PCI Compliance Scan Fail: lighttpd



  • I have a client who is failing a PCI compliance audit.  One of the points of failure is because lighttpd is not version 1.4.34 or higher.

    The client is currently running 2.1.2-RELEASE (i386).  According to the scan, the current version of lighttpd is version 1.4.32.  Do later versions of pfSense upgrade lighttpd?

    I have another client with 2.1.4-RELEASE (x64) but I don't know how to tell the version of lighttpd to see if it's updated in the newest release.

    Thanks
    Aaron



  • 2.1.4 has the latest 1.4.35. There are a number of other security issues in 2.1.2 that maybe an automated scanner wouldn't find, but you need to upgrade to 2.1.4 regardless.



  • Thank you for the info, it's greatly appreciated!

