Hello,

I ask here if CentOS has an XML OVAL repository.

This is the reason for my question:

Actually I have an automatic system to check CVE vulnerability reports against RedHat OVAL resources, for example:

https://www.redhat.com/security/data/oval/com.redhat.rhsa-2011.xml

for the 2011 CVE- and RHSA-related OVALs.

My problem is that while the mechanism works flawlessly regarding Scientific Linux, with CentOS I have false positive reports because the patch level numbers for some rpms are somewhat different from the ones written in the official RedHat OVALs.

I will give an example to explain myself better:

Consider CVE-2011-0020, which corresponds to the RHSA-2011:0180-1 security advisory and regards a pango vulnerability.

RedHat calls the updated rpm which addresses the vulnerability pango-1.14.9-8.el5_6.2

CentOS calls it pango-1.14.9-8.el5.centos.2

So we have pango-1.14.9-8.el5_6.2 in the RedHat OVALs, while CentOS has pango-1.14.9-8.el5.centos.2, and I think they both address the CVE-2011-0020 vulnerability, but since the naming is different I have a report that my pango RPM on CentOS is vulnerable, while on SL with the same rpm I have no false positives and everything is OK.

So I ask if CentOS has its own OVAL XML files, because I cannot use the RedHat OVALs with CentOS in a reliable way for my purposes.

Thank you very much

Rick

On 4/28/11 4:17 PM, Johnny Hughes wrote:
> On 04/28/2011 07:47 AM, Riccardo Veraldi wrote:
>> Hello,
>> I have seen that package libvirt-0.8.2-15.el5_6.3 on CentOS 5.6 which
>> addresses CVE-2011-1146
>> <https://www.redhat.com/security/data/cve/CVE-2011-1146.html> vulnerability
>> is not yet available while for example it is on Scientific Linux.
>> Is there any particular reason why the above rpm update is still not
>> available on mirrors ?
>>
> This was pushed, it just had a .el5 instead of .el5_6 dist tag, so it
> looks older than the other update. Corrected and repushed.
>
> Thanks,
> Johnny Hughes
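Why the two pango builds compare as different patch levels, shown as an added example that is not part of the original thread: a simplified Python version of rpm's segment-by-segment version comparison, applied to the two package names from the message. It assumes the checker flags a package when its installed version-release sorts lower than the one named in the OVAL definition; the function names are hypothetical, and epochs and rpm's `~`/`^` rules are left out.

```python
import re

# rpm compares runs of digits and runs of letters; separators such as "." and "_" only split.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b (simplified: no epoch, '~' or '^')."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            # A numeric segment always sorts newer than an alphabetic one.
            return 1 if x_num else -1
        if x_num:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    # All shared segments are equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nvr(nvr: str):
    """Split 'name-version-release' on its last two hyphens."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_older(installed: str, fixed: str) -> bool:
    """True when the installed build sorts before the fixed build from the OVAL definition."""
    name_i, ver_i, rel_i = split_nvr(installed)
    name_f, ver_f, rel_f = split_nvr(fixed)
    if name_i != name_f:
        raise ValueError("different packages")
    return (rpmvercmp(ver_i, ver_f) or rpmvercmp(rel_i, rel_f)) < 0


RHEL_FIXED = "pango-1.14.9-8.el5_6.2"          # build named in the Red Hat OVAL
CENTOS_BUILD = "pango-1.14.9-8.el5.centos.2"   # build installed on CentOS

if __name__ == "__main__":
    # Releases split into 8, el, 5, 6, 2 and 8, el, 5, centos, 2:
    # the alphabetic "centos" loses to the numeric "6", so the CentOS build sorts older.
    print("CentOS build flagged:", is_older(CENTOS_BUILD, RHEL_FIXED))
```

The same rule explains the reply quoted above: a release ending in `.el5` has no segment left to compare against the `6` in `.el5_6`, so it sorts as the older build.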