OT: SCO 5 6.0.0 - cURL Binaries / upgrade
ken white
kenwhite at verizon.net
Fri Mar 11 07:03:53 PST 2022
I wonder what version of openssl is installed. According to openssl.org
all versions prior to 1.1.1 are out of date and no longer supported.
Therefore if your software is dependent on openssl, I believe that versions
prior to 1.1.1 would no longer be considered as PCI compliant. Version
0.9.8 installed as a supplement for SCO 6.0.0 was EOL 2016. Even version
1.1.1 has a few high severity CVEs listed which require patching.
Depending on the flavor of their PCI SAQ, the responsible party signing
their annual PCI SAQ should be very concerned.
-----Original Message-----
From: Filepro-list
<filepro-list-bounces+kenwhite=verizon.net at lists.celestial.com> On Behalf Of
Fairlight via Filepro-list
Sent: Thursday, March 10, 2022 2:00 PM
To: filepro-list at lists.celestial.com
Subject: Re: OT: SCO 5 6.0.0 - cURL Binaries / upgrade
They don't have to jump for joy. Is it a business requirement, or is it
someone's pet wishlist item? If the former, it is what it is. If the
latter, it's optional and can be given a pass.
Places can either afford to play ball in their industries, or not. It's not
negotiable, any more than us needing internet service, and not wanting to
pay for it, for instance. It's not optional if you want the specified
result. If it's what's required of the business, it's required. That's how
'required' works. Happiness doesn't enter into it.
God forbid someone need an ISO or SOX audit. Those cost a mint, and I've
never known anyone who was 'happy' to absorb the price.
"Choiceless" is the best fitting adjective for situations like these.
Nobody should be on SCO these days, if they want to take advantage of any
open source software. libopenssl/libssl2 versions features vs restrictions
-alone- are a compelling case for getting off of SCO, never mind the bigger
picture. It's not a sustainable platform in today's security landscape,
-especially- the way Xinuos likes to do things. You will almost always be
at least half a year to two years behind the curve, and God help you if a
zero day exploit is discovered, because -they're- certainly not going to
jump right on that.
m->
On Thu, Mar 10, 2022 at 12:07:20PM -0500, Jose Lerebours via Filepro-list
thus spoke:
> Thanks Mark!
>
> Migrating to LINUX may be the next best thing - based on your reply,
> it is the ONLY best thing. ;-)
>
> Not exactly what I was hoping to hear - I am sure they are not going
> to jump for joy either!
>
> Regards,
>
>
> On 3/10/22 11:26 AM, Fairlight via Filepro-list wrote:
> > The problem isn't curl itself. The problem is that you need a
> > sufficiently high OpenSSL version on the system against which curl
> > can be compiled.
> >
> > The only people who can truly help with this are Xinuos. At one
> > point a few years back, they were recommending an upgrade to their
> > latest combo Unix platform, and had forward-looking plans to release
> > just such an OpenSSL version (which by the time they would have
> > gotten done would have been over six months behind reality). They
> > were only going to offer it for their latest version of OpenServer.
> >
> > It was a bad bet to wait on them.
> >
> > If you're serious about eCommerce, get them off SCO. It's a dying
> > platform for anything to do with security and interoperability.
> >
> > OpenSSL is also notoriously bitchy to compile, especially on SCO.
> >
> > Given a system with a usable devkit, I'd be willing to make the
> > attempt, but it would -cost-, and not just a little. $25k minimum
> > for the attempt, succeed or fail; more on success. That's how
> > bitchy it tends to be, historically, and how much it would need to
> > be made worth my time to even make the attempt in good faith, on a
> > dead platform. Anyone doing it for less is a fool, especially when
> > you realise that it's going to support a credit card gateway system
> > which will be the cornerstone of someone's business for years to
> > come. You get your money out of that up-front, because you'll never
> > see another cent out of it afterwards, if you do it correctly. At
> > least not until the next mandatory TLS bump. So how much do they
> > -actually- want to do their credit card processing on SCO? :)
> >
> > They're better off being migrated to Linux. Barring that, no, it
> > wouldn't (and shouldn't) be inexpensive.
> >
> > m->
> >
> >
> > > On Thu, Mar 10, 2022 at 10:01:01AM -0500, Jose Lerebours via Filepro-list thus spoke:
> > > Waaaaay off topic but I have to ask:
> > >
> > > I have a customer that is running on SCO 5 v6.0.0 and credit card
> > > processing company will no longer accept TLS lesser than 1.2; it
> > > appears that with that, we need to upgrade cURL from its current
> > > version of 7.2.### to a more recent version.
> > >
> > > Do any of you (a) have a copy of cURL that would care to share
> > > (purchasing is an option BTW), (b) know of a link where said
> > > binaries could be found.
> > >
> > > Thank you all in advance for your assistance!
> > >
> > >
> > > --
> > > Jose Lerebours
> > > 954-559-7186
> > > https://www.asisuites.com
> > > Accounting - Retail - Wholesale - Distribution Manufacturing -
> > > Warehousing - Transportation - eCommerce - Web Development
> > >
> > > _______________________________________________
> > > Filepro-list mailing list
> > > Filepro-list at lists.celestial.com
> > > Subscribe/Unsubscribe/Subscription Changes
> > > http://mailman.celestial.com/mailman/listinfo/filepro-list
> > >
> --
> Jose Lerebours
> 954-559-7186
> https://www.asisuites.com
> Accounting - Retail - Wholesale - Distribution Manufacturing -
> Warehousing - Transportation - eCommerce - Web Development
>
--
Audi omnia, crede nihil.
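
An added example, not written by any poster in the thread: a POSIX shell check that pulls the OpenSSL version out of a `curl --version` line and classifies it against the two thresholds discussed above. It assumes TLS 1.2 first shipped in OpenSSL 1.0.1 and takes the 1.1.1 support cut-off from the message above (as of March 2022); the sample lines and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: which OpenSSL is this curl linked against, and is it enough?

# Print the OpenSSL version token from `curl --version` output, e.g. "0.9.8".
# Prints nothing if curl was built against a different TLS backend.
curl_openssl_version() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's|^OpenSSL/||p' | head -n 1
}

# Turn "1.0.2u" or "0.9.8zh" into major*10000 + minor*100 + patch.
version_number() {
    clean=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop letter suffix
    old_ifs=$IFS; IFS=.
    set -- $clean
    IFS=$old_ifs
    echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

classify_openssl() {
    if [ -z "$1" ]; then
        echo "unknown-backend"
        return 0
    fi
    n=$(version_number "$1")
    if [ "$n" -lt 10001 ]; then
        echo "no-tls1.2"                 # older than 1.0.1
    elif [ "$n" -lt 10101 ]; then
        echo "tls1.2-capable-but-eol"    # 1.0.1 up to, not including, 1.1.1
    else
        echo "tls1.2-capable-1.1.1-or-later"
    fi
}

# Constructed sample lines (not captured from the system in the thread).
SAMPLE_OLD='curl 7.19.0 (i586-pc-sco) libcurl/7.19.0 OpenSSL/0.9.8 zlib/1.2.3'
SAMPLE_NEW='curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/1.1.1n zlib/1.2.11'

for line in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    v=$(curl_openssl_version "$line")
    echo "OpenSSL ${v:-?}: $(classify_openssl "$v")"
done
```

On a live host, pass the output of `curl --version` as the argument instead of a sample line.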