Hello, I have seen that the package libvirt-0.8.2-15.el5_6.3 on CentOS 5.6, which addresses the CVE-2011-1146 vulnerability (https://www.redhat.com/security/data/cve/CVE-2011-1146.html), is not yet available, while for example it is on Scientific Linux. Is there any particular reason why the above rpm update is still not available on the mirrors?
thank you
Rick
On 04/28/2011 07:47 AM, Riccardo Veraldi wrote:
Hello, I have seen that the package libvirt-0.8.2-15.el5_6.3 on CentOS 5.6, which addresses the CVE-2011-1146 vulnerability (https://www.redhat.com/security/data/cve/CVE-2011-1146.html), is not yet available, while for example it is on Scientific Linux. Is there any particular reason why the above rpm update is still not available on the mirrors?
This was pushed, it just had a .el5 instead of .el5_6 dist tag, so it looks older than the other update. Corrected and repushed.
Thanks, Johnny Hughes
Hello, I ask here if CentOS has an XML OVAL repository. This is the reason for my question:
I have an automatic system that checks CVE vulnerability reports against Red Hat OVAL resources, for example: https://www.redhat.com/security/data/oval/com.redhat.rhsa-2011.xml for the OVAL definitions related to 2011 CVEs and RHSAs.
My problem is that while the mechanism works flawlessly for Scientific Linux, with CentOS I get false positive reports because the patch level numbers of some rpms are somewhat different from the ones written in the official Red Hat OVALs.
Let me give an example to explain myself better:
Consider CVE-2011-0020, which corresponds to the RHSA-2011:0180-1 security advisory and regards a pango vulnerability.
Red Hat calls the updated rpm which addresses the vulnerability pango-1.14.9-8.el5_6.2
CentOS calls it pango-1.14.9-8.el5.centos.2
so we have:
pango-1.14.9-8.el5_6.2 in the Red Hat OVALs, while CentOS has pango-1.14.9-8.el5.centos.2. I think they both address the CVE-2011-0020 vulnerability, but since the naming is different I get a report that my pango RPM on CentOS is vulnerable, while on SL with the same rpm I have no false positives and everything is ok.
So I ask if CentOS has its own OVAL XML files, because I cannot use the Red Hat OVALs with CentOS in a reliable way for my purposes.
thank you very much
Rick
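The false positive described above, and the "looks older" dist-tag problem from the first reply, both come down to how rpm orders release strings. The following is an added example (not code from any participant in this thread or from the CentOS project): a Python port of librpm's rpmvercmp() plus the epoch/version/release comparison an OVAL rpminfo_test performs ("evr less than" the advisory's EVR). It runs the page's own version strings through it. The mis-tagged libvirt name 0.8.2-15.el5.3 is reconstructed from the description ".el5 instead of .el5_6" and is an assumption; the pango names are the ones quoted in the message.

```python
import re
import string

# rpmvercmp only looks at ASCII letters and digits, plus the '~' and '^'
# pre-/post-release markers; every other character is a separator.
_KEEP = set(string.ascii_letters + string.digits + "~^")
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def segments(s: str) -> list:
    """The alternating numeric/alphabetic segments rpmvercmp compares."""
    return _SEGMENT.findall(s)


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpmvercmp() from rpm's lib/rpmvercmp.c. Returns -1, 0 or 1.

    Numeric segments compare as integers, alphabetic ones as ASCII strings,
    a numeric segment beats an alphabetic one, '~' sorts before anything
    (including end of string) and '^' sorts after the bare version but
    before any further segment.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and a[i] not in _KEEP:   # skip separators
            i += 1
        while j < len(b) and b[j] not in _KEEP:
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if a_tilde and b_tilde:
                i, j = i + 1, j + 1
                continue
            return -1 if a_tilde else 1
        a_caret = i < len(a) and a[i] == "^"
        b_caret = j < len(b) and b[j] == "^"
        if a_caret or b_caret:
            if a_caret and b_caret:
                i, j = i + 1, j + 1
                continue
            if a_caret:
                return -1 if j < len(b) else 1
            return 1 if i < len(a) else -1
        if i >= len(a) or j >= len(b):
            break
        seg_a = _SEGMENT.match(a, i).group(0)
        is_num = seg_a[0].isdigit()
        m_b = re.match(r"[0-9]+" if is_num else r"[A-Za-z]+", b[j:])
        if m_b is None:
            # Segment kinds differ ("centos" vs "6"): the numeric one is newer.
            return 1 if is_num else -1
        seg_b = m_b.group(0)
        i += len(seg_a)
        j += len(seg_b)
        if is_num:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def split_evr(evr: str) -> tuple:
    """Split '[epoch:]version-release' into (epoch, version, release); epoch defaults to '0'."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """rpm's full ordering: epoch first, then version, then release."""
    for x, y in zip(split_evr(a), split_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def oval_flags_vulnerable(installed_evr: str, fixed_evr: str) -> bool:
    """A Red Hat OVAL rpminfo_test asserts 'evr less than <fixed EVR>':
    the host is reported vulnerable when the installed EVR sorts below it."""
    return compare_evr(installed_evr, fixed_evr) < 0


if __name__ == "__main__":
    # Constructed inputs, taken from the version strings quoted in this thread.
    print(segments("8.el5.centos.2"), segments("8.el5_6.2"))
    # CentOS rebuild of the RHSA-2011:0180 fix vs the EVR in the Red Hat OVAL:
    print(oval_flags_vulnerable("1.14.9-8.el5.centos.2", "1.14.9-8.el5_6.2"))  # True, the false positive
    # Same check on an SL-style release string, which keeps Red Hat's tag:
    print(oval_flags_vulnerable("1.14.9-8.el5_6.2", "1.14.9-8.el5_6.2"))       # False
    # Assumed mis-tagged libvirt build (.el5 for .el5_6) sorts below the correct one:
    print(compare_evr("0.8.2-15.el5.3", "0.8.2-15.el5_6.3"))                   # -1
```

The divergence is at the fourth segment: "centos" is alphabetic while "6" is numeric, and rpmvercmp always ranks a numeric segment above an alphabetic one, so every ".elN.centos.M" release sorts below the corresponding ".elN_M" release and a Red Hat OVAL definition will flag it. The same rule explains the libvirt case: with the "_6" dropped, the segment after "5" is "3" instead of "6", so yum saw the fixed build as older than the previous update.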
On 04/29/2011 04:53 AM, Riccardo Veraldi wrote:
Hello, I ask here if CentOS has an XML OVAL repository. This is the reason for my question:
I have an automatic system that checks CVE vulnerability reports against Red Hat OVAL resources, for example: https://www.redhat.com/security/data/oval/com.redhat.rhsa-2011.xml for the OVAL definitions related to 2011 CVEs and RHSAs.
My problem is that while the mechanism works flawlessly for Scientific Linux, with CentOS I get false positive reports because the patch level numbers of some rpms are somewhat different from the ones written in the official Red Hat OVALs.
Let me give an example to explain myself better:
Consider CVE-2011-0020, which corresponds to the RHSA-2011:0180-1 security advisory and regards a pango vulnerability.
Red Hat calls the updated rpm which addresses the vulnerability pango-1.14.9-8.el5_6.2
CentOS calls it pango-1.14.9-8.el5.centos.2
so we have:
pango-1.14.9-8.el5_6.2 in the Red Hat OVALs, while CentOS has pango-1.14.9-8.el5.centos.2. I think they both address the CVE-2011-0020 vulnerability, but since the naming is different I get a report that my pango RPM on CentOS is vulnerable, while on SL with the same rpm I have no false positives and everything is ok.
So I ask if CentOS has its own OVAL XML files, because I cannot use the Red Hat OVALs with CentOS in a reliable way for my purposes.
No, we don't have that .. and we can't "screen scrape" the Red Hat content and make our own.
While the Red Hat source files are Open Source (usually GPL, but also other licenses) and we can rebuild their SRPMS ... their "Customer Portals" are NOT open source. In fact, here are the terms for using their "Customer Portals":
http://www.redhat.com/legal/legal_statement.html
"Red Hat either owns the intellectual property rights in the HTML, text, images audio, video, software or other content that is made available on this website, or has obtained the permission of the owner of the intellectual property to make it available on this website. Red Hat strictly prohibits the redistribution or copying of any part of this website or content on this website without written permission from Red Hat. Red Hat authorizes you to display on your computer, download and print pages from this website provided: (a) the copyright notice appears on all such printouts, (b) the information will not be altered, (c) the content is only used for personal, educational and non-commercial use, and (d) you do not redistribute or copy the information to any other media."
Also this one:
https://access.redhat.com/site/help/terms_conditions.html
Use of Content.
Red Hat grants you a personal, non-assignable license to use Red Hat Content for your own internal use while you are a Red Hat Customer (as defined in Section 2 above). Distributing any portion of Red Hat Content to a third party, using any Red Hat Content for the benefit of a third party or using Red Hat Content in connection with software other than Red Hat Software under an active Red Hat subscription are all prohibited. Red Hat authorizes you to display on your computer, download, play and print the Red Hat Content provided: (a) the copyright notice is not removed, (b) Red Hat Content is not be altered, (c) Red Hat Content is used only for your personal, educational and non-commercial use in support of your active valid subscriptions to Red Hat products and services and in accordance with your Customer Agreement, (d) you do not further redistribute or copy Red Hat Content and (e) you comply with any Additional Terms. In the event of a conflict, inconsistency or difference between this Section 6 and the terms of a License or Customer Agreement, the License or Customer Agreement will control (for example, for Red Hat Content licensed under a Creative Commons License, you will have the rights set forth in the applicable Creative Commons License). If you exceed your authorized use of Red Hat Content (for example, if you use Red Hat Content in support of Software for which you do not have an active valid subscription), you may be required under your Customer Agreement to purchase additional subscriptions to Red Hat products. In addition, your right to continue to access Red Hat Content from a Red Hat Portal is subject to your continued compliance with these Terms of Use, your Customer Agreement and the Additional Terms.
=================================================================
What this means is that we can NOT screen scrape, download, or otherwise use content from the Red Hat website as a "Template" to then modify and generate modified copies of that content ... BECAUSE ... content is NOT software and the Red Hat content is NOT open source.
This is also why we do not duplicate the whole content from security advisories. We can point you at it, we can not grab it and modify it and then republish it. The CentOS Project takes copyright and intellectual property rights very seriously.
Thanks, Johnny Hughes