Does anyone know the time-frame when security updates might be published for these applications in CentOS 5?
wireshark postgresql krb5 java-1.6.0-openjdk java-1.6.0-sun
The following security updates have been published upstream (after release of RHEL 5.6) to remedy the vulnerabilities described in their associated CVE reports.
Remotely exploitable: (R)
RHSA-2011:0013: Moderate: wireshark security update, 2011-01-10 [CVE-2010-4538] (R)
RHSA-2011:0197: Moderate: postgresql security update, 2011-02-03 [CVE-2010-4015] (R)
RHSA-2011:0199: Important: krb5 security update, 2011-02-08 [CVE-2011-0281] (R) [CVE-2011-0282] (R)
RHSA-2011:0281: Important: java-1.6.0-openjdk security update, 2011-02-17 [CVE-2010-4448] (R) [CVE-2010-4450] [CVE-2010-4465] (R) [CVE-2010-4469] (R) [CVE-2010-4470] (R) [CVE-2010-4472] (R)
RHSA-2011:0282: Critical: java-1.6.0-sun security update, 2011-02-17 [CVE-2010-4422] (R) [CVE-2010-4447] (R) [CVE-2010-4448] (R) [CVE-2010-4450] [CVE-2010-4451] (R) [CVE-2010-4452] (R) [CVE-2010-4454] (R) [CVE-2010-4462] (R) [CVE-2010-4463] (R) [CVE-2010-4465] (R) [CVE-2010-4466] (R) [CVE-2010-4467] (R) [CVE-2010-4468] (R) [CVE-2010-4469] (R) [CVE-2010-4470] (R) [CVE-2010-4471] (R) [CVE-2010-4472] (R) [CVE-2010-4473] (R) [CVE-2010-4475] (R) [CVE-2010-4476] (R)
I know the development team is furiously working to get 5.6 out the door so I understand that there will be delays. However, it was my understanding that "Critical" security updates and those that are "remotely exploitable" would be pushed out ahead of 5.6.
If 5.6 is not forthcoming I think many of us would like to see at least the security updates to cover potential vulnerabilities.
Many thanks to the development team for all their hard work! :-)
Respectfully,
Cal Webster
On Thu, 2011-02-24 at 14:02 -0500, Cal Webster wrote:
Does anyone know the time-frame when security updates might be published for these applications in CentOS 5?
wireshark postgresql krb5 java-1.6.0-openjdk java-1.6.0-sun
Don't use any one of these privately (on desktop, laptop etc.) or publicly on any of the servers.
Always Learning wrote:
On Thu, 2011-02-24 at 14:02 -0500, Cal Webster wrote:
Does anyone know the time-frame when security updates might be published for these applications in CentOS 5?
wireshark postgresql krb5 java-1.6.0-openjdk java-1.6.0-sun
Don't use any one of these privately (on desktop, laptop etc.) or publicly on any of the servers.
Um, don't use kerberos? Or postgresql? Or Sun's, er, Oracle's java? I can't see that going over well.
mark
On Thu, 2011-02-24 at 14:10 -0500, m.roth@5-cent.us wrote:
Um, don't use kerberos? Or postgresql? Or Sun's, er, Oracle's java? I can't see that going over well.
Sorry to let everyone down. I can't get too excited about these outstanding security patches. After 5 hours of trying, I still can't panic, moan or even begin to criticise anyone about anything. Guess I am no good as a CentOS critic. I'm just t-o-o biased towards good old CentOS.
All my CentOS stuff is boring: web with Apache, MySQL, PHP, CSS, HTML and the inevitable phpMyAdmin, plus mail with Exim. Rsync, SSH, VBox and other 'boring' bits too.
Would like to add Asterisk but lack the time at present because of experimenting with something called Arduino, too small to run CentOS but able to control CCTV and send data over the wider Ethernet. A lot more development work is needed.
Never liked running Java and don't. Occasionally run OO's text processing. Still run the 1993 version of Ami Pro 3.1 but that hasn't had a security patch ever!
In article 6182d300241c67c712c405d004e0b5ab.squirrel@host290.hostmonster.com, m.roth@5-cent.us wrote:
Always Learning wrote:
On Thu, 2011-02-24 at 14:02 -0500, Cal Webster wrote:
Does anyone know the time-frame when security updates might be published for these applications in CentOS 5?
wireshark postgresql krb5 java-1.6.0-openjdk java-1.6.0-sun
Don't use any one of these privately (on desktop, laptop etc.) or publicly on any of the servers.
Um, don't use kerberos? Or postgresql? Or Sun's, er, Oracle's java? I can't see that going over well.
I think he meant "*I* don't use any of these ...", not the imperative.
Tony
On Thu, 24 Feb 2011, Cal Webster wrote:
java-1.6.0-sun
non-FOSS, non-source provided, no? This is in an add-on channel in RHEL, and so far as I know we have never shipped such.
Of the others, the wireshark update is a periodic update of some edge-case dissectors [these developers are quite good about releasing time-based 'fixes' for their tool -- a different model than upstream, but perfectly valid], and if nominally remotely exploitable, as a practical matter, not a material threat.
The kerberos update crossed vendor-sec, but seems again to be an edge-case hole.
The pgsql update is nominally exploitable, but any sensible environment uses iptables and network segment isolation rather than adding a world-listening daemon.
I have commented earlier on my distress at the openjdk update NOT crossing vendor-sec. This said, again, who in their right mind exposes an unprotected Java listener application to the wild?
I saw that another in the project mentioned 'bypassing' the 5.6 respin and testing delays for truly exploitable matter. The potential 'bind' updates DoS attack vector turned out not to affect anything CentOS has shipped in base and updates, and so was a 'false positive', as prior discussion here has noted.
If one wants an SLA and deterministic intervals between announcement and release, it is just not that hard to set up one-off building and updates from released sources upstream, and so one can have it at the price of a little learning and experimentation.
Alternatively, CentOS releases promptly on the usual norm, and during 'point' update times falls back to trying to avoid 'dependency skew' problems by considering the potential disruption for millions of machines each needing manual depsolving intervention, vs. getting the next update built and QA'd and out the door in a durable fashion.
If that is not 'quick enough', see the prior paragraph about self-building; or seek a vendor who will sell you the SLA you deem you require. This is a simple 'build vs. buy' decision.
[I might note that I have seen NO filed bug in the CentOS tracker asserting a need for any of the listed updates on an expedited basis]
-- Russ herrold
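Russ's self-build route, together with the due-diligence check behind Cal's list, as an added example that is not part of the thread and is not CentOS's own tooling: a POSIX shell script that scans an installed package's RPM changelog for the CVE identifiers an advisory names (Red Hat's changelog entries cite the CVEs they fix, so a CVE that never appears in the installed version's changelog is still outstanding) and a helper that rebuilds a released upstream source RPM locally. The changelog text embedded below is constructed for the offline demonstration; the packager name, the SRPM URL parameter and the rpmbuild output directory are assumptions, not anything the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the installed build of a
# package names given CVEs in its %changelog, and rebuild an upstream SRPM
# locally when it does not. Needs rpm(8)/rpmbuild(8) for the live paths;
# the offline demonstration at the bottom uses a constructed changelog.

# cves_missing CHANGELOG_TEXT CVE...
# Print, one per line, each CVE that CHANGELOG_TEXT never mentions.
cves_missing() {
    changelog=$1
    shift
    for cve in "$@"; do
        case $changelog in
            *"$cve"*) ;;                    # a fix is recorded for this CVE
            *) printf '%s\n' "$cve" ;;      # still outstanding
        esac
    done
}

# audit_package PACKAGE CVE...
# Live check against the installed package. Returns 0 if every CVE is named,
# 1 if some are outstanding, 2 if the package is not installed.
audit_package() {
    pkg=$1
    shift
    if ! log=$(rpm -q --changelog "$pkg" 2>/dev/null); then
        printf '%s: not installed\n' "$pkg" >&2
        return 2
    fi
    missing=$(cves_missing "$log" "$@")
    if [ -n "$missing" ]; then
        printf '%s (%s): outstanding:\n%s\n' "$pkg" "$(rpm -q "$pkg")" "$missing"
        return 1
    fi
    printf '%s (%s): all listed CVEs named in changelog\n' "$pkg" "$(rpm -q "$pkg")"
}

# rebuild_srpm SRPM_URL
# The self-build route: fetch the released source RPM, verify its GPG
# signature (import the vendor key with `rpm --import` first, otherwise
# rpm -K fails), rebuild it and list the resulting binary packages. The
# output directory is rpm's configured %{_rpmdir}; on CentOS 5 that
# defaults to /usr/src/redhat/RPMS (an assumption about the local setup).
rebuild_srpm() {
    url=$1
    srpm=${url##*/}
    curl -fsSLO "$url" || return 1
    rpm -K "$srpm" || return 1
    rpmbuild --rebuild "$srpm" || return 1
    ls "$(rpm --eval '%{_rpmdir}')"/*/*.rpm
}

# Constructed sample changelog, shaped like an RPM %changelog: it records
# fixes for five of the six openjdk CVEs in the thread but not CVE-2010-4472.
SAMPLE_CHANGELOG='* Thu Feb 17 2011 Example Packager <packager@example.invalid> - 1:1.6.0.0-1.example
- Resolves: CVE-2010-4448 CVE-2010-4450 CVE-2010-4465 CVE-2010-4469 CVE-2010-4470
* Mon Jan 10 2011 Example Packager <packager@example.invalid> - 1:1.6.0.0-0.example
- rebuild'

# demo_outstanding: run the offline check on the constructed changelog.
demo_outstanding() {
    cves_missing "$SAMPLE_CHANGELOG" CVE-2010-4448 CVE-2010-4450 \
        CVE-2010-4465 CVE-2010-4469 CVE-2010-4470 CVE-2010-4472
}

# With arguments, run the live audit: sh audit.sh PACKAGE CVE...
# Without arguments, show the offline demonstration (prints CVE-2010-4472).
if [ $# -gt 0 ]; then
    audit_package "$@"
else
    demo_outstanding
fi
```

Run it with no arguments for the offline demonstration, or as `sh audit.sh krb5 CVE-2011-0281 CVE-2011-0282` on a CentOS 5 box. A CVE string in the changelog is evidence of a fix only to the extent the packager recorded it, and its absence means either the update has not landed or the packager did not cite it, so treat the outstanding list as a work queue to check against the advisory text, not a verdict.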
On Thu, 2011-02-24 at 14:28 -0500, R P Herrold wrote:
On Thu, 24 Feb 2011, Cal Webster wrote:
java-1.6.0-sun
non-FOSS, non-source provided, no? This is in an add-on channel in RHEL, and so far as I know we have never shipped such.
You're right - shouldn't have listed that one. I manage both RHEL and CentOS machines so this came up on the radar.
Of the others, the wireshark update is a periodic update of some edge-case dissectors [these developers are quite good about releasing time-based 'fixes' for their tool -- a different model than upstream, but perfectly valid], and if nominally remotely exploitable, as a practical matter, not a material threat.
Agreed. We don't use most of the dissectors that get called out either and it's easy to disable them. However, our organizational directives require full IA compliance so I have to show due diligence in resolving every vulnerability. For those that cannot be resolved I must supply work-arounds to mitigate them and a plan of action to resolve it in the end.
The kerberos update crossed vendor-sec, but seems again to be an edge-case hole.
Not critical for us since none of our engineering networks touch the Internet. If I had a public facing server, though, I'd hate to have to wonder if I might be one of those "edge cases".
The pgsql update is nominally exploitable, but any sensible environment uses iptables and network segment isolation rather than adding a world-listening daemon.
True. Any enterprise operation that doesn't take such basic security precautions is asking for trouble. Still, the IA Gestapo doesn't make such distinctions.
I have commented earlier on my distress at the openjdk update NOT crossing vendor-sec. This said, again, who in their right mind exposes an unprotected Java listener application to the wild?
I don't disagree with you. Those who evaluate CVEs for applicability to an enterprise don't often have the technical background to distinguish between a practical and a theoretical threat. For them, and because of the way $#!+ rolls downhill, for myself too, the vulnerability "must be addressed."
I saw that another in the project mentioned 'bypassing' the 5.6 respin and testing delays for truly exploitable matter. The potential 'bind' updates DoS attack vector turned out not to affect anything CentOS has shipped in base and updates, and so was a 'false positive', as prior discussion here has noted.
If one wants an SLA and deterministic intervals between announcement and release, it is just not that hard to set up one-off building and updates from released sources upstream, and so one can have it at the price of a little learning and experimentation.
When things settle a bit in my org and CentOS I'd like to do just that, if for nothing else than the instructional value.
Alternatively, CentOS releases promptly on the usual norm, and during 'point' update times falls back to trying to avoid 'dependency skew' problems by considering the potential disruption for millions of machines each needing manual depsolving intervention, vs. getting the next update built and QA'd and out the door in a durable fashion.
Until this 3-way, back-to-back release (4.9, 5.6, 6.0) updates were plenty prompt for me. I totally understand the issues behind the delays.
If that is not 'quick enough', see the prior paragraph about self-building; or seek a vendor who will sell you the SLA you deem you require. This is a simple 'build vs. buy' decision.
Thank you for your cordial, detailed reply. We do have a standby OSS support contract based on hourly rate but only intend to use it for true emergencies.
[I might note that I have seen NO filed bug in the CentOS tracker asserting a need for any of the listed updates on an expedited basis]
Is that how it's done? Until now I haven't paid much attention to the process. No need since updates were fairly swift after upstream release. I report bugs directly upstream via our RH Support entitlement. I'm not sure any such assertions from me would carry much weight anyway. Even if they did I'd imagine there wouldn't be much spare manpower to act on it at this point.
-- Russ herrold
On Thu, Feb 24, 2011 at 11:02 AM, Cal Webster cwebster@ec.rr.com wrote:
I know the development team is furiously working to get 5.6 out the door so I understand that there will be delays. However, it was my understanding that "Critical" security updates and those that are "remotely exploitable" would be pushed out ahead of 5.6.
That is my understanding, too. However, I see that the only "Critical" one on your list is java-1.6.0-sun. This is not included in CentOS...
Akemi
I know the development team is furiously working to get 5.6 out the door so I understand that there will be delays. However, it was my understanding that "Critical" security updates and those that are "remotely exploitable" would be pushed out ahead of 5.6.
That is my understanding, too. However, I see that the only "Critical" one on your list is java-1.6.0-sun. This is not included in CentOS...
As far as I understand, this is a highly non-trivial task and breaks the "binary compatible" rule. Nevertheless, this was attempted one or two dot releases ago, I think as an experiment as much as anything.
I am not sure how the CentOS team thought of that exercise, in hindsight. I would be interested in knowing. From the explanation that Russ gave, it was a mighty effort, as far as I remember.
On Thu, Feb 24, 2011 at 12:05 PM, Ian Murray murrayie@yahoo.co.uk wrote:
However, it was my understanding that "Critical" security updates and those that are "remotely exploitable" would be pushed out ahead of 5.6.
That is my understanding, too. However, I see that the only "Critical" one on your list is java-1.6.0-sun. This is not included in CentOS...
As far as I understand, this is a highly non-trivial task and breaks the "binary compatible" rule. Nevertheless, this was attempted one or two dot releases ago, I think as an experiment as much as anything.
I am not sure how the CentOS team thought of that exercise, in hindsight. I would be interested in knowing. From the explanation that Russ gave, it was a mighty effort, as far as I remember.
Right, it is not an easy task as we see from the past experience. I think Karanbir is trying to come up with the way CentOS can provide critical security updates ahead of the pending major release as we can see in his post [1] to the -devel mailing list:
"all updates to the /5/ tree are monitored and anything which has a remote or local exploit will get pushed into the /5/ tree; things in 5.6 and against 5.6 that don't meet that criteria wait for 5.6 release. build order, linking, inheriting upstream testing etc etc to blame."
[1] http://lists.centos.org/pipermail/centos-devel/2011-February/006916.html
Akemi
On 02/24/2011 02:05 PM, Ian Murray wrote:
I know the development team is furiously working to get 5.6 out the door so I understand that there will be delays. However, it was my understanding that "Critical" security updates and those that are "remotely exploitable" would be pushed out ahead of 5.6.
That is my understanding, too. However, I see that the only "Critical" one on your list is java-1.6.0-sun. This is not included in CentOS...
As far as I understand, this is a highly non-trivial task and breaks the "binary compatible" rule. Nevertheless, this was attempted one or two dot releases ago, I think as an experiment as much as anything.
I am not sure how the CentOS team thought of that exercise, in hindsight. I would be interested in knowing. From the explanation that Russ gave, it was a mighty effort, as far as I remember.
The issue is that these are BUILT on top of 5.6 by upstream ... so they have to be built on 5.6 by us too.
That is just how it is ...
What we have done in the past, if a fix will run OK on 5.5 and 5.6, is release the fix early. But that caused issues and bugs the last time we did it on some installs.
Regardless, I don't think 5.6 will be much longer.
On Thu, 2011-02-24 at 11:30 -0800, Akemi Yagi wrote:
On Thu, Feb 24, 2011 at 11:02 AM, Cal Webster cwebster@ec.rr.com wrote:
I know the development team is furiously working to get 5.6 out the door so I understand that there will be delays. However, it was my understanding that "Critical" security updates and those that are "remotely exploitable" would be pushed out ahead of 5.6.
That is my understanding, too. However, I see that the only "Critical" one on your list is java-1.6.0-sun. This is not included in CentOS...
Thank you for your input Akemi. As I said in my response to Russ, that one should not have been on my list. All, however, do have remote exploits. These I also discussed with Russ.
Regards,
Cal
I wish people would read the list archives instead of posting the same kind of question time and again.
Kai
On Thu, 2011-02-24 at 22:00 +0100, Kai Schaetzl wrote:
I wish people would read the list archives instead of posting the same kind of question time and again.
Kai
Thank you for your thoughts Kai.
I have invested quite a bit of time reading the CentOS and CentOS-Devel archives, including this one from KB:
http://lists.centos.org/pipermail/centos/2011-February/105486.html
Seems to me that my post was both relevant and appropriate. All the vulnerabilities I cited were either "Critical" or "remotely exploitable". If my specific query was answered elsewhere, off topic, or out of line I apologize. See my earlier response to Russ's kind, detailed reply for more.
I've also read the "FAQ":
http://wiki.centos.org/FAQ/General
...as well as Eric and Rick's "Smart Questions" FAQ (all common sense):
http://www.catb.org/~esr/faqs/smart-questions.html
This is not my first time around the block Kai. As much as I hate wasting my own time, I will go out of my way to avoid wasting that of others... especially those who are working hard on their own time on my behalf. I only ask questions when I can't find answers using local or on-line resources. I always try to make my questions concise but with sufficient detail for others to answer, selecting the appropriate forum based upon community guidelines.
I'm not easily offended so I welcome constructive criticism, even harsh critique. You'll find me to be considerate, respectful, and generous because I try to treat others the same way I expect to be treated.
Please don't be offended if I do not respond to additional replies. I see no benefit to the list or myself in extended arguments.
Cal
You don't seem to understand. ;-) I don't take your reply as an offense and I don't mean mine as an offense, but: If you did your research then you knew what answer you would get. And you indeed got that answer. And you were not the only one who asked that and who got that same answer. The specific package you ask about is irrelevant. The question comes up every so often and every so often they get the same answer. So, why do people think they have to ask the same stuff yet again? In case you (or any lurking soul) still don't know the answer: it is "it comes when it comes".
Good night, Kai