[CentOS-devel] yum-plugin-security and shellshock

Thu Oct 2 17:00:18 UTC 2014
Pat Riehecky <riehecky at fnal.gov>

On 10/02/2014 03:39 AM, Karanbir Singh wrote:
> even to the point that when heartbleed
> happened - I had to go remind them that every SL version and every user
> instance was exploitable; unlike RHEL and CentOS where only folks who
> had updated in the few weeks leading up to the issue being reported.

There were about 12 weeks between the publication of SA-2014:0015 
(January) and SA-2014:0376 (April) by Red Hat, CentOS and SL.

Your notification was considerate, but did not provide any new 
information. We had already published the SA-2014:0376 update for all SL 
6 releases and notified our userbase.

Per our publication practices, we published the SA-2014:0015 (security 
classification Important) for all SL6 releases.  It protected against 
the following CVEs:
CVE-2013-6449
CVE-2013-6450
CVE-2013-4353

Similarly, we published SA-2014:0376 (security classification Important) 
for all SL6 releases.  It protected against the following CVE:
CVE-2014-0160 (heartbleed)

OpenSSL packages published before SA-2014:0015 contain CVE-2013-6449 
and CVE-2013-6450.  BA-2013:1585-1 contains CVE-2013-4353.  OpenSSL packages 
published after BA-2013:1585-1 and before SA-2014:0376 contain 
CVE-2014-0160.

We were fully aware of which versions of openssl contained CVE-2014-0160 
and which SL versions contained the vulnerability.

Pat

-- 
Pat Riehecky

Scientific Linux developer
http://www.scientificlinux.org/