[CentOS] Centos security update

Fri Apr 24 13:09:01 UTC 2015
Johnny Hughes <johnny at centos.org>

On 04/24/2015 04:21 AM, Venkateswara Rao Dokku wrote:
> Hi,
> 
> I was using CentOS 7 and when I ran some custom commercial security scan on
> my machine, I found about 122 vulnerabilities.
> 
> Can you help me on how to get security upgrades on top of my existing
> CentOS?
> 
> # cat /etc/redhat-release
> CentOS Linux release 7.1.1503 (Core)
> 
> Thanks for the help.
> 

You will need to address each individual issue as one event and track it.

Most security software for Ubuntu does not understand the concept of Red
Hat backporting:

https://access.redhat.com/security/updates/backporting/

Therefore, to check CentOS or RHEL properly for security issues, the
software needs to be designed to understand what version of a package
that Red Hat fixed an issue in via their backport .. not how it was
fixed in the main upstream project code.

As an example, here is CVE-2014-0226:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0226

Red Hat fixes that in these updates:

EL5 and EL6:
https://rhn.redhat.com/errata/RHSA-2014-0920.html

EL7:
https://rhn.redhat.com/errata/RHSA-2014-0921.html

That means, because of backporting, this issue is fixed in:

EL5:
httpd-2.2.3-87.el5_10.src.rpm

EL6:
httpd-2.2.15-31.el6_5.src.rpm

EL7:
httpd-2.4.6-18.el7_0.src.rpm


If you look at the apache web page for vulnerabilities for httpd 2.2
(http://httpd.apache.org/security/vulnerabilities_22.html) and if you
search for CVE-2014-0226 you will find it is fixed in version 2.2.28
upstream .. but Red Hat fixed it in versions 2.2.3-87 and in version
2.2.15.

If your software thinks that in order to be protected for CVE-2014-0226
that you need version 2.2.28 or higher apache, then your software kicks
out a fail in EL5 if you have version httpd-2.2.3-87 .. but it is NOT a
fail.  So, bottom line, your software has to know how Red Hat did
backports for EL via backporting or it will give false positives.

The same is true for EL7 too .. apache fixes CVE-2014-0226 in 2.4.10 ..
Red Hat fixes it in httpd-2.4.6-18.el7_0 .. software needs to know
2.4.10 is not needed because of a backport.



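The comparison Johnny describes, as an added example that is not part of the original thread: a backport-aware check that orders RPM version and release strings the way rpmvercmp does, with the fixed httpd builds taken from the errata cited above, beside the naive upstream-only check that produces the false positive. The simplified rpmvercmp (no tilde or caret handling) and the assumption that httpd carries no epoch are mine, not CentOS's or Red Hat's code.

```python
import re

# Fixed httpd builds per EL release for CVE-2014-0226, from the errata
# cited in the message above (name-version-release, epoch assumed 0).
FIXED_HTTPD = {
    "el5": "httpd-2.2.3-87.el5_10",
    "el6": "httpd-2.2.15-31.el6_5",
    "el7": "httpd-2.4.6-18.el7_0",
}
# Upstream versions that first contained the fix, per the Apache pages.
UPSTREAM_FIXED = {"2.2": "2.2.28", "2.4": "2.4.10"}

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Simplified rpmvercmp(): split into numeric/alphabetic segments,
    numbers compare numerically, a numeric segment is newer than an
    alphabetic one, and the string with more segments is newer.
    Returns -1, 0 or 1. Tilde/caret ordering is not implemented."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nvr(nvr):
    """'httpd-2.2.3-87.el5_10' -> ('httpd', '2.2.3', '87.el5_10')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def upstream_only_check(installed):
    """Naive scanner: compares the bare version number against the
    upstream fix version, ignoring the distro release. False positives."""
    _, version, _ = split_nvr(installed)
    branch = version.rsplit(".", 1)[0]  # "2.2" or "2.4"
    return rpmvercmp(version, UPSTREAM_FIXED[branch]) >= 0


def backport_aware_check(installed, el):
    """Compare version, then release, against the errata's fixed build."""
    _, v_inst, r_inst = split_nvr(installed)
    _, v_fix, r_fix = split_nvr(FIXED_HTTPD[el])
    return (rpmvercmp(v_inst, v_fix) or rpmvercmp(r_inst, r_fix)) >= 0
```

On a real host the installed string comes from `rpm -q httpd`; the same two checks applied to httpd-2.2.3-87.el5_10 disagree, which is exactly the false positive described above.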