various Vulnerabilities?

[Ceyarrecks]

Greetings and Well Met ANTIonline!

I realize these questions may intially be broad in their scope, but it is that scope in which I seek understanding.

I would first like to detail a bit of history before I get into my Question(s):

I am a member of my church's Web Page Ministry, and we are beginning (have begun) the ground-work for a new home for the church's domain. We have already chosen the hoster.

With the possible choices before us for the OS of the server to host the church's domain of either Windows2k3 or a *nix flavor.
I want to know, from the community's experience, what VULNERABILITIES exist in BOTH OS's implementations of:

PHP v5.1.4 & v4.4.2
SQL (my)v4.1 & v5.0 ; (M$)v7 & 2000/2005
SSH v3.2 v5.2 (OpenSSH? lost its FIPS cert? is this important?)
SSL v0.9.x ; (NS)v3.0 ; (M$) Exch Srv 07

(I should think this is the majority of concerns for anyone who hosts a website)

the hoster we will use stated they have these:

* unix (v.2.6.15.6) php 4.4 mysql 4.1.

* win2k3 .NET 2k3

I realize the propensity will lean towards OSS, which is fine by me, but I need detailed information for both sides as I will need to explain the reasoning behind choosing OSS. I need pros/cons about both win and nix implementations. (my experience if heavy in client systems, negligible in server)

I want to thank this group in advance, your help and point(s) of view will be most appreciated.

p.s.
I have attempted to use various security related sites in attempts to answer these Q on my own (bugtrak, sans, here) yet while I can find a million references to PHP + vulnerabilities, etc. what I have not found is the understanding gained from one who uses *nix/win.
So thank you again for your help in this.

p.p.s.

mayhaps what I am asking can also be what the community uses for their webpage/hosting server OS, what services they employ (ecommerce, php, forums, etc.) (?)

[SirDice]

what VULNERABILITIES exist in BOTH OS's implementations of

The Changelogs of the respective applications should reveal the information.
As for any MS software: http://www.microsoft.com/security

Usually the source is basicly the same and, as a consequence, so are the bugs.

That said, I do know running PHP and/or Apache on a windows machine does have it's own quirks. This is because PHP and Apache are case-sensitive and windows is not (when it comes to filenames).

One pro I could mention is OSS usually fixes bugs quicker. With MS software you would need to wait until "patch tuesday" each month.

[HTRegz]

Hey Hey,

I'd recommend going to SecurityFocus and searching their... You can search by version of software.... Also check out Mitre for CVE's... You can search the pages and see what you come up with... just pop in the various pieces of software... each one will usually have a link back to the vendor specific version page that will cover the vuln versions...

Peace,
HT

[Ceyarrecks]

thank you for your responses, it is good to have a focus on islands of information within the ocean of the 'net.