Re: Centos security update




On 04/24/2015 04:21 AM, Venkateswara Rao Dokku wrote:
> Hi,
> 
> I was using CentOS 7 and when I ran some custom commercial security scan on
> my machine, I found about 122 vulnerabilities.
> 
> Can you help me on how to get security upgrades on top of my existing
> CentOS?
> 
> # cat /etc/redhat-release
> CentOS Linux release 7.1.1503 (Core)
> 
> Thanks for the help.
> 

You will need to address each individual issue as one event and track it.

Most security software for Ubuntu does not understand the concept of Red
Hat backporting:

https://access.redhat.com/security/updates/backporting/

Therefore, to check CentOS or RHEL properly for security issues, the
software needs to be designed to understand what version of a package
Red Hat fixed an issue in via their backport .. not how it was
fixed in the main upstream project code.

As an example, here is CVE-2014-0226:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0226

Red Hat fixes that in these updates:

EL5 and EL6:
https://rhn.redhat.com/errata/RHSA-2014-0920.html

EL7:
https://rhn.redhat.com/errata/RHSA-2014-0921.html

That means, because of backporting, this issue is fixed in:

EL5:
httpd-2.2.3-87.el5_10.src.rpm

EL6:
httpd-2.2.15-31.el6_5.src.rpm

EL7:
httpd-2.4.6-18.el7_0.src.rpm


If you look at the Apache web page for vulnerabilities for httpd 2.2
(http://httpd.apache.org/security/vulnerabilities_22.html) and
search for CVE-2014-0226, you will find it is fixed in version 2.2.28
upstream .. but Red Hat fixed it in versions 2.2.3-87 and in version
2.2.15.

If your software thinks that in order to be protected for CVE-2014-0226
you need version 2.2.28 or higher of Apache, then your software kicks
out a fail in EL5 if you have version httpd-2.2.3-87 .. but it is NOT a
fail.  So, bottom line, your software has to know how Red Hat did
backports for EL via backporting or it will give false positives.

The same is true for EL7 too .. Apache fixes CVE-2014-0226 in 2.4.10 ..
Red Hat fixes it in httpd-2.4.6-18.el7_0 .. software needs to know
2.4.10 is not needed because of a backport.
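As an added illustration of the point made in this reply (example code written for this archive page, not from the list, Red Hat, or any scanner vendor), here is a small Python script that contrasts a naive upstream-version comparison with a comparison against the RHSA fixed builds quoted above. It uses a simplified rpmvercmp (no epoch or tilde handling) and derives the EL release from the package release tag:

```python
"""Backport-aware check for CVE-2014-0226 on EL hosts (constructed example)."""
import re

# Fixed builds quoted in the thread: RHSA-2014-0920 (EL5/EL6), RHSA-2014-0921 (EL7)
FIXED_NVR = {
    "el5": "httpd-2.2.3-87.el5_10",
    "el6": "httpd-2.2.15-31.el6_5",
    "el7": "httpd-2.4.6-18.el7_0",
}
# Upstream fix versions from httpd.apache.org, keyed by 2.x branch
UPSTREAM_FIX = {"2.2": "2.2.28", "2.4": "2.4.10"}


def _segments(s):
    # rpmvercmp-style tokenisation: runs of digits and runs of letters
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1; numeric segments compare numerically."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment sorts as newer
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # more segments wins


def split_nvr(nvr):
    """'httpd-2.4.6-18.el7_0' -> ('httpd', '2.4.6', '18.el7_0')."""
    return tuple(nvr.rsplit("-", 2))


def naive_check(installed_nvr):
    """What a backport-unaware scanner does: compare the upstream version only."""
    _, version, _ = split_nvr(installed_nvr)
    branch = version.rsplit(".", 1)[0]
    return rpmvercmp(version, UPSTREAM_FIX[branch]) >= 0


def backport_aware_check(installed_nvr):
    """Compare the full version-release against the RHSA fixed build for that EL."""
    _, iv, ir = split_nvr(installed_nvr)
    dist = re.search(r"el\d", ir).group(0)  # e.g. '18.el7_0' -> 'el7'
    _, fv, fr = split_nvr(FIXED_NVR[dist])
    c = rpmvercmp(iv, fv) or rpmvercmp(ir, fr)
    return c >= 0
```

Running it on the EL7 build from the advisory, `naive_check` reports a fail (2.4.6 < 2.4.10) while `backport_aware_check` reports it fixed; an older build such as httpd-2.4.6-17.el7 is correctly flagged by both.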



