to make any transactions using my website(s).
You guys at Sentora seem so caught up in this issue with Suhosin, to the point where you're happy enough to just let us sit on an old OS with multiple out of date issues with no updates or support for years... what's going on guys? Are you even working on getting this service up and running again or not?
I need an answer, I cannot waste time waiting for this damn suhosin to get compiled which is CLEARLY is not going to happen, just sounds like an excuse to me.
If a "developer" from here wants the PDF let me know.. but you guys need to get this together, otherwise it's just a insecure, messy platform.
