I've been dealing with the management of security vulnerabilities and their fixes for a while. Recently I discovered there may be a delay in the process of software updates being made available in the CentOS yum repository.
Take CVE-2017-5335 for example. On the Red Hat official notice board, https://access.redhat.com/security/cve/cve-2017-5335, we can see there is a link pointing to the advisory for RHEL 7: https://access.redhat.com/errata/RHSA-2017:2292. From there we can see that the fix happens in gnutls 3.3.26. But when trying to update with yum update from a CentOS 7.3 x64 machine, there is no 3.3.26 available. The only available rpm for CentOS 7.3.1611 for x86_64 is gnutls-3.3.24. This result can be verified using rpm finder: https://www.rpmfind.net/linux/rpm2html/search.php?query=gnutls
The same problem happens to other software packages such as glibc, tcpdump, libnl, mariadb ... (and many others).
Why is that? And are those software packages not going to get fixed?
- p.s. please excuse me for any formatting issues. :)
Jeff
On 30/08/17 11:09, 知乎申诉处理 wrote:
I've been dealing with the management of security vulnerabilities and their fixes for a while. Recently I discovered there may be a delay in the process of software updates being made available in the CentOS yum repository.
Take CVE-2017-5335 for example. On the Red Hat official notice board, https://access.redhat.com/security/cve/cve-2017-5335, we can see there is a link pointing to the advisory for RHEL 7: https://access.redhat.com/errata/RHSA-2017:2292. From there we can see that the fix happens in gnutls 3.3.26. But when trying to update with yum update from a CentOS 7.3 x64 machine, there is no 3.3.26 available. The only available rpm for CentOS 7.3.1611 for x86_64 is gnutls-3.3.24. This result can be verified using rpm finder: https://www.rpmfind.net/linux/rpm2html/search.php?query=gnutls
The same problem happens to other software packages such as glibc, tcpdump, libnl, mariadb ... (and many others).
Why is that? And are those software packages not going to get fixed?
- p.s. please excuse me for any formatting issues. :)
Jeff
You're searching for packages that are already built but sitting in an "interim" repository: RHEL 7.4 was released, but CentOS 7.4.1708 isn't yet available, while the packages (almost all of them) are already built.
See https://seven.centos.org/2017/08/cr-repository-for-centos-linux-7-1708-relea... and you'll have all the packages you're looking for.
The same problem happens to other software packages such as glibc, tcpdump, libnl, mariadb ... (and many others).
Why is that? And are those software packages not going to get fixed?
There have been various threads concerning this in the past month. You can find them in the archives - a couple I found by a quick scan:
https://lists.centos.org/pipermail/centos/2017-August/165910.html
https://lists.centos.org/pipermail/centos/2017-August/165867.html
Basically, the updates are built against 7.4, and that was only released to the CR repository a week ago. See
https://lists.centos.org/pipermail/centos/2017-August/165930.html
and
https://seven.centos.org/2017/08/cr-repository-for-centos-linux-7-1708-relea...
It will all make it into the main repositories in due course.
Remember that CentOS is a community distro and as such resources are limited so things don't happen immediately. If the timing of the release of updates is critical to you, then your best bet is to pay for a RHEL subscription.
P.
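As an added example (not code posted by anyone in this thread), the script below turns the two points made in the replies into checks an admin can run on a CentOS 7 host: first, whether the installed package version is older than the version the RHSA names as fixed (3.3.24 versus 3.3.26 in the thread), and second, whether the installed RPM's changelog already cites the CVE, since Red Hat backports fixes and a version number alone can mislead. The function names, the `fix_status` summary wording and both sample changelogs are constructed for this demo; the `rpm -q --changelog` and `yum install centos-release-cr` commands shown in the comments are the real ones you would substitute for the constructed input.

```sh
#!/bin/sh
# Added example for this thread; not code posted by anyone in it.
# Offline checks for the situation described above:
#   version_lt            - is the installed version older than the one an
#                           RHSA names as fixed?
#   changelog_mentions_cve - does the installed RPM's changelog already cite
#                           the CVE? (Red Hat backports fixes, so this is the
#                           more reliable signal than the version string.)
# The sample changelogs below are CONSTRUCTED for the demo, not real ones.
# On a real host the input would come from:
#     rpm -q --changelog gnutls
# and the candidate update, once the CR repository is enabled with
#     yum install centos-release-cr
# can be listed with:
#     yum list --showduplicates gnutls

# version_lt A B: return 0 (true) if dotted version A sorts before B.
# The RPM release tag (e.g. "-1.el7") is stripped first; numeric segments
# are compared one by one and a missing segment counts as 0.
# Limitation: non-numeric segments (e.g. "1a") are not handled.
version_lt() {
    a=${1%%-*}; b=${2%%-*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        ah=${ah:-0}; bh=${bh:-0}
        [ "$ah" -lt "$bh" ] && return 0
        [ "$ah" -gt "$bh" ] && return 1
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 1
}

# changelog_mentions_cve CVE-ID TEXT: return 0 if TEXT (an RPM changelog)
# contains the CVE identifier as a whole word, case-insensitively.
# -w keeps CVE-2017-5335 from matching a longer id such as CVE-2017-53350.
changelog_mentions_cve() {
    printf '%s\n' "$2" | grep -q -i -w -- "$1"
}

# fix_status PKG INSTALLED FIXED CVE CHANGELOG: print one summary line
# combining both checks. The changelog check wins, because a backported
# fix can be present in a build whose version predates the upstream fix.
fix_status() {
    pkg=$1; installed=$2; fixed=$3; cve=$4; changelog=$5
    if changelog_mentions_cve "$cve" "$changelog"; then
        echo "$pkg-$installed: changelog cites $cve, fix present"
    elif version_lt "$installed" "$fixed"; then
        echo "$pkg-$installed: older than $fixed and no $cve entry; check the CR repository"
    else
        echo "$pkg-$installed: at or after $fixed but no $cve entry; verify against the advisory"
    fi
}

# Constructed sample: a changelog for the 3.3.24 build with no entry yet
# for the CVE from the thread.
SAMPLE_OLD_CHANGELOG='* Mon Jan 02 2017 Example Maintainer <maint@example.com> - 3.3.24-1
- constructed placeholder entry, unrelated bug fix'

# Constructed sample: a build whose changelog does cite the CVE.
SAMPLE_FIXED_CHANGELOG='* Mon Jan 02 2017 Example Maintainer <maint@example.com> - 3.3.26-1
- constructed placeholder entry: fix for CVE-2017-5335'

# Demo run on the constructed samples.
fix_status gnutls 3.3.24-1.el7 3.3.26 CVE-2017-5335 "$SAMPLE_OLD_CHANGELOG"
fix_status gnutls 3.3.26-1.el7 3.3.26 CVE-2017-5335 "$SAMPLE_FIXED_CHANGELOG"
```

The order of the two checks is deliberate: a package whose changelog names the CVE is fixed regardless of how its version compares to the upstream number, which is exactly why comparing 3.3.24 against 3.3.26 by itself cannot tell you whether a CentOS build is vulnerable. Only when the changelog is silent does the version comparison matter, and then the CR repository is where the 7.4 rebuilds mentioned in the replies appear first.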