Hi,
I'm currently at CentOS 5.8. After some penetration testing, I found some high-severity OpenSSH issues which would require its upgrade. But up to CentOS 5.9 the latest rpm available is openssh-4.3p2-82.el5 (which I'm currently using).
Is it fine to upgrade to CentOS 6 rpms while I'm on CentOS 5?
Thanks, Anumeha
Without going to 5.9 you will have unpatched vulnerabilities. With all the applicable patches for EL5 you should not have any vulnerabilities due to in-channel software from CentOS. That does not mean the vulnerability scanner won't find false positives; the key is to get the CVE number of the vulnerability, search for how Red Hat responded to it, and check whether you have the CentOS equivalent of that patch.
Mobile
2013/3/21 Ron Colvin ron@colvin-deweese.com:
Also, rpm -q --changelog openssh-server might help for looking up backported fixes.
-- Eero
On Thu, Mar 21, 2013 at 05:23:50PM +0530, Anumeha Prasad wrote:
I'm currently at CentOS 5.8. After some penetration testing, I found some high-severity OpenSSH issues which would require its upgrade. But up to CentOS 5.9 the latest rpm available is openssh-4.3p2-82.el5 (which I'm currently using).
Most "penetration testing" is done by lackadaisical auditors using automated tools that are pretty much completely worthless in the real world on Enterprise Linux, as said tools are unaware of backporting policies. What "issues" were you informed of? Did they provide you with CVE references?
Is it fine to upgrade to CentOS 6 rpms while I'm on CentOS 5?
No, it is not possible to use C6 binary rpms on a C5 system.
John
On 21.03.2013 at 13:12, John R. Dennison jrd@gerdesas.com wrote:
For more info, check the openssh package more deeply:
rpm -q --changelog openssh
or
rpm -q --changelog openssh | grep -i cve
-- LF
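As an added example (not code from the thread), here is a small POSIX shell script that does what Ron, Eero and LF suggest above: pull the CVE identifiers out of an RPM changelog and check a scanner's findings against them. The changelog text, the packager name and the CVE numbers in it are constructed placeholders, not the real openssh-4.3p2-82.el5 history; triage_cves and the other function names are mine. On a real CentOS 5 box you would feed it the saved output of rpm -q --changelog openssh-server instead of the sample.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: triage scanner-reported
# CVEs against the changelog of the installed RPM, which is where Red Hat
# and CentOS record backported fixes.
# Real use:  rpm -q --changelog openssh-server > /tmp/openssh.changelog
# Everything under sample_changelog is constructed; the CVE ids are placeholders.

# Print the unique CVE ids mentioned in changelog text read from stdin.
changelog_cves() {
    grep -oiE 'CVE-[0-9]{4}-[0-9]{4,}' | tr '[:lower:]' '[:upper:]' | sort -u
}

# Exit 0 if the changelog on stdin mentions the CVE id given as $1
# (case-insensitive, whole-id match so CVE-2013-1 does not match CVE-2013-10).
changelog_mentions_cve() {
    cve=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    changelog_cves | grep -qxF "$cve"
}

# triage_cves CHANGELOG_FILE CVE-ID...
# Prints one "CVE-ID status" line per id. A mention only proves the packager
# addressed the id (fixed, or judged not applicable); it is not a fix proof.
triage_cves() {
    log=$1; shift
    for cve in "$@"; do
        if changelog_mentions_cve "$cve" < "$log"; then
            printf '%s backported\n' "$cve"
        else
            printf '%s not-in-changelog\n' "$cve"
        fi
    done
}

# Constructed changelog in `rpm -q --changelog` format. Placeholder entries
# and placeholder CVE numbers; not the real openssh package history.
sample_changelog() {
    cat <<'EOF'
* Mon Jan 07 2013 Example Packager <packager@example.com> - 4.3p2-82
- backport fix for CVE-2013-99999 (placeholder entry)
- resolves: rhbz#000000 (placeholder)

* Tue Jan 03 2012 Example Packager <packager@example.com> - 4.3p2-80
- fix for cve-2012-99998 and CVE-2012-99997 (placeholder entries)
EOF
}

# Run the triage on the constructed sample: two ids are mentioned, one is not.
demo() {
    tmp=$(mktemp)
    sample_changelog > "$tmp"
    triage_cves "$tmp" CVE-2013-99999 cve-2012-99998 CVE-2011-99996
    rm -f "$tmp"
}

demo
```

A changelog mention is evidence, not proof: an entry can say the package was never affected, and a fix can land without naming the CVE. Cross-check each id at https://access.redhat.com/security/cve/ before closing a scanner finding.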
On 3/21/2013 5:12 AM, John R. Dennison wrote:
Most "penetration testing" is done via lackadaisical auditors using automated tools that are pretty much completely worthless in the real world using Enterprise Linux as said tools are unaware of backporting policies.
Indeed, they are automated checklist checkers.
On Thu, Mar 21, 2013 at 7:53 AM, Anumeha Prasad anumeha.prasad@gmail.com wrote:
Hi,
I'm currently at CentOS 5.8. After some penetration testing, I found some high-severity OpenSSH issues which would require its upgrade. But up to CentOS 5.9 the latest rpm available is openssh-4.3p2-82.el5 (which I'm currently using).
Why haven't you updated your entire set of packages to 5.9? Red Hat will release (or maybe already has released) patched packages -- oftentimes the patches are backported for the software versions RH supports, meaning that just going by the version number of openssh may mislead you. When in doubt, check the RH Bugzilla and CVE reports.
You could rebuild openssh from source, but moving to CentOS 6 is a better game plan.
Is it fine to upgrade to CentOS 6 rpms while I'm on CentOS 5?
See the information on the CentOS wiki (link below). http://wiki.centos.org/HowTos/MigrationGuide
I cannot speak for how well these migration steps work as I opt to do a fresh install and rsync the important data to the new install.
2013/3/21 Anumeha Prasad anumeha.prasad@gmail.com:
Result of a Nessus/OpenVAS scan? Red Hat backports security fixes, so just update to 5.9.
-- Eero
On 03/21/2013 06:53 AM, Anumeha Prasad wrote:
Is it fine to upgrade to CentOS 6 rpms while I'm on CentOS 5?
Others have already discussed backporting. Your scanner needs to understand RHEL backporting to give you correct results. See this link for an explanation of backporting:
https://access.redhat.com/security/updates/backporting/
And this one for a CVE database where you can verify false positives are actually fixed:
https://access.redhat.com/security/cve/
The answer to your other question is: No ...
Upgrading within a branch is simple, by design. CentOS-5 will get security updates until its EOL in 2017. You can upgrade any CentOS-5 machine to the latest updates with a simple "yum upgrade" command. Any security or other issues you think you have can be verified fixed from the cve database link above.
But moving to CentOS-6 from CentOS-5 is not easy. The versions of many things are much higher in CentOS-6. You therefore need to save off your data, do a new install of centos-6, move your data back on and upgrade it to the newer software. Some things will upgrade easily (most httpd, ssh, etc.) ... some things will not convert easily (samba, ldap, php to name a few). Enterprise Linux upgrades between major versions (CentOS-5.x to CentOS-6.x) are complicated and need to be planned and tested very well; they cannot be done by just a simple command.
Thanks, Johnny Hughes