Re: libvirt security update CVE-2011-1146

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Hello,
I ask here if CentOS has a xml oval repository. This is the reason of my question:

Actually I have an automatic system to check CVE vulnerabilities report against RedHat OVAL resources, for example:
https://www.redhat.com/security/data/oval/com.redhat.rhsa-2011.xml   for 2011 CVEs and RHSAs related OVALS

My problem is that while the mechanism works flawlessly regarding Scientific Linux, with CentOS I have false positives reports
because the patch level numbers for some rpms is somewhat different from the one written in the official RedHat OVALS.

I make an example to explain myself better:

Consider CVE-2011-0020 which corresponds to RHSA-2011:0180-1 security advisory and it regards a pango vulnerability.

RedHat calls the updated rpm which addresses the vulnerability as pango-1.14.9-8.el5_6.2

CentOS calls it as pango-1.14.9-8.el5.centos.2

so we have:

pango-1.14.9-8.el5_6.2  in the RedHat OVALS while CentOS has pango-1.14.9-8.el5.centos.2 and I think they both addresses the CVE-2011-0020 vulnerability
but since the naming is different I have a report that my pango RPM on CentOS is vulnerable, while on SL with same rpm I have no false positives and everything is ok.

So i ask if CentOS has it's own OVAL xml files because I cannot use i na realiable way the RedHat OVALS with CentOS for my porpouses.

thank you very much

Rick



On 4/28/11 4:17 PM, Johnny Hughes wrote:
On 04/28/2011 07:47 AM, Riccardo Veraldi wrote:
Hello,
I have seen that package libvirt-0.8.2-15.el5_6.3 on CentOS 5.6 which
addresses CVE-2011-1146
<https://www.redhat.com/security/data/cve/CVE-2011-1146.html> vulnerability
is not yet available while for example it is on Scientific Linux.
Is there any particular reason why the above rpm update is still not
available on mirrors ?

This was pushed, it just had a .el5 instead of .el5_6 dist tag, so it
looks older than the other update.  Corrected and repushed.

Thanks,
Johnny Hughes

_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux