On 04/24/2015 04:21 AM, Venkateswara Rao Dokku wrote:
> Hi,
>
> I was using CentOS 7 and when I ran some custom commercial security scan on
> my machine, I found about 122 vulnerabilities.
>
> Can you help me on how to get security upgrades on top of my existing
> CentOS?
The short answer: 'yum update'
The long answer: nearly all commercial scanners test via version number,
not actual vulnerabilities. You can take the list of 'vulnerable'
packages and the related CVEs and 'rpm -q <package> --changelog | grep
-i cve' to see that it's been addressed.
Alternatively, upstream maintains a cve database at
https://access.redhat.com/security/cve/ where you can search the CVE and
match related (or newer) versions.
I have a very long profanity-laden rant about commercial scanning
software and practices that I'll spare folks from. TL;DR it's all
terrible, and the vendors have little to no incentive for fixing it.
Note: we (CentOS) do not validate CVE closure separately. We rebuild
source provided by RH, assuming that they have done the due diligence.
--
Jim Perrin
The CentOS Project | http://www.centos.org
twitter: @BitIntegrity | GPG Key: FA09AD77
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
