Backporting and PCI compliance software versions
Backporting is the practice of taking fixes that were applied to a newer version of a piece of software and applying those fixes to an older version of the same software. Sometimes the patch needs modification to work with the older software.
Backporting is done a lot in the world of Linux distributions. A distribution's stable repository will keep an older version of software long after a new version is released. They do this so that they can be sure there are no new bugs in the software release that will cause complications for all of its users. In our world, security is a primary concern, so the Linux distributions will take new security patches and apply them to their older (stable) version of the software. That way they keep the stability of the older version and get the security fixes of the newer one.
However, this can cause confusion for things like PCI compliance. Many PCI compliance scans are based on the fact that a certain "older" version of software was vulnerable to a security bug, while the newer version is not. Backporting does not change the version number of a piece of software. A PCI scan will see that you have the older version and assume that you are still vulnerable to the security issue; however, this may not be the case if the fix was backported. There is no way for the PCI scan to inherently know that the fix was backported to your installation. When this happens a server admin has two choices:
- Break out of the repository version supplied by the distribution
- Work with the PCI scan company to prove compliance because the software has a backported fix
I do not suggest going with decision #1. When you break out of the repository, you hamper your ability to do updates and dependency resolution across your installation. If you manually compile and install a piece of software outside of the repository, then it becomes your duty to maintain and update that software and any of the dependent packages. This can cause an excessive amount of work and make it difficult to stay up to date with your installation, as you can no longer run updates from the distribution repository.
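As an added illustration (not code from the original post), the logic below shows why a version-only scan flags a backported package and what evidence answers the finding. The package changelog, version numbers and CVE id are constructed placeholders, and the rpm-style version comparison is simplified.

```python
import re

# Constructed sample changelog (not from any real package): the distro build stays
# at upstream version 1.0.1e but records a backported fix for a placeholder CVE id.
SAMPLE_CHANGELOG = """\
* Mon Jan 01 2000 Distro Maintainer <maint@example.invalid> - 1.0.1e-16
- backport fix for CVE-0000-12345 from upstream 1.0.1g
* Mon Dec 01 1999 Distro Maintainer <maint@example.invalid> - 1.0.1e-15
- rebuild for new compiler
"""

def _segments(version: str) -> list:
    """Split '1.0.1e' into [1, 0, 1, 'e'], the way rpm's version compare does."""
    return [int(s) if s.isdigit() else s
            for s in re.findall(r"[0-9]+|[A-Za-z]+", version)]

def version_lt(a: str, b: str) -> bool:
    """True if version a sorts before version b (numbers numerically, letters
    lexically; a numeric segment ranks above an alphabetic one, as in rpm)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            return isinstance(y, int)
        return x < y
    return len(sa) < len(sb)

def scanner_flags(installed_version: str, fixed_upstream: str) -> bool:
    """What a version-only scan does: anything older than the upstream fix is 'vulnerable'."""
    return version_lt(installed_version, fixed_upstream)

def changelog_mentions(changelog: str, cve: str) -> bool:
    """Evidence of a backport: the CVE id appears in the distro package changelog.
    On RPM systems that text comes from `rpm -q --changelog <pkg>`; on Debian it is
    /usr/share/doc/<pkg>/changelog.Debian.gz."""
    return re.search(r"\b" + re.escape(cve) + r"\b", changelog) is not None

def assess(installed_version: str, fixed_upstream: str, cve: str, changelog: str) -> str:
    """Combine the scanner's version check with the changelog evidence."""
    if not scanner_flags(installed_version, fixed_upstream):
        return "not flagged"        # installed version is at or past the upstream fix
    if changelog_mentions(changelog, cve):
        return "false positive"     # older version number, but the fix was backported
    return "needs action"           # no evidence of a backport, treat the finding as real

if __name__ == "__main__":
    print(assess("1.0.1e", "1.0.1g", "CVE-0000-12345", SAMPLE_CHANGELOG))
```

The changelog line naming the CVE is exactly the evidence to hand to the scan vendor when taking decision #2.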