[CentOS] CentOS 5 Security Updates
R P Herrold
herrold at centos.org
Thu Feb 24 19:28:08 UTC 2011
On Thu, 24 Feb 2011, Cal Webster wrote:
> java-1.6.0-sun
Non-FOSS, non-source-provided, no? This is in an addon
channel in RHEL, and so far as I know we have never shipped
such.
Of the others, the wireshark update is a periodic update of
some edge-case dissectors [these developers are quite good
about releasing time-based 'fixes' for their tool -- a
different model than upstream, but perfectly valid], and if
nominally remotely exploitable, as a practical matter, not a
material threat.
The kerberos update crossed vendor-sec, but seems again to be
an edge-case hole.
The pgsql update is nominally exploitable, but any sensible
environment uses iptables and network segment isolation rather
than adding a world-listening daemon.
I have commented earlier on my distress at the openjdk
update NOT crossing vendor-sec. This said, again, who in
their right mind exposes an unprotected Java listener
application to the wild?
I saw that another in the project mentioned 'bypassing' the
5.6 respin and testing delays for truly exploitable matter.
The potential 'bind' update's DoS attack vector turned out not
to affect anything CentOS has shipped in base and updates, and
so was a 'false positive', as prior discussion here has noted.
If one wants an SLA and deterministic intervals between
announcement and release, it is just not that hard to set up
one-off building and updates from released sources upstream,
and so one can have it at the price of a little learning and
experimentation.
Alternatively, CentOS releases promptly on the usual norm, and
during 'point' update times, falls back to trying to avoid
'dependency skew' problems by considering the potential
disruption for millions of machines each needing manual
depsolving intervention, vs. getting the next update built and
QA'd and out the door in a durable fashion.
If that is not 'quick enough', see the prior paragraph about
self-building; or seek a vendor who will sell you the SLA you
deem you require. This is a simple 'build vs buy' decision.
[I might note that I have seen NO filed bug in the CentOS
tracker asserting a need for any of the listed updates on an
expedited basis.]
-- Russ herrold
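The point made above about the pgsql update, that a sensible site fences the listener with iptables and segment isolation rather than exposing a world-listening daemon, as an added example that is not the poster's or the CentOS project's own code. It audits a postgresql.conf for a wildcard listen_addresses (the weak setting) and emits iptables rules admitting TCP 5432 only from one trusted segment. The port, the 10.0.1.0/24 subnet and the sample config contents are assumptions for illustration:

```shell
#!/bin/sh
# Added example, not from the list post or the CentOS project: fence a
# PostgreSQL listener on a CentOS 5 host instead of leaving it world-reachable.
# Part 1 audits postgresql.conf for a wildcard listen_addresses; part 2 emits
# iptables rules that admit TCP 5432 only from one trusted network segment.
# PG_PORT, TRUSTED_NET and the sample config contents below are assumptions.

PG_PORT=5432
TRUSTED_NET=10.0.1.0/24   # assumed application-tier subnet

# check_listen_addresses FILE
# Returns 0 when every listen_addresses entry is loopback or a specific host,
# 1 when any entry is a wildcard ('*', 0.0.0.0 or ::). Only the last
# uncommented setting counts, as in PostgreSQL; a missing setting is treated
# as PostgreSQL's compiled-in default of 'localhost'.
check_listen_addresses() {
  conf=$1
  val=$(sed -n "s/^[[:space:]]*listen_addresses[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$conf" | tail -n 1)
  [ -z "$val" ] && val=localhost
  # One address per line, whitespace stripped, whole-line match on wildcards.
  printf '%s\n' "$val" | tr ',' '\n' | tr -d ' \t' | grep -qxE '\*|0\.0\.0\.0|::' && return 1
  return 0
}

# pg_firewall_rules
# Prints the iptables commands instead of running them, so they can be
# reviewed (and tested) without root; on the host:  pg_firewall_rules | sh
# Rules are inserted at the head of INPUT (-I ... 1) so CentOS 5's stock
# RH-Firewall-1-INPUT jump does not pre-empt them; the DROP is inserted first
# and the ACCEPT second, leaving ACCEPT ahead of DROP in the chain.
pg_firewall_rules() {
  printf 'iptables -I INPUT 1 -p tcp --dport %s -j DROP\n' "$PG_PORT"
  printf 'iptables -I INPUT 1 -p tcp --dport %s -s %s -m state --state NEW -j ACCEPT\n' "$PG_PORT" "$TRUSTED_NET"
}

# Constructed sample configs: the weak setting beside the corrected one.
WEAK_CONF=$(mktemp)
GOOD_CONF=$(mktemp)
printf "#listen_addresses = 'localhost'\nlisten_addresses = '*'\nport = 5432\n" > "$WEAK_CONF"
printf "listen_addresses = 'localhost, 10.0.1.5'\nport = 5432\n" > "$GOOD_CONF"

for f in "$WEAK_CONF" "$GOOD_CONF"; do
  if check_listen_addresses "$f"; then
    echo "$f: listener confined to explicit addresses"
  else
    echo "$f: WORLD-LISTENING - fix listen_addresses and fence with iptables:"
    pg_firewall_rules
  fi
done
rm -f "$WEAK_CONF" "$GOOD_CONF"
```

The firewall rules are a backstop, not a substitute for the config fix: a daemon bound to loopback or an internal address is not reachable from the wild even on a host whose iptables policy is later flushed. pg_hba.conf still governs which clients on the trusted segment may authenticate.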