[CentOS] libvirt security update CVE-2011-1146

Fri Apr 29 16:10:09 UTC 2011
Johnny Hughes <johnny at centos.org>

On 04/29/2011 04:53 AM, Riccardo Veraldi wrote:
> Hello,
> I ask here if CentOS has a xml oval repository. This is the reason of my
> question:
> 
> Actually I have an automatic system to check CVE vulnerabilities report
> against RedHat OVAL resources, for example:
> https://www.redhat.com/security/data/oval/com.redhat.rhsa-2011.xml   for
> 2011 CVEs and RHSAs related OVALS
> 
> My problem is that while the mechanism works flawlessly regarding
> Scientific Linux, with CentOS I have false positives reports
> because the patch level numbers for some rpms is somewhat different from
> the one written in the official RedHat OVALS.
> 
> I make an example to explain myself better:
> 
> Consider CVE-2011-0020 which corresponds to RHSA-2011:0180-1 security
> advisory and it regards a pango vulnerability.
> 
> RedHat calls the updated rpm which addresses the vulnerability as
> pango-1.14.9-8.el5_6.2
> 
> CentOS calls it as pango-1.14.9-8.el5.centos.2
> 
> so we have:
> 
> pango-1.14.9-8.el5_6.2  in the RedHat OVALS while CentOS has
> pango-1.14.9-8.el5.centos.2 and I think they both addresses the
> CVE-2011-0020 vulnerability
> but since the naming is different I have a report that my pango RPM on
> CentOS is vulnerable, while on SL with same rpm I have no false
> positives and everything is ok.
> 
> So i ask if CentOS has it's own OVAL xml files because I cannot use i na
> realiable way the RedHat OVALS with CentOS for my porpouses.
> 

No, we don't have that .. and we can't "screen scrape" the Red Hat
content and make our own.

While the Red Hat source files are Open Source (Usually GPL, but also
other licenses) and we can rebuild their SRPMS ... their "Customer
Portals" are NOT open source.  In fact, here is the terms for using
their "Customer Portals":

http://www.redhat.com/legal/legal_statement.html

"Red Hat either owns the intellectual property rights in the HTML, text,
images audio, video, software or other content that is made available on
this website, or has obtained the permission of the owner of the
intellectual property to make it available on this website. Red Hat
strictly prohibits the redistribution or copying of any part of this
website or content on this website without written permission from Red
Hat. Red Hat authorizes you to display on your computer, download and
print pages from this website provided: (a) the copyright notice appears
on all such printouts, (b) the information will not be altered, (c) the
content is only used for personal, educational and non-commercial use,
and (d) you do not redistribute or copy the information to any other
media."

Also this one:

https://access.redhat.com/site/help/terms_conditions.html

Use of Content.

Red Hat grants you a personal, non-assignable license to use Red Hat
Content for your own internal use while you are a Red Hat Customer (as
defined in Section 2 above). Distributing any portion of Red Hat Content
to a third party, using any Red Hat Content for the benefit of a third
party or using Red Hat Content in connection with software other than
Red Hat Software under an active Red Hat subscription are all
prohibited. Red Hat authorizes you to display on your computer,
download, play and print the Red Hat Content provided: (a) the copyright
notice is not removed, (b) Red Hat Content is not be altered, (c) Red
Hat Content is used only for your personal, educational and
non-commercial use in support of your active valid subscriptions to Red
Hat products and services and in accordance with your Customer
Agreement, (d) you do not further redistribute or copy Red Hat Content
and (e) you comply with any Additional Terms. In the event of a
conflict, inconsistency or difference between this Section 6 and the
terms of a License or Customer Agreement, the License or Customer
Agreement will control (for example, for Red Hat Content licensed under
a Creative Commons License, you will have the rights set forth in the
applicable Creative Commons License). If you exceed your authorized use
of Red Hat Content (for example, if you use Red Hat Content in support
of Software for which you do not have an active valid subscription), you
may be required under your Customer Agreement to purchase additional
subscriptions to Red Hat products. In addition, your right to continue
to access Red Hat Content from a Red Hat Portal is subject to your
continued compliance with these Terms of Use, your Customer Agreement
and the Additional Terms.

=================================================================

What this means is that we can NOT screen scrape, download, or otherwise
use content from the Red Hat website as a "Template" to then modify can
generate modified copies of that content ... BECAUSE ... content is NOT
software and the Red Hat content is NOT open source.

This is also why we do not duplicate the whole content from security
advisories.  We can point you at it, we can not grab it and modify it
and then republish it.  The centOS Project takes copyright and
intellectual properly rights very seriously.


Thanks,
Johnny Hughes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 253 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20110429/015b62e2/attachment-0005.sig>