Hello,
We are running CentOS 5.5 on a server that is not reporting any security updates:

[root@server01 ~]# yum -y --security check-update
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: bay.uchicago.edu
 * extras: bay.uchicago.edu
 * updates: mirror.nyi.net
Limiting package lists to security relevant ones
No packages needed, for security, 261 available

However, Nexpose, our vulnerability scanner, detected otherwise. Upon digging deeper, I noticed that we are on a kernel version that has a known issue fixed in a later version:

[root@server01 ~]# rpm -q kernel
kernel-2.6.18-194.el5
kernel-2.6.18-194.8.1.el5

http://rhn.redhat.com/errata/RHSA-2010-0610.html
http://lists.centos.org/pipermail/centos-announce/2010-August/016890.html
I appreciate anyone's insight in helping me understand this a bit better.
Thanks!
On Tue, 18 Dec 2012 10:38:22 -0600 Terry wrote:
> Limiting package lists to security relevant ones
What does it tell you if you don't limit the package lists to security relevant ones?
The current version of CentOS 5 is 5.8 and the kernel is 2.6.18-308.24.1.el5, so you're rather behind the times.
On Tue, Dec 18, 2012 at 10:42 AM, Frank Cox theatre@melvilletheatre.com wrote:
> On Tue, 18 Dec 2012 10:38:22 -0600 Terry wrote:
> > Limiting package lists to security relevant ones
> What does it tell you if you don't limit the package lists to security relevant ones?
> The current version of CentOS 5 is 5.8 and the kernel is 2.6.18-308.24.1.el5, so you're rather behind the times.
Completely agree on behind the times. It says we have 261 available. But wouldn't the security update procedure I put below still grab security updates? I may update our procedures to do full updates rather than just security but it's not working as expected so crossing that off first.
Thanks!
On Tue, Dec 18, 2012 at 8:38 AM, Terry td3201@gmail.com wrote:
> Hello,
> We are running CentOS 5.5 on a server that is not reporting any security updates:
> [root@server01 ~]# yum -y --security check-update
This feature (yum --security) has not been implemented and CentOS developers are working on it. See the thread on the mailing list:
http://lists.centos.org/pipermail/centos-devel/2012-August/008675.html
The last post from Karanbir Singh was on Oct 3. Here is a partial quote:
> I've been testing the yum-security stuff at this end and still have a few issues to work out ( mostly involves reading AUP's and T&C's from various places to make sure the metadata being consumed does not violate anything )
Hope this helps,
Akemi
Terry wrote:
> Hello,
> We are running CentOS 5.5 on a server that is not reporting any security updates:
> <snip>
> However, Nexpose, our vulnerability scanner, detected otherwise. Upon digging deeper, I noticed that we are on a kernel version that has a known issue fixed in a later version:
> [root@server01 ~]# rpm -q kernel
> kernel-2.6.18-194.el5
> kernel-2.6.18-194.8.1.el5
<snip>
As someone else just pointed out, current release is 5.8. For that matter, and I'm just pulling this vaguely out of my memory, .el5 with no sub-numbers suggests to me that this has *never* been updated since the install/update to the initial 5.5. This is *NOT* a good idea. There have been many security fixes since then.
mark
On 12/18/2012 10:38 AM, Terry wrote:
> Hello,
> We are running CentOS 5.5 on a server that is not reporting any security updates:
> [root@server01 ~]# yum -y --security check-update
> Loaded plugins: fastestmirror, security
> Loading mirror speeds from cached hostfile
>  * base: bay.uchicago.edu
>  * extras: bay.uchicago.edu
>  * updates: mirror.nyi.net
> Limiting package lists to security relevant ones
> No packages needed, for security, 261 available
> However, Nexpose, our vulnerability scanner, detected otherwise. Upon digging deeper, I noticed that we are on a kernel version that has a known issue fixed in a later version:
> [root@server01 ~]# rpm -q kernel
> kernel-2.6.18-194.el5
> kernel-2.6.18-194.8.1.el5
> http://rhn.redhat.com/errata/RHSA-2010-0610.html
> http://lists.centos.org/pipermail/centos-announce/2010-August/016890.html
> I appreciate anyone's insight in helping me understand this a bit better.
The yum security plugin does not currently, nor has it ever, worked on CentOS.
It is designed to work with RHN and RHEL and we have not been able to make it work on CentOS.
A long long time ago, in a previous vocation, I had all my CentOS boxes talking to a Spacewalk server. I had a script (which may or may not still work) that would take CentOS-Announce digest and create Errata out of them. I could then use that in my server groups as a "Security Patches Only" sort of deployment.
On Dec 18, 2012, at 9:44 AM, Johnny Hughes wrote:
> On 12/18/2012 10:38 AM, Terry wrote:
> > Hello,
> > We are running CentOS 5.5 on a server that is not reporting any security updates:
> > [root@server01 ~]# yum -y --security check-update
> > Loaded plugins: fastestmirror, security
> > Loading mirror speeds from cached hostfile
> >  * base: bay.uchicago.edu
> >  * extras: bay.uchicago.edu
> >  * updates: mirror.nyi.net
> > Limiting package lists to security relevant ones
> > No packages needed, for security, 261 available
> > However, Nexpose, our vulnerability scanner, detected otherwise. Upon digging deeper, I noticed that we are on a kernel version that has a known issue fixed in a later version:
> > [root@server01 ~]# rpm -q kernel
> > kernel-2.6.18-194.el5
> > kernel-2.6.18-194.8.1.el5
> > http://rhn.redhat.com/errata/RHSA-2010-0610.html
> > http://lists.centos.org/pipermail/centos-announce/2010-August/016890.html
> > I appreciate anyone's insight in helping me understand this a bit better.
> The yum security plugin does not currently, nor has it ever, worked on CentOS.
> It is designed to work with RHN and RHEL and we have not been able to make it work on CentOS.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
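An added example, not part of any post in the thread: because yum --security reports nothing on CentOS, installed packages can instead be checked against a known baseline by comparing version-release strings the way rpm orders them. The installed list is the rpm -q kernel output from the first message and the baseline is the kernel Frank Cox cites as current; the function names are hypothetical, and the comparison is simplified (no epoch, no '~' handling).

```python
import re

_SEG = re.compile(r"\d+|[A-Za-z]+")  # rpm compares runs of digits and runs of letters

def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment, as rpm does.
    Simplified for this example: no epoch and no '~' pre-release handling."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment beats a letter segment
        if x.isdigit():
            x, y = int(x), int(y)             # numeric compare, so 8 < 24 (not string order)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_nvr(nvr):
    """'kernel-2.6.18-194.el5' -> ('kernel', '2.6.18', '194.el5')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def cmp_nvr(a, b):
    """Order two builds of the same package: version first, then release."""
    (_, va, ra), (_, vb, rb) = split_nvr(a), split_nvr(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def newest(nvrs):
    """Return the newest build in a list of name-version-release strings."""
    best = nvrs[0]
    for n in nvrs[1:]:
        if cmp_nvr(n, best) > 0:
            best = n
    return best

def older_than(nvrs, baseline):
    """Return every installed build that sorts before the baseline build."""
    return [n for n in nvrs if cmp_nvr(n, baseline) < 0]

# Installed kernels as shown in the first message of the thread.
INSTALLED = ["kernel-2.6.18-194.el5", "kernel-2.6.18-194.8.1.el5"]
# Baseline: the kernel named as current for CentOS 5 in Frank Cox's reply.
BASELINE = "kernel-2.6.18-308.24.1.el5"

if __name__ == "__main__":
    print("newest installed:", newest(INSTALLED))
    for n in older_than(INSTALLED, BASELINE):
        print("behind baseline:", n)
```

The newest installed kernel is not necessarily the running one, so compare the output of uname -r against the baseline as well.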