Re: Centos security update

On 04/24/2015 04:21 AM, Venkateswara Rao Dokku wrote:
> Hi,
> 
> I was using CentOS 7 and when I ran some custom commercial security scan on
> my machine, I found about 122 vulnerabilities.
> 
> Can you help me on how to get security upgrades on top of my existing
> CentOS?

The short answer: 'yum update'

The long answer: nearly all commercial scanners test via version number,
not actual vulnerabilities. You can take the list of 'vulnerable'
packages and the related CVEs and 'rpm -q <package> --changelog | grep
-i cve' to see that it's been addressed.

Alternatively, upstream maintains a CVE database at
https://access.redhat.com/security/cve/ where you can search the CVE and
match related (or newer) versions.

I have a very long profanity-laden rant about commercial scanning
software and practices that I'll spare folks from. TL;DR: it's all
terrible, and the vendors have little to no incentive for fixing it.

Note: we (CentOS) do not validate CVE closure separately. We rebuild
source provided by RH, assuming that they have done the due diligence.
-- 
Jim Perrin
The CentOS Project | http://www.centos.org
twitter: @BitIntegrity | GPG Key: FA09AD77
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
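The changelog check from the reply above (`rpm -q <package> --changelog | grep -i cve`), worked out as a small POSIX shell script that reports, per CVE ID, whether the package changelog mentions it. This is an added example, not code from the post or from the CentOS project. The changelog text embedded in it is constructed to resemble `rpm --changelog` output so the script runs on a machine without rpm; it is not a real package record, and the CVE IDs in it are used only as sample strings. The `live_report` function shows the same check against an installed package using the rpm command quoted in the post.

```shell
#!/bin/sh
# Added example: check which CVE IDs an RPM changelog mentions.
# Not from the original post or the CentOS project.

# Constructed sample in the shape of `rpm -q <package> --changelog` output.
# Entries are illustrative only, not a real package's changelog.
SAMPLE_CHANGELOG='* Tue Jan 27 2015 Example Maintainer <maint@example.com> - 2.17-55.el7_0.5
- Fix a hostname parsing issue (#1183533, CVE-2015-0235)

* Wed Oct 15 2014 Example Maintainer <maint@example.com> - 2.17-55.el7_0.3
- Fix a crash in word expansion (#1159334, cve-2014-7817)

* Mon Sep 08 2014 Example Maintainer <maint@example.com> - 2.17-55.el7_0.1
- Rebuilt for el7'

# cves_fixed_in CHANGELOG_TEXT
#   Prints every distinct CVE ID found in the changelog, upper-cased and
#   sorted, one per line. Case-insensitive, since packagers are not
#   consistent about "CVE" vs "cve".
cves_fixed_in() {
  printf '%s\n' "$1" \
    | grep -oi 'CVE-[0-9]\{4\}-[0-9]\{4,\}' \
    | tr 'a-z' 'A-Z' \
    | sort -u
}

# cve_status CHANGELOG_TEXT CVE_ID
#   Prints "fixed" if CVE_ID is listed in the changelog, else "unlisted".
#   Matches whole IDs, so CVE-2015-0235 does not match CVE-2015-02350.
cve_status() {
  want=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
  if cves_fixed_in "$1" | grep -qx -- "$want"; then
    echo fixed
  else
    echo unlisted
  fi
}

# report CHANGELOG_TEXT CVE_ID...
#   One "CVE-ID status" line per argument. Exit status is 0 only when every
#   CVE given is listed in the changelog, so it can gate a script.
report() {
  log=$1
  shift
  rc=0
  for cve in "$@"; do
    st=$(cve_status "$log" "$cve")
    [ "$st" = fixed ] || rc=1
    printf '%s %s\n' "$cve" "$st"
  done
  return $rc
}

# live_report PACKAGE CVE_ID...
#   Same check against the installed package, using the rpm command from the
#   post. Requires rpm; not exercised by the constructed demo below.
live_report() {
  pkg=$1
  shift
  report "$(rpm -q "$pkg" --changelog)" "$@"
}

# Demo on the constructed changelog: two listed CVEs and one that is not.
report "$SAMPLE_CHANGELOG" CVE-2015-0235 CVE-2014-7817 CVE-2013-0000 \
  || echo "at least one CVE is not mentioned in the changelog"
```

Feed `live_report` the package name and the CVE IDs your scanner flagged, for example `live_report glibc CVE-2015-0235`. An "unlisted" result is a prompt to look further, not proof of exposure: a backported fix is only visible this way if the packager wrote the CVE ID into the changelog entry, which is why the reply also points at the upstream CVE database for the version comparison.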