On 04/24/2015 04:21 AM, Venkateswara Rao Dokku wrote:
Hi,
I was using CentOS 7 and when I ran some custom commercial security scan on my machine, I found about 122 vulnerabilities.
Can you help me on how to get security upgrades on top of my existing CentOS?
# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
Thanks for the help.
You will need to address each individual issue as one event and track it.
Most security software for Ubuntu does not understand the concept of Red Hat backporting:
https://access.redhat.com/security/updates/backporting/
Therefore, to check CentOS or RHEL properly for security issues, the software needs to be designed to understand what version of a package Red Hat fixed an issue in via their backport .. not how it was fixed in the main upstream project code.
As an example, here is CVE-2014-0226:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0226
Red Hat fixes that in these updates:
EL5 and EL6: https://rhn.redhat.com/errata/RHSA-2014-0920.html
EL7: https://rhn.redhat.com/errata/RHSA-2014-0921.html
That means, because of backporting, this issue is fixed in:
EL5: httpd-2.2.3-87.el5_10.src.rpm
EL6: httpd-2.2.15-31.el6_5.src.rpm
EL7: httpd-2.4.6-18.el7_0.src.rpm
If you look at the apache web page for vulnerabilities for httpd 2.2 (http://httpd.apache.org/security/vulnerabilities_22.html) and if you search for CVE-2014-0226 you will find it is fixed in version 2.2.28 upstream .. but Red Hat fixed it in versions 2.2.3-87 and in version 2.2.15.
If your software thinks that in order to be protected for CVE-2014-0226 you need version 2.2.28 or higher apache, then your software kicks out a fail in EL5 if you have version httpd-2.2.3-87 .. but it is NOT a fail. So, bottom line, your software has to know how Red Hat did backports for EL via backporting or it will give false positives.
The same is true for EL7 too .. apache fixes CVE-2014-0226 in 2.4.10 .. Red Hat fixes it in httpd-2.4.6-18.el7_0 .. software needs to know 2.4.10 is not needed because of a backport.
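The false positive described in the reply above can be shown concretely. The following Python script is an added example and is not part of the thread or of any Red Hat or CentOS tooling: it compares an installed httpd package against the CVE-2014-0226 fix versions listed in the reply (httpd-2.2.3-87.el5_10, httpd-2.2.15-31.el6_5, httpd-2.4.6-18.el7_0), once the naive "upstream version" way and once the backport-aware way, using an rpm-style version comparison. The function names, the `FIXED`/`UPSTREAM_FIXED` tables and the sample installed package names are constructed for the example; the comparison ignores epoch and rpm's tilde/caret rules, which none of these versions use.

```python
import re

# CVE -> dist tag -> first package build that carries Red Hat's backported fix.
# Values are the ones quoted in the mailing-list reply (RHSA-2014-0920 / 0921).
FIXED = {
    "CVE-2014-0226": {
        "el5": "httpd-2.2.3-87.el5_10",
        "el6": "httpd-2.2.15-31.el6_5",
        "el7": "httpd-2.4.6-18.el7_0",
    }
}

# CVE -> upstream branch -> upstream release that fixed it (per httpd.apache.org,
# as cited in the reply). This is what a backport-unaware scanner keys on.
UPSTREAM_FIXED = {"CVE-2014-0226": {"2.2": "2.2.28", "2.4": "2.4.10"}}


def _segments(s):
    # rpm compares alternating numeric and alphabetic runs; separators are ignored.
    return re.findall(r"[0-9]+|[a-zA-Z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp: -1 if a < b, 0 if equal, 1 if a > b (no epoch/tilde/caret)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            # rpm rule: a numeric segment sorts newer than an alphabetic one
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1  # the string with more segments is newer


def parse_nvr(pkg):
    """Split 'name-version-release[.arch.rpm]' into (name, version, release)."""
    pkg = re.sub(r"\.(src|noarch|x86_64|i686)\.rpm$", "", pkg)
    name, ver, rel = pkg.rsplit("-", 2)
    return name, ver, rel


def dist_of(release):
    # '87.el5_10' -> 'el5'; '18.el7_0' -> 'el7'
    m = re.search(r"\.el(\d+)", release)
    return "el%s" % m.group(1) if m else None


def naive_upstream_vulnerable(installed, cve):
    """What a backport-unaware scanner does: compare the bare version to upstream's fix."""
    _, ver, _ = parse_nvr(installed)
    branch = ".".join(ver.split(".")[:2])
    return rpmvercmp(ver, UPSTREAM_FIXED[cve][branch]) < 0


def backport_aware_vulnerable(installed, cve):
    """Compare version-release against the first fixed build for the same EL dist.

    Returns True (vulnerable), False (fixed), or None (dist not in the table)."""
    name, ver, rel = parse_nvr(installed)
    fixed = FIXED[cve].get(dist_of(rel))
    if fixed is None:
        return None
    fname, fver, frel = parse_nvr(fixed)
    if fname != name:
        raise ValueError("fix table entry %s is not for package %s" % (fixed, name))
    c = rpmvercmp(ver, fver)
    if c == 0:
        c = rpmvercmp(rel, frel)
    return c < 0


if __name__ == "__main__":
    # Constructed sample inventory: one package per dist, as 'rpm -q httpd' would print it.
    for pkg in ("httpd-2.2.3-87.el5_10", "httpd-2.2.3-86.el5_10",
                "httpd-2.2.15-31.el6_5", "httpd-2.4.6-18.el7_0", "httpd-2.4.6-31.el7"):
        print("%-24s naive=%-5s backport-aware=%s" % (
            pkg, naive_upstream_vulnerable(pkg, "CVE-2014-0226"),
            backport_aware_vulnerable(pkg, "CVE-2014-0226")))
```

Every fixed build reports `naive=True` (the false positive the reply describes) but `backport-aware=False`; only httpd-2.2.3-86.el5_10, one release short of the fix, is flagged by both. On a real host the same check the script performs can be cross-checked against the packager's own record with `rpm -q --changelog httpd | grep CVE-2014-0226`, which works because Red Hat lists the CVEs fixed in each build in the package changelog.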