Hi,
I was using CentOS 7 and when I ran some custom commercial security scan on my machine, I found about 122 vulnerabilities.
Can you help me on how to get security upgrades on top of my existing CentOS?
# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
Thanks for the help.
2015-04-24 12:21 GMT+03:00 Venkateswara Rao Dokku dvrao.584@gmail.com:
Hi,
I was using CentOS 7 and when I ran some custom commercial security scan on my machine, I found about 122 vulnerabilities.
Can you help me on how to get security upgrades on top of my existing CentOS?
# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
Thanks for the help.
... and most of them are misconfiguration(s) of your OS, and some are possibly false positives.
Use yum to apply the latest security patches, then fix the misconfiguration of OS services, reboot the machine and rescan.
-- Eero
On 04/24/2015 04:21 AM, Venkateswara Rao Dokku wrote:
Hi,
I was using CentOS 7 and when I ran some custom commercial security scan on my machine, I found about 122 vulnerabilities.
Can you help me on how to get security upgrades on top of my existing CentOS?
The short answer: 'yum update'
The long answer: nearly all commercial scanners test via version number, not actual vulnerabilities. You can take the list of 'vulnerable' packages and the related CVEs and 'rpm -q <package> --changelog | grep -i cve' to see that it's been addressed.
Alternatively, upstream maintains a cve database at https://access.redhat.com/security/cve/ where you can search the CVE and match related (or newer) versions.
I have a very long profanity-laden rant about commercial scanning software and practices that I'll spare folks from. TL;DR it's all terrible, and the vendors have little to no incentive for fixing it.
Note: we (CentOS) do not validate CVE closure separately. We rebuild source provided by RH, assuming that they have done the due diligence.
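As an added illustration of the changelog check Jim describes (example code written for this page, not Jim's or the CentOS project's own tooling): the script below parses text in the shape of `rpm -q <package> --changelog` output and reports, for each CVE you care about, the version-release of the oldest changelog entry that mentions it, or None when no entry does. It matches the CVE id case-insensitively, as the `grep -i cve` in the post does. The changelog text embedded here is constructed for the example; the maintainer name, e-mail and entry wording are placeholders, and in practice you would feed the function the real output of `rpm -q glibc --changelog`.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of `rpm -q glibc --changelog` output. This is
# NOT real Red Hat changelog text: maintainer, e-mail and entry wording are
# placeholders; only the CVE id is one discussed in the thread.
SAMPLE_CHANGELOG = """\
* Mon Mar 02 2015 Example Maintainer <maintainer@example.com> - 2.17-78
- Fix buffer overflow in __nss_hostname_digits_dots (cve-2015-0235, GHOST)
- Rebuild against updated toolchain (constructed entry)

* Fri Jan 09 2015 Example Maintainer <maintainer@example.com> - 2.17-77
- Correct a locale handling bug (constructed entry, no CVE)
"""

# CVE ids in changelogs are written in either case; normalise to upper-case later.
CVE_RE = re.compile(r'\bCVE-\d{4}-\d{4,}\b', re.IGNORECASE)
# Every changelog entry starts with "* <date> <maintainer> [- ]<EVR>".
ENTRY_HEADER_RE = re.compile(r'^\*\s+(?P<rest>.+)$')


def header_evr(rest: str) -> Optional[str]:
    """Return the [epoch:]version-release at the end of an entry header.

    By convention the EVR is the last token after the maintainer's e-mail.
    Returns None when the header carries no EVR (last token is the e-mail
    address or something without a version-release dash).
    """
    last = rest.split()[-1]
    if last.endswith('>') or '-' not in last:
        return None
    return last


def parse_changelog(text: str) -> List[Tuple[Optional[str], List[str]]]:
    """Split changelog text into (evr, body_lines) pairs, newest entry first."""
    entries: List[Tuple[Optional[str], List[str]]] = []
    current: Optional[Tuple[Optional[str], List[str]]] = None
    for line in text.splitlines():
        m = ENTRY_HEADER_RE.match(line)
        if m:
            current = (header_evr(m.group('rest')), [])
            entries.append(current)
        elif current is not None:
            current[1].append(line)
    return entries


def check_cves(changelog: str, wanted: List[str]) -> Dict[str, Optional[str]]:
    """Map each wanted CVE to the EVR of the oldest entry mentioning it.

    rpm prints newest entries first, so the last match seen while iterating
    is the release that introduced the fix. A CVE never mentioned maps to
    None, which is the case that still needs follow-up with the vendor.
    """
    result: Dict[str, Optional[str]] = {cve.upper(): None for cve in wanted}
    for evr, body in parse_changelog(changelog):
        for cve in CVE_RE.findall('\n'.join(body)):
            cve = cve.upper()
            if cve in result:
                result[cve] = evr
    return result


if __name__ == "__main__":
    # The three glibc CVEs raised later in the thread, checked against the sample.
    for cve, evr in check_cves(SAMPLE_CHANGELOG,
                               ["CVE-2015-0235", "CVE-2015-1472", "CVE-2015-1473"]).items():
        print(f"{cve}: {'addressed in ' + evr if evr else 'not mentioned in changelog'}")
```

Run it against a real package with `rpm -q glibc --changelog | python3 check_cves.py` after replacing `SAMPLE_CHANGELOG` with `sys.stdin.read()`; a CVE that maps to None is one you then look up in the vendor's CVE database rather than assume is open.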
2015-04-24 15:31 GMT+03:00 Jim Perrin jperrin@centos.org:
On 04/24/2015 04:21 AM, Venkateswara Rao Dokku wrote:
Hi,
I was using CentOS 7 and when I ran some custom commercial security scan on my machine, I found about 122 vulnerabilities.
Can you help me on how to get security upgrades on top of my existing CentOS?
The short answer: 'yum update'
The long answer: nearly all commercial scanners test via version number, not actual vulnerabilities. You can take the list of 'vulnerable' packages and the related CVEs and 'rpm -q <package> --changelog | grep -i cve' to see that it's been addressed.
Usually security scanners like Nessus, OpenVAS .. detect OS misconfigurations like weak ciphers and some basic OS misconfigurations.
The "easy" way to get a PASS result is usually just to turn off version numbers from services and disable weak ciphers like SSLv3, SSLv2 and so on...
-- Eero
On 04/24/2015 04:21 AM, Venkateswara Rao Dokku wrote:
Hi,
I was using CentOS 7 and when I ran some custom commercial security scan on my machine, I found about 122 vulnerabilities.
Can you help me on how to get security upgrades on top of my existing CentOS?
# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
Thanks for the help.
You will need to address each individual issue as one event and track it.
Most security software for Ubuntu does not understand the concept of Red Hat backporting:
https://access.redhat.com/security/updates/backporting/
Therefore, to check CentOS or RHEL properly for security issues, the software needs to be designed to understand what version of a package Red Hat fixed an issue in via their backport .. not how it was fixed in the main upstream project code.
As an example, here is CVE-2014-0226:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0226
Red Hat fixes that in these updates:
EL5 and EL6: https://rhn.redhat.com/errata/RHSA-2014-0920.html
EL7: https://rhn.redhat.com/errata/RHSA-2014-0921.html
That means, because of backporting, this issue is fixed in:
EL5: httpd-2.2.3-87.el5_10.src.rpm
EL6: httpd-2.2.15-31.el6_5.src.rpm
EL7: httpd-2.4.6-18.el7_0.src.rpm
If you look at the Apache web page for vulnerabilities for httpd 2.2 (http://httpd.apache.org/security/vulnerabilities_22.html) and if you search for CVE-2014-0226 you will find it is fixed in version 2.2.28 upstream .. but Red Hat fixed it in versions 2.2.3-87 and in version 2.2.15.
If your software thinks that in order to be protected for CVE-2014-0226 you need version 2.2.28 or higher Apache, then your software kicks out a fail in EL5 if you have version httpd-2.2.3-87 .. but it is NOT a fail. So, bottom line, your software has to know how Red Hat did backports for EL via backporting or it will give false positives.
The same is true for EL7 too .. apache fixes CVE-2014-0226 in 2.4.10 .. Red Hat fixes it in httpd-2.4.6-18.el7_0 .. software needs to know 2.4.10 is not needed because of a backport.
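To show concretely why a version-only check fails where a backport-aware check succeeds, here is an added example (written for this page, not Johnny's or Red Hat's code) that reimplements rpm's version comparison in Python and applies it to the httpd NVRs quoted above. The `rpmvercmp` here follows rpm's digit-run / letter-run / `~` rules but is a simplified reimplementation (it leaves out the newer `^` operator), and the older installed NVR `httpd-2.2.3-86.el5` used for contrast is constructed, not taken from any advisory.

```python
import re
from typing import Tuple

# A segment is a run of digits, a run of letters, or the '~' pre-release marker;
# everything else ('.', '_', '-', ...) is a separator that rpm skips.
SEGMENT_CHAR = re.compile(r'[0-9A-Za-z~]')


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings like rpm's rpmvercmp().

    Returns -1 if a < b, 0 if equal, 1 if a > b. Simplified reimplementation:
    digit runs, letter runs and '~' are handled; rpm's '^' operator is not.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not SEGMENT_CHAR.match(a[i]):
            i += 1
        while j < len(b) and not SEGMENT_CHAR.match(b[j]):
            j += 1
        # '~' sorts before anything, even end of string: 1.0~rc1 < 1.0
        a_tilde = i < len(a) and a[i] == '~'
        b_tilde = j < len(b) and b[j] == '~'
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        pattern, isnum = (r'[0-9]+', True) if a[i].isdigit() else (r'[A-Za-z]+', False)
        seg_a = re.match(pattern, a[i:]).group(0)
        mb = re.match(pattern, b[j:])
        if mb is None:
            return 1 if isnum else -1  # numeric segment is newer than a letter one
        seg_b = mb.group(0)
        i, j = i + len(seg_a), j + len(seg_b)
        if isnum:
            seg_a, seg_b = seg_a.lstrip('0'), seg_b.lstrip('0')
            if len(seg_a) != len(seg_b):  # longer digit string is the larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever has segments left is newer


def split_nevr(nevr: str) -> Tuple[str, int, str, str]:
    """Split 'name-[epoch:]version-release[.src.rpm]' (no arch suffix) into parts."""
    if nevr.endswith('.src.rpm'):
        nevr = nevr[:-len('.src.rpm')]
    name_ver, _, release = nevr.rpartition('-')
    name, _, version = name_ver.rpartition('-')
    epoch = 0
    if ':' in version:
        epoch_str, _, version = version.partition(':')
        epoch = int(epoch_str)
    return name, epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """Compare two NEVRs of the same package: epoch, then version, then release."""
    name_a, e_a, v_a, r_a = split_nevr(a)
    name_b, e_b, v_b, r_b = split_nevr(b)
    if name_a != name_b:
        raise ValueError(f"different packages: {name_a} vs {name_b}")
    if e_a != e_b:
        return 1 if e_a > e_b else -1
    return rpmvercmp(v_a, v_b) or rpmvercmp(r_a, r_b)


def backport_aware_is_fixed(installed: str, fixed_in: str) -> bool:
    """The right check: installed NEVR is at or above the errata's fixed-in NEVR."""
    return compare_evr(installed, fixed_in) >= 0


def version_only_flags(installed: str, upstream_fixed_version: str) -> bool:
    """What a naive scanner does: look only at the upstream version number.
    Returns True when such a scanner would report the host as vulnerable."""
    _, _, version, _ = split_nevr(installed)
    return rpmvercmp(version, upstream_fixed_version) < 0


if __name__ == "__main__":
    # Fixed-in NVRs for CVE-2014-0226 from RHSA-2014-0920/0921 as quoted in the thread,
    # beside the upstream httpd versions that first carried the fix.
    cases = {"EL5": ("httpd-2.2.3-87.el5_10", "2.2.28"), "EL7": ("httpd-2.4.6-18.el7_0", "2.4.10")}
    for rel, (nvr, upstream) in cases.items():
        print(f"{rel} {nvr}: version-only scanner flags it = {version_only_flags(nvr, upstream)},"
              f" backport-aware check says fixed = {backport_aware_is_fixed(nvr, nvr)}")
```

The two booleans for each release disagree on purpose: the fully patched EL5 and EL7 hosts are flagged by the version-only comparison (the false positive Johnny describes) and cleared by the comparison against the errata's own NVR, while a host one release behind the errata (the constructed `httpd-2.2.3-86.el5`) is correctly reported as not fixed.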
On 24.04.2015 at 11:21, Venkateswara Rao Dokku wrote:
I was using CentOS 7 and when I ran some custom commercial security scan on my machine, I found about 122 vulnerabilities.
That's why those scans are wasted money. From a security management point of view they neither help you nor your manager.
Regards
Alexander
On 4/24/2015 12:14 PM, Alexander Dalloz wrote:
On 24.04.2015 at 11:21, Venkateswara Rao Dokku wrote:
I was using CentOS 7 and when I ran some custom commercial security scan on my machine, I found about 122 vulnerabilities.
That's why those scans are wasted money. From a security management point of view they neither help you nor your manager.
I call it 'security by bullet list'
John R Pierce wrote:
On 4/24/2015 12:14 PM, Alexander Dalloz wrote:
On 24.04.2015 at 11:21, Venkateswara Rao Dokku wrote:
I was using CentOS 7 and when I ran some custom commercial security scan on my machine, I found about 122 vulnerabilities.
That's why those scans are wasted money. From a security management point of view they neither help you nor your manager.
I call it 'security by bullet list'
I would be more interested if the OP had mentioned *what* "custom commercial security scan" tool they'd used.
Thanks for the replies. The tool that we used for testing the security vulnerability is "Nessus".
I have glibc version 2.17-78.el7, I saw that CVE-2015-0235 (Ghost) is fixed in this version and I want to apply the patch for the vulnerabilities CVE-2015-1472 & CVE-2015-1473. Can you please help me in finding the right version that has fixes for these?
Thanks
On Mon, Apr 27, 2015 at 02:39:30PM +0530, Venkateswara Rao Dokku wrote:
Thanks for the replies. The tool that we used for testing the security vulnerability is "Nessus".
I have glibc version 2.17-78.el7, I saw that CVE-2015-0235 (Ghost) is fixed in this version and I want to apply the patch for the vulnerabilities CVE-2015-1472 & CVE-2015-1473. Can you please help me in finding the right version that has fixes for these?
You have the latest glibc package available.
Checking upstream, Red Hat has their CVE information here:
https://access.redhat.com/security/cve/CVE-2015-1472 https://access.redhat.com/security/cve/CVE-2015-1473
If you look at the CVE page for the Ghost vulnerability (https://access.redhat.com/security/cve/CVE-2015-0235) it links to any security advisories which would include an update. Both 1472 and 1473 are marked as 'Low' impact so I suspect there won't be any updated package to address it until later.
I would STRONGLY suggest against attempting to build your own glibc.
On Mon, April 27, 2015 12:01 pm, Jonathan Billings wrote:
On Mon, Apr 27, 2015 at 02:39:30PM +0530, Venkateswara Rao Dokku wrote:
Thanks for the replies. The tool that we used for testing the security vulnerability is "Nessus".
I have glibc version 2.17-78.el7, I saw that CVE-2015-0235 (Ghost) is fixed in this version and I want to apply the patch for the vulnerabilities CVE-2015-1472 & CVE-2015-1473. Can you please help me in finding the right version that has fixes for these?
You have the latest glibc package available.
Checking upstream, Red Hat has their CVE information here:
https://access.redhat.com/security/cve/CVE-2015-1472 https://access.redhat.com/security/cve/CVE-2015-1473
If you look at the CVE page for the Ghost vulnerability (https://access.redhat.com/security/cve/CVE-2015-0235) it links to any security advisories which would include an update. Both 1472 and 1473 are marked as 'Low' impact so I suspect there won't be any updated package to address it until later.
I would STRONGLY suggest against attempting to build your own glibc.
This reminds me about old times when Red Hat was backporting security patches to older versions of software (whenever applicable), thus keeping the system secure, yet keeping everything relying on software internals (which may change with version) still working. This kind of makes "security analyzers" relying on software versions more misleading than helpful. Especially if the sysadmin does his job (sometimes we had to keep an older version in place, working around some vulnerability to have our system not vulnerable - e.g. turned off ciphers in the case of "POODLE"). I am not saying anything about Nessus, which I never used.
Having a good system, fully updated (unnecessary services turned off, etc., all done according to a system-securing checklist) would be the best thing to have. Those security tools... I wish none of the good sysadmins has a less knowledgeable supervisor armed with one or a few of these vulnerability checkers ;-)
Valeri
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On 04/27/2015 02:09 AM, Venkateswara Rao Dokku wrote:
Can you please help me in finding the right version that has fixes for these?
Start by accessing Red Hat's CVE database:
https://access.redhat.com/security/cve/
If errata have been published for a CVE entry, they will be listed along with other details.
On 04/27/2015 04:09 AM, Venkateswara Rao Dokku wrote:
Thanks for the replies. The tool that we used for testing the security vulnerability is "Nessus".
I have glibc version 2.17-78.el7, I saw that CVE-2015-0235 (Ghost) is fixed in this version and I want to apply the patch for the vulnerabilities CVE-2015-1472 & CVE-2015-1473. Can you please help me in finding the right version that has fixes for these?
Thanks
I don't know how Nessus works, BUT it seems you need to load all the CentOS Plugins to get it to understand the checks:
http://www.tenable.com/plugins/index.php?view=all&family=CentOS+Local+Se...
I have NO IDEA if those are correct or how up2date they are, etc. But if you are not loading them, you have no chance of it understanding the backporting that Red Hat does.
Hi,
I have PHP 5.4.16 on my CentOS 7 machine, and when I searched over the internet I could see it is affected by some vulnerabilities. So I wanted to upgrade my PHP to 5.6.x, but did not find a procedure for it.
When I tried "yum upgrade php", it says "no packages marked for update".
Can you please give me some pointers so that I can continue.
On Tue, Apr 28, 2015 at 2:11 AM, Johnny Hughes johnny@centos.org wrote:
On 04/27/2015 04:09 AM, Venkateswara Rao Dokku wrote:
Thanks for the replies. The tool that we used for testing the security vulnerability is "Nessus".
I have glibc version 2.17-78.el7, I saw that CVE-2015-0235 (Ghost) is fixed in this version and I want to apply the patch for the vulnerabilities CVE-2015-1472 & CVE-2015-1473. Can you please help me in finding the right version that has fixes for these?
Thanks
I don't know how Nessus works, BUT it seems you need to load all the CentOS Plugins to get it to understand the checks:
http://www.tenable.com/plugins/index.php?view=all&family=CentOS+Local+Se...
I have NO IDEA if those are correct or how up2date they are, etc. But if you are not loading them, you have no chance of it understanding the backporting that Red Hat does.
On 04/30/2015 03:38 AM, Venkateswara Rao Dokku wrote:
Hi,
I have PHP 5.4.16 on my CentOS 7 machine, and when I searched over the internet I could see it is affected by some vulnerabilities. So I wanted to upgrade my PHP to 5.6.x, but did not find a procedure for it.
When I tried "yum upgrade php", it says "no packages marked for update".
Can you please give me some pointers so that I can continue.
Security fixes are backported. Don't focus so much on the version numbers. See https://access.redhat.com/security/updates/backporting/