Hello, I ask here if CentOS has a xml oval repository. This is the reason of my question:
Actually I have an automatic system to check CVE vulnerabilities report against RedHat OVAL resources, for example: https://www.redhat.com/security/data/oval/com.redhat.rhsa-2011.xml for 2011 CVEs and RHSAs related OVALS
My problem is that while the mechanism works flawlessly regarding Scientific Linux, with CentOS I have false positives reports because the patch level numbers for some rpms is somewhat different from the one written in the official RedHat OVALS.
I make an example to explain myself better:
Consider CVE-2011-0020 which corresponds to RHSA-2011:0180-1 security advisory and it regards a pango vulnerability.
RedHat calls the updated rpm which addresses the vulnerability as pango-1.14.9-8.el5_6.2
CentOS calls it as pango-1.14.9-8.el5.centos.2
so we have:
pango-1.14.9-8.el5_6.2 in the RedHat OVALS while CentOS has pango-1.14.9-8.el5.centos.2 and I think they both addresses the CVE-2011-0020 vulnerability but since the naming is different I have a report that my pango RPM on CentOS is vulnerable, while on SL with same rpm I have no false positives and everything is ok.
So i ask if CentOS has it's own OVAL xml files because I cannot use i na realiable way the RedHat OVALS with CentOS for my porpouses.
thank you very much
Rick
On 4/28/11 4:17 PM, Johnny Hughes wrote:
On 04/28/2011 07:47 AM, Riccardo Veraldi wrote:
Hello, I have seen that package libvirt-0.8.2-15.el5_6.3 on CentOS 5.6 which addresses CVE-2011-1146 https://www.redhat.com/security/data/cve/CVE-2011-1146.html vulnerability is not yet available while for example it is on Scientific Linux. Is there any particular reason why the above rpm update is still not available on mirrors ?
This was pushed, it just had a .el5 instead of .el5_6 dist tag, so it looks older than the other update. Corrected and repushed.
Thanks, Johnny Hughes
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos