-----Original Message----- From: Johnny Hughes Sent: Thursday, May 29, 2014 8:46
I want to be very clear on CVE's and the way they are tested at CentOS.
First, I want to ensure everyone knows that CentOS does NOT usually do any verification with respect to CVE issues. We build what Red Hat releases when they release it. Their security and engineering teams are the ones that research the problem, develop a plan, write code, build the new packages and test to verify that:
- There was a problem that needs fixing.
- The fix proposed actually fixes the vulnerability (in RHEL).
We then grab the released code after Red Hat publicly releases it and build it for CentOS.
What does this mean for CentOS users ... it means that YOU are responsible to test that there is no longer an issue in YOUR environment after you do the install. If you want a CERTIFIED fix that has been tested, that is what Red Hat provides in RHEL. The reason they charge a subscription price is because they do all this testing and they provide assurance that the issues are known, fixed, tested, and certified as mitigated.
All of that being said, if you are concerned with the security aspects of an update, you have to have ALL updates before that one also installed.
E.g.
If you have an older glibc, then why would you think that something that calls that library would necessarily be secure by adding an update to the kernel?
All libraries (so ALL PREVIOUS PACKAGES), INCLUDING the package in question that fixes the CVE, need to be installed to be confident that you have mitigated a problem. This is CLEARLY stated on every Red Hat security page ... here is a quote from an exemplar CVE from the upstream provider:
"Before applying this update, make sure all previously released errata relevant to your system have been applied."
You can't JUST install the package that has the CVE fix and leave everything else at an older level. Certainly if you do, you must validate that in THAT scenario (old packageZ, older packageY, new packageX). Even in RHEL, if you only install one Security update and none of the preceding updates, you would need to test that the issue was mitigated in that scenario as that would NOT have been tested or certified by any team.
<snip/>
To be clear, installing only Security Updates and not also all updates preceding that Security Update is not (nor has it ever been) recommended ... if you do it, you are not using a tested configuration. This is true of ANY operating system, not just CentOS.
-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - - Jason Pyeron PD Inc. http://www.pdinc.us - - Principal Consultant 10 West 24th Street #100 - - +1 (443) 269-1555 x333 Baltimore, Maryland 21218 - - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This message is copyright PD Inc, subject to license 20080407P00.
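As an added example (written by the editor; it is not from the message above and is not CentOS or Red Hat tooling): the "old packageZ, older packageY, new packageX" state the message warns about can be detected mechanically by comparing the installed package set against the EVR (epoch:version-release) each published erratum brings a package to. The script below reimplements RPM's version ordering (the rpmvercmp segment rules, tilde included; that this matches rpm for every corner case is an assumption), then reports whether the CVE fix is present and which other installed packages are still behind the errata baseline. The baseline dictionary and the installed-package lines are constructed for illustration; on a real host the package list comes from `rpm -qa` with a `--qf` format printing name, epoch, version and release, and the baseline from the distribution's errata metadata.

```python
"""Flag a host that has one security fix installed but is behind on the
errata that precede it.  Editor-added example, not CentOS/Red Hat code."""
import re

# Constructed baseline: the EVR each package reaches once every erratum
# published so far is applied.  Illustrative values, not real errata.
ERRATA_BASELINE = {
    "glibc":   "0:2.12-1.132.el6_5.2",
    "openssl": "0:1.0.1e-16.el6_5.14",
    "kernel":  "0:2.6.32-431.17.1.el6",
    "bash":    "0:4.1.2-15.el6_5.1",
}

# Constructed "name EVR" lines (epoch optional) for a host that installed
# only the openssl fix and skipped everything before it.
INSTALLED_SAMPLE = """\
glibc 0:2.12-1.107.el6
openssl 0:1.0.1e-16.el6_5.14
kernel 2.6.32-358.el6
bash 0:4.1.2-15.el6
"""

# rpm splits a label into runs of digits, runs of letters, and '~'; every
# other character is a separator and is ignored.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Order two version or release labels like rpm's rpmvercmp (reimplemented
    here): numeric segments compare by value, alphabetic ones lexically, a
    numeric segment beats an alphabetic one, '~' sorts before anything (so
    1.0~rc1 < 1.0), and a longer label wins when all shared segments tie."""
    ta, tb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = j = 0
    while i < len(ta) or j < len(tb):
        x = ta[i] if i < len(ta) else None
        y = tb[j] if j < len(tb) else None
        if x == "~" or y == "~":          # tilde: pre-release, sorts lowest
            if x != "~":
                return 1
            if y != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if x is None or y is None:        # one label ran out of segments
            break
        if x.isdigit():
            if not y.isdigit():
                return 1                  # numeric is newer than alpha
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        else:
            if y.isdigit():
                return -1
            if x != y:
                return 1 if x > y else -1
        i, j = i + 1, j + 1
    if i >= len(ta) and j >= len(tb):
        return 0
    return -1 if i >= len(ta) else 1


def parse_evr(evr: str):
    """Split 'epoch:version-release' into (epoch, version, release); a missing
    epoch is 0, as rpm treats it."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return int(epoch), version, release


def evrcmp(a: str, b: str) -> int:
    """Full EVR ordering: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def errata_gaps(installed_text: str, baseline: dict, fix_package: str):
    """Return (fix_applied, behind): whether fix_package is at or above its
    baseline EVR, and the sorted names of installed packages that are still
    older than the errata baseline.  Packages not installed are not
    'relevant to your system' and are ignored."""
    installed = dict(line.split() for line in installed_text.splitlines() if line.strip())
    behind = sorted(name for name, need in baseline.items()
                    if name in installed and evrcmp(installed[name], need) < 0)
    fix_applied = (fix_package in installed
                   and evrcmp(installed[fix_package], baseline[fix_package]) >= 0)
    return fix_applied, behind


if __name__ == "__main__":
    applied, behind = errata_gaps(INSTALLED_SAMPLE, ERRATA_BASELINE, "openssl")
    print("openssl fix installed:", applied)
    if behind:
        print("UNTESTED configuration: packages behind the errata baseline:", ", ".join(behind))
```

Run against the constructed host the report says the openssl fix is present but glibc, kernel and bash are behind, which is exactly the configuration no one has tested or certified.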