On 04/24/2015 04:21 AM, Venkateswara Rao Dokku wrote:
> Hi,
> I was using CentOS 7 and when I ran some custom commercial security scan on my machine, I found about 122 vulnerabilities.
> Can you help me with how to get security upgrades on top of my existing CentOS?
The short answer: 'yum update'
The long answer: nearly all commercial scanners test via version number, not actual vulnerabilities. You can take the list of 'vulnerable' packages and the related CVEs and 'rpm -q <package> --changelog | grep -i cve' to see that it's been addressed.
Alternatively, upstream maintains a CVE database at https://access.redhat.com/security/cve/ where you can search the CVE and match related (or newer) versions.
I have a very long profanity-laden rant about commercial scanning software and practices that I'll spare folks from. TL;DR it's all terrible, and the vendors have little to no incentive for fixing it.
Note: we (CentOS) do not validate CVE closure separately. We rebuild source provided by RH, assuming that they have done the due diligence.
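As an added illustration of the changelog check in the reply (not code from the list or from the CentOS project): a small POSIX shell helper that reports which CVE ids a package changelog actually mentions, with the changelog text and CVE ids below being constructed placeholders and the rpm wrapper using the same `rpm -q <package> --changelog` command quoted above.

```shell
#!/bin/sh
# Added example, not from the list thread: scanners flag by version string, but
# CentOS/RHEL backport fixes without bumping the upstream version, so the local
# record to check is the package changelog (rpm -q <pkg> --changelog).

# cve_report CVE-ID...   (changelog text on stdin)
# Prints "<id> fixed" or "<id> NOT-FOUND" per id, matching case-insensitively
# like the grep -i in the reply. Exit status is the number of ids not found, so
# 0 means every listed CVE is mentioned. A hit means the packager referenced the
# CVE; a miss can also mean the package was never affected, so confirm against
# the upstream CVE page before treating it as open.
cve_report() {
  changelog=$(cat)
  missing=0
  for cve in "$@"; do
    if printf '%s\n' "$changelog" | grep -qi -- "$cve"; then
      echo "$cve fixed"
    else
      echo "$cve NOT-FOUND"
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# Same check against an installed package; needs rpm, so the demo below does not call it.
cve_report_rpm() {
  pkg=$1
  shift
  rpm -q "$pkg" --changelog | cve_report "$@"
}

# Constructed sample changelog in rpm --changelog layout; the package, packager
# and CVE ids are placeholders, not real records.
SAMPLE_CHANGELOG='* Mon Jan 05 2015 Example Packager <packager@example.invalid> - 1.0.0-2
- fix buffer overflow in request parser (CVE-0000-0001)

* Mon Dec 01 2014 Example Packager <packager@example.invalid> - 1.0.0-1
- initial import'

# Demo: one placeholder CVE is recorded in the changelog, the other is not.
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_report CVE-0000-0001 cve-0000-0002 \
  || echo "$? CVE id(s) not found in changelog"
```

Run it against a real package with `rpm -q <package> --changelog | cve_report <ids>` or via `cve_report_rpm <package> <ids>`, feeding it the CVE list the scanner produced.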