[CentOS-devel] CVE-2011-3192 rpms for CentOS 5 still pending?

Wed Sep 7 15:27:28 UTC 2011
Leon Fauster <leonfauster at googlemail.com>

On 07.09.2011 at 15:11, dfrg.msc wrote:
> 2011/9/7 Ned Slider <ned at unixmail.co.uk>:
>> On 07/09/11 05:20, dfrg.msc wrote:
>>> According to the CentOS-CR-Announce list, there is recently an update
>>> for httpd in CentOS 5 CR repo. But the announcement
>>> http://lists.centos.org/pipermail/centos-cr-announce/2011-September/000293.html
>>> refers to upstream RHBA-2011-1067, which is the version released with
>>> 5.7 base packages. Upstream has an update for CVE-2011-3192 whose
>>> announcement is RHSA-2011-1245, and this update of httpd has version
>>> number 2.2.3-53.el5_7.1, which is higher than that in C5 CR repo
>>> (2.2.3-53.el5.centos). Maybe there should be another update for httpd
>>> in CentOS 5 CR repo.
>>> BTW, any update on C6.1 (or 6.0 CR packages)?
>>> 
>>> Regards.
>> 
>> 
>> Please see this extremely lengthy thread for an explanation as to why
>> this is confusing:
>> 
>> http://lists.centos.org/pipermail/centos-devel/2011-May/007477.html
>> 
>> You cannot go by the package name-version-release string alone as
>> CentOS change this. Try examining the changelog and look for the above
>> CVEs.
>> 
> I understand. So there is already CVE-2011-3192 rpms uploaded to
> CentOS 5 CR repo, but no announcement posted yet.


That's correct:

rpm -qp --changelog http://mirror.centos.org/centos-5/5/cr/x86_64/RPMS/httpd-2.2.3-53.el5.centos.1.x86_64.rpm | head


--
LF
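
The changelog check suggested in this thread, as an added example that is not part of the original messages: it reports which changelog entry cites a CVE, so the fix can be confirmed without relying on the name-version-release string. The function name `cve_entries` and the sample changelog are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): locate the RPM changelog entry
# that mentions a given CVE id.
#
# Real use, with rpm available:
#   rpm -q  --changelog httpd          | cve_entries CVE-2011-3192
#   rpm -qp --changelog <package>.rpm  | cve_entries CVE-2011-3192

# cve_entries CVE-ID
# Reads `rpm --changelog` output on stdin and prints the header line
# ("* date packager - version-release") of every entry citing the CVE.
# Exit status is 0 if at least one entry matched, 1 otherwise.
cve_entries() {
    awk -v cve="$1" '
        # A line starting with "* " opens a new changelog entry.
        /^\* / { header = $0; printed = 0; next }
        # Match the id only when it is not followed by another digit,
        # so a shorter id never matches a longer one by prefix.
        header != "" && !printed && $0 ~ (cve "([^0-9]|$)") {
            print header; printed = 1; found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample changelog (hypothetical packager and versions).
sample_changelog() {
cat <<'EOF'
* Mon Jan 03 2000 Example Packager <packager@example.org> - 1.0-3.example.1
- rebuild with upstream security patch
- add security fix for CVE-2011-3192

* Sun Jan 02 2000 Example Packager <packager@example.org> - 1.0-3
- unrelated bug fix
EOF
}

# Stand-alone run: prints the header of the entry carrying the fix.
sample_changelog | cve_entries CVE-2011-3192
```

A non-zero exit status means no changelog entry cites the CVE, which makes the function usable in a patch-compliance script across many hosts.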