You need to get the actual audit report. Many auditors take advantage of
the easiest way to get exceptions for their reports by scanning for
versions of software, since vulnerabilities are discovered in version (for
example) 5.3 and then are known to exist in 5.2, 5.1, etc. By looking and
seeing you are not yet on 5.5 they can claim you are vulnerable to
everything pre-5.5 and give you a long list, using lots of pages of a
document, and seeming to earn lots of money.
The problem is that version numbers are nothing more than integers, and
enterprise distributions of Linux like SUSE Linux Enterprise backport
fixes into older version numbers. This is done so that when you get the
latest patches of SLES you get fixes, even those from future versions of
packages like PHP, but without getting potentially less-stable code from
new features in PHP. The result is that auditors who cannot actually test
for vulnerabilities but can only test for certain versions of software are
not valuable and are not giving you accurate information, other than “Your
package version is older than something new,” which of course you know and
which is irrelevant to anything security-related.
On the other hand, if their tests actually attempted to exploit
vulnerabilities and were somehow able to, then there should be bugs open
with SUSE to backport those fixes into current code, where applicable.
Usually the easiest way to reconcile this type of thing is to get the CVE
numbers of the applicable vulnerabilities from the auditor. If they
cannot provide those, fire them for incompetence. Once you have the CVE
numbers you can check SUSE’s vulnerabilities website, or the PHP package’s
changelog (rpm -q --changelog packageName) and see if the fixes are
present. Chances are good that they are since there are teams devoted to
maintaining these packages in this way for these very reasons.
There are regularly questions in the SLE forums on this topic; feel free
to review those for similar information and to help move toward the truth
of the situation.
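The CVE-against-changelog check described above, written out as an added example (this is not code from the post or from SUSE): it looks each auditor-supplied CVE id up in the text of `rpm -q --changelog`, prints which ones have a recorded fix, and exits non-zero when some are missing. The sample changelog, the `CVE-2099-*` ids and the package name are constructed placeholders.

```shell
#!/bin/sh
# Added example: check whether auditor-supplied CVE ids appear in a package's
# RPM changelog, which is where SLES records backported fixes. Package name,
# CVE ids and the sample changelog below are constructed placeholders.

# cve_fixed_in_changelog CHANGELOG CVE
# Prints the matching changelog lines (so you can read the context) and
# returns 0 if the CVE id is mentioned, 1 otherwise. Case-insensitive.
cve_fixed_in_changelog() {
  cl_text=$1
  cl_cve=$2
  printf '%s\n' "$cl_text" | grep -iF -- "$cl_cve"
}

# count_unfixed CHANGELOG CVE...
# One status line per CVE; the return value is the number of CVEs with no
# fix recorded, so non-zero means there is something to raise with SUSE.
count_unfixed() {
  cu_text=$1
  shift
  cu_missing=0
  for cu_cve in "$@"; do
    if cve_fixed_in_changelog "$cu_text" "$cu_cve" >/dev/null; then
      echo "$cu_cve: fix recorded in changelog"
    else
      echo "$cu_cve: NOT found in changelog"
      cu_missing=$((cu_missing + 1))
    fi
  done
  return "$cu_missing"
}

# check_package PACKAGE CVE...  (queries the installed RPM; returns 2 if the
# package is not installed, otherwise the count of unfixed CVEs)
check_package() {
  cp_pkg=$1
  shift
  cp_text=$(rpm -q --changelog "$cp_pkg") || return 2
  count_unfixed "$cp_text" "$@"
}

# Constructed sample resembling rpm changelog output, for offline testing.
SAMPLE_CHANGELOG='* Tue Mar 05 2013 maintainer@example.com
- fix CVE-2099-0001: constructed sample entry for a backported fix
* Mon Jan 14 2013 maintainer@example.com
- update to 5.3.17'

# Usage: sh check_cves.sh PACKAGE CVE-YYYY-NNNN ...   (PACKAGE is a placeholder)
if [ "$#" -ge 2 ]; then
  check_package "$@"
fi
```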