According to the CentOS-CR-Announce list, there is recently an update for httpd in CentOS 5 CR repo. But the announcement http://lists.centos.org/pipermail/centos-cr-announce/2011-September/000293.h... refers to upstream RHBA-2011-1067, which is the version released with 5.7 base packages. Upstream has an update for CVE-2011-3192 whose announcement is RHSA-2011-1245, and this update of httpd has version number 2.2.3-53.el5_7.1, which is higher than that in C5 CR repo (2.2.3-53.el5.centos). Maybe there should be another update for httpd in CentOS 5 CR repo. BTW, any update on C6.1 (or 6.0 CR packages)?
Regards.
On 07/09/11 05:20, dfrg.msc wrote:
According to the CentOS-CR-Announce list, there is recently an update for httpd in CentOS 5 CR repo. But the announcement http://lists.centos.org/pipermail/centos-cr-announce/2011-September/000293.h... refers to upstream RHBA-2011-1067, which is the version released with 5.7 base packages. Upstream has an update for CVE-2011-3192 whose announcement is RHSA-2011-1245, and this update of httpd has version number 2.2.3-53.el5_7.1, which is higher than that in C5 CR repo (2.2.3-53.el5.centos). Maybe there should be another update for httpd in CentOS 5 CR repo. BTW, any update on C6.1 (or 6.0 CR packages)?
Regards.
Please see this extremely lengthy thread for an explanation as to why this is confusing:
http://lists.centos.org/pipermail/centos-devel/2011-May/007477.html
You cannot go by the package name-version-release string alone as CentOS change this. Try examining the changelog and look for the above CVEs.
On Wed, Sep 7, 2011 at 7:38 AM, Ned Slider ned@unixmail.co.uk wrote:
On 07/09/11 05:20, dfrg.msc wrote:
According to the CentOS-CR-Announce list, there is recently an update for httpd in CentOS 5 CR repo. But the announcement http://lists.centos.org/pipermail/centos-cr-announce/2011-September/000293.h... refers to upstream RHBA-2011-1067, which is the version released with 5.7 base packages. Upstream has an update for CVE-2011-3192 whose announcement is RHSA-2011-1245, and this update of httpd has version number 2.2.3-53.el5_7.1, which is higher than that in C5 CR repo (2.2.3-53.el5.centos). Maybe there should be another update for httpd in CentOS 5 CR repo. BTW, any update on C6.1 (or 6.0 CR packages)?
Regards.
Please see this extremely lengthy thread for an explanation as to why this is confusing:
http://lists.centos.org/pipermail/centos-devel/2011-May/007477.html
You cannot go by the package name-version-release string alone as CentOS change this. Try examining the changelog and look for the above CVEs.
I think the sender was meaning about the RHBA/RHSA numbers. If the referred CR package contains both the RHBA-2011-1067 and RHSA-2011-1245 I think they should be both present in the body of the announce message, so also the link: http://rhn.redhat.com/errata/RHSA-2011-1245.html
Gianluca
BTW: +1 for the question about CentOS 6.1 and 6.0CR updates..
On Wed, 7 Sep 2011 09:22:49 +0200 Gianluca Cecchi gianluca.cecchi@gmail.com wrote:
Gianluca
BTW: +1 for the question about CentOS 6.1 and 6.0CR updates..
On an earlier thread KB mentioned that status updates would be made to the dev qa page only: http://qaweb.dev.centos.org/qa/
There's a comment to the CentOS 6.1 status update message from Thurs 1 Sept from Fabian A. that says CentOS 6.1 current status : 16 packages still don't built/link like they should. So no installable tree/ISO is currently available for the QA team to test. no ETA for that
I have the page bookmarked.
Cia W.
On Wed, Sep 7, 2011 at 5:53 PM, Cia Watson wrote:
On an earlier thread KB mentioned that status updates would be made to the dev qa page only: http://qaweb.dev.centos.org/qa/
There's a comment to the CentOS 6.1 status update message from Thurs 1 Sept from Fabian A. that says CentOS 6.1 current status : 16 packages still don't built/link like they should. So no installable tree/ISO is currently available for the QA team to test. no ETA for that
I have the page bookmarked.
I have that page constantly opened in a dedicated tab too... but I cannot post comments on that page... can I register for this? In my opinion packages that are iso blockers don't necessarily mean a block for 6.0 CR realization but probably it depends on which kind of packages have problems... information that I don't have... If I understood correctly its aim, CR generation should have a little higher priority than perfect/final installable iso... or not?
Gianluca
2011/9/7 Ned Slider ned@unixmail.co.uk:
On 07/09/11 05:20, dfrg.msc wrote:
According to the CentOS-CR-Announce list, there is recently an update for httpd in CentOS 5 CR repo. But the announcement http://lists.centos.org/pipermail/centos-cr-announce/2011-September/000293.h... refers to upstream RHBA-2011-1067, which is the version released with 5.7 base packages. Upstream has an update for CVE-2011-3192 whose announcement is RHSA-2011-1245, and this update of httpd has version number 2.2.3-53.el5_7.1, which is higher than that in C5 CR repo (2.2.3-53.el5.centos). Maybe there should be another update for httpd in CentOS 5 CR repo. BTW, any update on C6.1 (or 6.0 CR packages)?
Regards.
Please see this extremely lengthy thread for an explanation as to why this is confusing:
http://lists.centos.org/pipermail/centos-devel/2011-May/007477.html
You cannot go by the package name-version-release string alone as CentOS change this. Try examining the changelog and look for the above CVEs.
CentOS-devel mailing list CentOS-devel@centos.org http://lists.centos.org/mailman/listinfo/centos-devel
I understand. So there is already CVE-2011-3192 rpms uploaded to CentOS 5 CR repo, but no announcement posted yet.
Am 07.09.2011 um 15:11 schrieb dfrg.msc:
2011/9/7 Ned Slider ned@unixmail.co.uk:
On 07/09/11 05:20, dfrg.msc wrote:
According to the CentOS-CR-Announce list, there is recently an update for httpd in CentOS 5 CR repo. But the announcement http://lists.centos.org/pipermail/centos-cr-announce/2011-September/000293.h... refers to upstream RHBA-2011-1067, which is the version released with 5.7 base packages. Upstream has an update for CVE-2011-3192 whose announcement is RHSA-2011-1245, and this update of httpd has version number 2.2.3-53.el5_7.1, which is higher than that in C5 CR repo (2.2.3-53.el5.centos). Maybe there should be another update for httpd in CentOS 5 CR repo. BTW, any update on C6.1 (or 6.0 CR packages)?
Regards.
Please see this extremely lengthy thread for an explanation as to why this is confusing:
http://lists.centos.org/pipermail/centos-devel/2011-May/007477.html
You cannot go by the package name-version-release string alone as CentOS change this. Try examining the changelog and look for the above CVEs.
I understand. So there is already CVE-2011-3192 rpms uploaded to CentOS 5 CR repo, but no announcement posted yet.
That's correct:
rpm -qp --changelog http://mirror.centos.org/centos-5/5/cr/x86_64/RPMS/httpd-2.2.3-53.el5.centos... | head
-- LF
On Wed, Sep 7, 2011 at 5:27 PM, Leon Fauster wrote:
That's correct:
rpm -qp --changelog http://mirror.centos.org/centos-5/5/cr/x86_64/RPMS/httpd-2.2.3-53.el5.centos... | head
If a CentOS package contains aggregated upstream sequentially provided corrections, I think it is desirable to have all of the related RHSA/RHBA/RHEA links mentioned in the body of the related CentOS announce mail message. Just my opinion to provide better service.
Gianluca
On 09/07/2011 04:33 PM, Gianluca Cecchi wrote:
On Wed, Sep 7, 2011 at 5:27 PM, Leon Fauster wrote:
That's correct:
rpm -qp --changelog http://mirror.centos.org/centos-5/5/cr/x86_64/RPMS/httpd-2.2.3-53.el5.centos... | head
If a CentOS package contains aggregated upstream sequentially provided corrections, I think it is desirable to have all of the related RHSA/RHBA/RHEA links mentioned in the body of the related CentOS announce mail message. Just my opinion to provide better service.
A CentOS rpm only contains exactly what was in the corresponding srpm released upstream. The only changes are to branding.
- KB
On Wed, Sep 7, 2011 at 6:31 PM, Karanbir Singh wrote:
On 09/07/2011 04:33 PM, Gianluca Cecchi wrote:
On Wed, Sep 7, 2011 at 5:27 PM, Leon Fauster wrote:
That's correct:
rpm -qp --changelog http://mirror.centos.org/centos-5/5/cr/x86_64/RPMS/httpd-2.2.3-53.el5.centos... | head
If a CentOS package contains aggregated upstream sequentially provided corrections, I think it is desirable to have all of the related RHSA/RHBA/RHEA links mentioned in the body of the related CentOS announce mail message. Just my opinion to provide better service.
A CentOS rpm only contains exactly what was in the corresponding srpm released upstream. The only changes are to branding.
Ok, so let us see if I have now understood:
1) RH EL 5.7 official has httpd 2.2.3-53.el5.ia64.rpm at 21/07 and link to https://rhn.redhat.com/errata/RHBA-2011-1067.html in announcement
2) CentOS 5.7 iso not released yet, but when released it will contain the same rpm (apart from branding things) as upstream and an e-mail announcement in centos-announce will contain same link as 1) so package name will be probably httpd-2.2.3-53.el5.centos.x86_64.rpm
3) upstream releases a further update to the package 2.2.3-53.el5_7.1.ia64.rpm at 31/08 and link to http://rhn.redhat.com/errata/RHSA-2011-1245.html
4) CentOS 5.6 CR has been released at 15/08 and at 01/09 releases a package named httpd-2.2.3-53.el5.centos.x86_64.rpm with the same link as 1) for RHBA because it has been built from upstream 5.7 release and this will probably be the rpm present inside iso image. BTW: the link Leon provided in his e-mail was to a next released CentOS httpd (notice the .1 in its name.. this was misleading for me... ;-)
5) On mirror under CR folder there are now (07/09): httpd-2.2.3-53.el5.centos.1.x86_64.rpm (dated 01/09??) httpd-2.2.3-53.el5.centos.x86_64.rpm (dated 05/09...)
[gcecchi@tekkaman ~]$ rpm -qp --changelog http://mirror.centos.org/centos-5/5.6/cr/x86_64/RPMS/httpd-2.2.3-53.el5.cent... | head
warning: http://mirror.centos.org/centos-5/5.6/cr/x86_64/RPMS/httpd-2.2.3-53.el5.cent...: Header V3 DSA/SHA1 Signature, key ID e8562897: NOKEY
* Sat Aug 20 2011 Karanbir Singh kbsingh@centos.org - 2.2.3-53.el5.centos
- Roll in CentOS Branding
* Fri Jun 17 2011 Joe Orton jorton@redhat.com - 2.2.3-53
- mod_cache: add "hard" argument to CacheMaxExpire (#379811)
* Thu May 12 2011 Joe Orton jorton@redhat.com - 2.2.3-52
- mod_include: fix parsing across bucket boundaries (#698402)
* Fri Apr 15 2011 Joe Orton jorton@redhat.com - 2.2.3-50
(build date is "Build Date: Fri 19 Aug 2011 05:22:46 PM CEST")
[gcecchi@tekkaman ~]$ rpm -qp --changelog http://mirror.centos.org/centos-5/5.6/cr/x86_64/RPMS/httpd-2.2.3-53.el5.cent... | head
warning: http://mirror.centos.org/centos-5/5.6/cr/x86_64/RPMS/httpd-2.2.3-53.el5.cent...: Header V3 DSA/SHA1 Signature, key ID e8562897: NOKEY
* Thu Sep 01 2011 Karanbir Singh kbsingh@centos.org - 2.2.3-53.el5.centos.1
- Roll in CentOS Branding
* Wed Aug 31 2011 Joe Orton jorton@redhat.com - 2.2.3-53.1
- add security fix for CVE-2011-3192 (#733059)
(build date is "Build Date: Thu 01 Sep 2011 02:23:54 AM CEST")
So I think that the CR announce at http://lists.centos.org/pipermail/centos-cr-announce/2011-September/000293.h... contains only 5.7 rpm version, and correctly only the link to https://rhn.redhat.com/errata/RHBA-2011-1067.html
while the CR announce for httpd-2.2.3-53.el5.centos.1.x86_64.rpm has to be sent yet (at least to the archives of centos-cr-announce) and will contain the link http://rhn.redhat.com/errata/RHSA-2011-1245.html
and so it will be for a further announcement in official centos-announce mailing list when 5.7 and its official updates will be released. HIH clarification for other guys too...
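The check suggested earlier in the thread (read the package changelog rather than compare name-version-release strings), as an added example that is not part of the original messages: it scans changelog text for a CVE id and reports the entry that records the fix. The function names are made up for this example, and the sample text is the changelog output quoted in the message above.

```shell
#!/bin/sh
# Added example, not from the thread: decide from changelog text, not from the
# name-version-release string, whether a package records the fix for a CVE.

# Changelog excerpts as quoted in the thread for the two CR packages.
CR_FIRST='* Sat Aug 20 2011 Karanbir Singh kbsingh@centos.org - 2.2.3-53.el5.centos
- Roll in CentOS Branding
* Fri Jun 17 2011 Joe Orton jorton@redhat.com - 2.2.3-53
- mod_cache: add "hard" argument to CacheMaxExpire (#379811)
* Thu May 12 2011 Joe Orton jorton@redhat.com - 2.2.3-52
- mod_include: fix parsing across bucket boundaries (#698402)'

CR_SECOND='* Thu Sep 01 2011 Karanbir Singh kbsingh@centos.org - 2.2.3-53.el5.centos.1
- Roll in CentOS Branding
* Wed Aug 31 2011 Joe Orton jorton@redhat.com - 2.2.3-53.1
- add security fix for CVE-2011-3192 (#733059)'

# cve_entry CVE-ID < changelog   (hypothetical helper)
# Prints the header of the first (newest) changelog entry that mentions the CVE.
# Returns 1 when no entry mentions it.
cve_entry() {
    awk -v cve="$1" '
        /^\* / { header = $0; next }          # entry header line
        !found && index($0, cve) { print header; found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# fixed_in CVE-ID < changelog   (hypothetical helper)
# Prints only the version-release recorded in that entry; empty if none.
fixed_in() {
    cve_entry "$1" | sed 's/.* - //'
}

# report LABEL CVE-ID CHANGELOG: one-line verdict; always returns 0.
report() {
    if ver=$(printf '%s\n' "$3" | fixed_in "$2") && [ -n "$ver" ]; then
        echo "$1: $2 fixed (changelog entry $ver)"
    else
        echo "$1: $2 not mentioned in changelog"
    fi
}

report "httpd-2.2.3-53.el5.centos" CVE-2011-3192 "$CR_FIRST"
report "httpd-2.2.3-53.el5.centos.1" CVE-2011-3192 "$CR_SECOND"
```

On an installed system the same functions take `rpm -q --changelog httpd` on stdin; for a package file use `rpm -qp --changelog` as in the thread.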
On 09/07/2011 08:26 PM, Gianluca Cecchi wrote:
- On mirror under CR folder there are now (07/09):
httpd-2.2.3-53.el5.centos.1.x86_64.rpm (dated 01/09??) httpd-2.2.3-53.el5.centos.x86_64.rpm (dated 05/09...)
you are confusing yourself looking at an irrelevant metric ( date of last change ). If you really must use a datestamp to compare rpms, use the builddate for the package.
- KB
On 09/07/2011 08:26 PM, Gianluca Cecchi wrote:
while the CR announce for httpd-2.2.3-53.el5.centos.1.x86_64.rpm has to be sent yet (at least to the archives of centos-cr-announce) and will contain the link http://rhn.redhat.com/errata/RHSA-2011-1245.html
yes, you are right, that announcement didn't make it. I will check why that is.
- KB
2011/9/8 Karanbir Singh mail-lists@karan.org:
On 09/07/2011 08:26 PM, Gianluca Cecchi wrote:
while the CR announce for httpd-2.2.3-53.el5.centos.1.x86_64.rpm has to be sent yet (at least to the archives of centos-cr-announce) and will contain the link http://rhn.redhat.com/errata/RHSA-2011-1245.html
yes, you are right, that announcement didn't make it. I will check why that is.
- KB
Strangely, while announcements for 5.7 updates were all reposted to CentOS-Announce list, the announcement of CESA-2011:1245 is still missing on CentOS-Announce list now.
And any update on 6.0 CR at this point?