[CentOS-devel] yum-plugin-security and shellshock

Thu Oct 2 18:28:01 UTC 2014
Pat Riehecky <riehecky at fnal.gov>

On 10/02/2014 12:31 PM, Karanbir Singh wrote:
> On 10/02/2014 06:00 PM, Pat Riehecky wrote:
>> We were fully aware of which versions of openssl contained CVE-2014-0160
>> and which SL versions contained the vulnerability.
> excellent, but you completely missed the point where all of SL installs
> were potentially at risk, with no way to factor back or check any state
> since there is no CVE validation being done.
>
> or are you doing CVE validations and testing exploits actively now?
>
>

The CentOS Devel list seems to be the incorrect place to debate SL 
update policies.

SLSA-2014:0376 was verified to fix CVE-2014-0160 on SL 6.0, 6.1, 6.2, 
6.3, 6.4, and 6.5 for both i686 and x86_64.

Without SLSA-2014:0015, SL 6.0, 6.1, 6.2, 6.3, and 6.4 systems are 
vulnerable to CVE-2013-6449 and CVE-2013-6450.

Pat

-- 
Pat Riehecky

Scientific Linux developer
http://www.scientificlinux.org/