[CentOS-devel] missing important EL6 patch for qemu CVE-2016-3710 ?

Sun May 15 15:44:57 UTC 2016
Johnny Hughes <johnny at centos.org>

On 05/13/2016 07:59 AM, Sven Kieske wrote:
> Hi,
> 
> I saw no announcement on centos-announce
> for this:
> 
> https://rhn.redhat.com/errata/RHSA-2016-0997.html
> 
> has it fallen through the cracks somehow?
> 
> I find the corresponding update for EL7, but not for EL6.
> 
> It would be nice if someone could investigate this.
> 
> I also didn't find the necessary versions on my local mirror synced, e.g.:
> 
> qemu-kvm-0.12.1.2-2.491.el6_8.1.x86_64.rpm
> 
> Is this due to the work done in preparation for EL 6.8 release?
> 
> But I also do not find any CR repo yet.

There were 350 or so SRPMs and 3050 RPMs as part of the 6.8 update set.

We (the CentOS team) get access to the SRPMs the same time as everyone
else, when they show up on the public ftp server. Then we have to
download and build them.

It takes some finite amount of time to make those builds .. and they
never build in the correct order first time around.  So several need to
be rebuilt.  They then need to go through some quick QA by the QA team.

Then we can release them into the CR repo.  Historically this happens
w/in 10 days.  In this case it SHOULD happen on Monday (May 16th,
tomorrow, 6 days after the RHEL 6.8 release date).

Historically, the final CentOS point release happens 10-21 days after
the CR release .. so that would put the final release of CentOS-6.8 at
somewhere between 26 May and 11 June.  Why so long .. we have to further
test the RPMs, we have to generate new ISOs with a new comps file and
test all the ISOs.  We have to generate and test cloud images and KVM
images.

> 
> As this is an important update I'd like to know if there is help
> needed to get it out faster.

Since Red Hat based this on top of the 6.8 release, I first have to
build 6.8, then build these .el6_8 updates against 6.8.

Had they released these updates built against 6.7, I could have built
them and released them against 6.7.  That's just how it goes.



