[CentOS-devel] yum-plugin-security and shellshock
Pat Riehecky
riehecky at fnal.gov
Thu Oct 2 17:00:18 UTC 2014
On 10/02/2014 03:39 AM, Karanbir Singh wrote:
> even to the point that when heartbleed
> happened - I had to go remind them that every SL version and every user
> instance was exploitable; unlike RHEL and CentOS where only folks who
> had updated in the few weeks leading up to the issue being reported.
There were about 12 weeks between the publication of SA-2014:0015
(January) and SA-2014:0376 (April) by RedHat, CentOS and SL.
Your notification was considerate, but did not provide any new
information. We had already published the SA-2014:0376 update for all SL
6 releases and notified our userbase.
Per our publication practices, we published the SA-2014:0015 (security
classification Important) for all SL6 releases. It protected against
the following CVEs:
CVE-2013-6449
CVE-2013-6450
CVE-2013-4353
Similarly, we published SA-2014:0376 (security classification Important)
for all SL6 releases. It protected against the following CVE:
CVE-2014-0160 (heartbleed)
OpenSSL packages published before SA-2014:0015 contain CVE-2013-6449 and
CVE-2013-6450. BA-2013:1585-1 contains CVE-2013-4353. OpenSSL packages
published after BA-2013:1585-1 and before SA-2014:0376 contain
CVE-2014-0160.
We were fully aware of which versions of openssl contained CVE-2014-0160
and which SL versions contained the vulnerability.
Pat
--
Pat Riehecky
Scientific Linux developer
http://www.scientificlinux.org/