[CentOS-devel] CVE-2011-3192 rpms for CentOS 5 still pending?

Wed Sep 7 07:22:49 UTC 2011
Gianluca Cecchi <gianluca.cecchi at gmail.com>

On Wed, Sep 7, 2011 at 7:38 AM, Ned Slider <ned at unixmail.co.uk> wrote:
> On 07/09/11 05:20, dfrg.msc wrote:
>> According to the CentOS-CR-Announce list, there is recently an update
>> for httpd in CentOS 5 CR repo. But the announcement
>> http://lists.centos.org/pipermail/centos-cr-announce/2011-September/000293.html
>> refers to upstream RHBA-2011-1067, which is the version released with
>> 5.7 base packages. Upstream has an update for CVE-2011-3192 whose
>> announcement is RHSA-2011-1245, and this update of httpd has version
>> number 2.2.3-53.el5_7.1, which is higher than that in C5 CR repo
>> (2.2.3-53.el5.centos). Maybe there should be another update for httpd
>> in CentOS 5 CR repo.
>> BTW, any update on C6.1 (or 6.0 CR packages)?
>>
>> Regards.
>
>
> Please see this extremely lengthy thread for an explanation as to why
> this is confusing:
>
> http://lists.centos.org/pipermail/centos-devel/2011-May/007477.html
>
> You can not go by the package name-version-release string alone as
> CentOS change this. Try examining the changelog and look for the above
> CVE's.
>


I think the sender was meaning about the RHBA/RHSA numbers.
If the referred CR package contains both the RHBA-2011-1067 and
RHSA-2011-1245 I think they should be both present in the body of the
announce message, so also the link:
http://rhn.redhat.com/errata/RHSA-2011-1245.html

Gianluca

BTW: +1 for the question about CentOS 6.1 and 6.0CR updates..