[CentOS-devel] yum-plugin-security and shellshock
Pat Riehecky
riehecky at fnal.gov
Thu Oct 2 18:28:01 UTC 2014
On 10/02/2014 12:31 PM, Karanbir Singh wrote:
> On 10/02/2014 06:00 PM, Pat Riehecky wrote:
>> We were fully aware of which versions of openssl contained CVE-2014-0160
>> and which SL versions contained the vulnerability.
> excellent, but you completely missed the point where all of SL installs
> were potentially at risk, with no way to factor back or check any state
> since there is no CVE validation being done.
>
> or are you doing cve validations and testing exploits actively now?
>
>
The CentOS Devel list seems to be the incorrect place to debate SL
update policies.
SLSA-2014:0376 was verified to fix CVE-2014-0160 on SL 6.0, 6.1, 6.2,
6.3, 6.4, and 6.5 for both i686 and x86_64.
Without SLSA-2014:0015, SL 6.0, 6.1, 6.2, 6.3, and 6.4 systems are
vulnerable to CVE-2013-6449 and CVE-2013-6450.
Pat
--
Pat Riehecky
Scientific Linux developer
http://www.scientificlinux.org/