Hi,
I have a question about this vulnerability. Could someone please help me which packages i should upgrade in Centos 6 to fix this vulnerability? I don't want to perform upgrade of whole system with "yum upgrade".
-----Original Message----- From: Alexander Danilov Sent: Thursday, May 29, 2014 7:14
Hi,
I have a question about this vulnerability. Could someone please help me
Google can help.
https://www.google.com/search?q=CVE-2014-0196 gives you https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196 And that says https://bugzilla.redhat.com/show_bug.cgi?id=1094232 which says https://rhn.redhat.com/errata/RHSA-2014-0512.html
Or I like to search this way:
https://www.google.com/search?q=CVE-2014-0196+%2Bsite%3Aredhat.com
which packages i should upgrade in Centos 6 to fix this vulnerability? I don't want to perform upgrade of whole system with "yum upgrade".
Kernel, if applicable. You did not give enough information to determine an answer.
-Jason
-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - - Jason Pyeron PD Inc. http://www.pdinc.us - - Principal Consultant 10 West 24th Street #100 - - +1 (443) 269-1555 x333 Baltimore, Maryland 21218 - - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This message is copyright PD Inc, subject to license 20080407P00.
On 05/29/2014 07:04 AM, Jason Pyeron wrote:
-----Original Message----- From: Alexander Danilov Sent: Thursday, May 29, 2014 7:14
Hi,
I have a question about this vulnerability. Could someone please help me
Google can help.
https://www.google.com/search?q=CVE-2014-0196 gives you https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196 And that says https://bugzilla.redhat.com/show_bug.cgi?id=1094232 which says https://rhn.redhat.com/errata/RHSA-2014-0512.html
Or I like to search this way:
https://www.google.com/search?q=CVE-2014-0196+%2Bsite%3Aredhat.com
which packages i should upgrade in Centos 6 to fix this vulnerability? I don't want to perform upgrade of whole system with "yum upgrade".
Kernel, if applicable. You did not give enough information to determine an answer.
-Jason
I want to be very clear on CVE's and the way they are tested at CentOS.
First, I want to ensure everyone knows that CentOS does NOT usually do any verification with respect to CVE issues. We build what Red Hat releases when they release it. Their security and engineering teams are the ones that research the problem, develop a plan, write code, build the new packages and test to verify that:
1) There was a problem that needs fixing. 2) The fix proposed actually fixes the vulnerability (in RHEL).
We then grab the released code after Red Hat publicly releases it and build it for CentOS.
What does this mean for CentOS users ... it means that YOU are responsible to test the there is no longer an issue in YOUR environment after you do the install. If you want a CERTIFIED fix that has been tested, that is what Red Hat provides in RHEL. The reason they charge a subscription price is because the do all this testing and they provide assurance that the issues are known, fixed, tested, and certified as mitigated.
All of that being said, If you are concerned with the Security aspects of an update, you have to have ALL updates before that one also installed. If you have an older glibc then why would you think that something that calls that library would necessarily be secure by adding an update to the Kernel. All libraries (so ALL PREVIOUS PACKAGES), INCLUDING the package in question that fixes the CVE, need to be installed to be confident that you have mitigated a problem. This is CLEARLY stated on every Red Hat security page ... here is a quote from the CVE you asked about:
"Before applying this update, make sure all previously released errata relevant to your system have been applied."
You can't JUST install the package that has the CVE fix and leave everything else at an older level. Certainly if you do, you must validate that in THAT scenario (old packageZ, older packageY, new packageX). Even in RHEL, if you only install one Security update and none of the preceding updates, you would need to test that the issue was mitigated in that scenario as that would NOT have been tested or certified by any team.
=========
Complicating this specific issue ... you asked about "CVE-2014-0196" ... that is NOT an issue that impacts CentOS-6.5 ... it is an issue that is released for "Red Hat Enterprise Linux Server EUS (v. 6.3.z)".
See this link: https://rhn.redhat.com/errata/RHSA-2014-0512.html
CentOS does not and has never done the EUS builds ... as Red Hat does not and has never released the sources for the Extended Update Service streams.
If you want EUS capability (and it is certainly a good thing to have), then you need a RHEL subscription.
=========
To be clear, installing only Security Updates and not also all updates preceding that Security Update is not (nor has it ever been) recommended ... if you do it, you are not using a tested configuration. This is true of ANY operating system, not just CentOS.
Thanks, Johnny Hughes
-----Original Message----- From: Johnny Hughes Sent: Thursday, May 29, 2014 8:46
I want to be very clear on CVE's and the way they are tested at CentOS.
First, I want to ensure everyone knows that CentOS does NOT usually do any verification with respect to CVE issues. We build what Red Hat releases when they release it. Their security and engineering teams are the ones that research the problem, develop a plan, write code, build the new packages and test to verify that:
- There was a problem that needs fixing.
- The fix proposed actually fixes the vulnerability (in RHEL).
We then grab the released code after Red Hat publicly releases it and build it for CentOS.
What does this mean for CentOS users ... it means that YOU are responsible to test the there is no longer an issue in YOUR environment after you do the install. If you want a CERTIFIED fix that has been tested, that is what Red Hat provides in RHEL. The reason they charge a subscription price is because the do all this testing and they provide assurance that the issues are known, fixed, tested, and certified as mitigated.
All of that being said, If you are concerned with the Security aspects of an update, you have to have ALL updates before that one also installed.
E.g.
If you have an older glibc then why would you think that something that calls that library would necessarily be secure by adding an update to the Kernel.
All libraries (so ALL PREVIOUS PACKAGES), INCLUDING the package in question that fixes the CVE, need to be installed to be confident that you have mitigated a problem. This is CLEARLY stated on every Red Hat security page ... here is a quote from
an exemplar CVE from the upstream provider:
"Before applying this update, make sure all previously released errata relevant to your system have been applied."
You can't JUST install the package that has the CVE fix and leave everything else at an older level. Certainly if you do, you must validate that in THAT scenario (old packageZ, older packageY, new packageX). Even in RHEL, if you only install one Security update and none of the preceding updates, you would need to test that the issue was mitigated in that scenario as that would NOT have been tested or certified by any team.
<snip/>
To be clear, installing only Security Updates and not also all updates preceding that Security Update is not (nor has it ever been) recommended ... if you do it, you are not using a tested configuration. This is true of ANY operating system, not just CentOS.
-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - - Jason Pyeron PD Inc. http://www.pdinc.us - - Principal Consultant 10 West 24th Street #100 - - +1 (443) 269-1555 x333 Baltimore, Maryland 21218 - - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This message is copyright PD Inc, subject to license 20080407P00.
<snip>
Just in case my previous mail was not clear enough on this:
"Before applying this update, make sure all previously released errata relevant to your system have been applied."
That is what every single Red Hat Security Update says ... and so then the question is, what is "errata".
Errata is ALL UPDATES ... there are Security ERRATA, Bugfix ERRATA, and Enhancement ERRATA.
What this means is ... you SHOULD install all updates, not just Security Updates.
29.05.2014 16:59, Johnny Hughes ?????:
<snip>
Just in case my previous mail was not clear enough on this:
"Before applying this update, make sure all previously released errata relevant to your system have been applied."
That is what every single Red Hat Security Update says ... and so then the question is, what is "errata".
Errata is ALL UPDATES ... there are Security ERRATA, Bugfix ERRATA, and Enhancement ERRATA.
What this means is ... you SHOULD install all updates, not just Security Updates.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Thank you very much for this clarification and detailed explanation. I appreciate your help.
-
Alexander Danilov -
Jason Pyeron -
Johnny Hughes