[CentOS] CentOS 5 Security Updates

Thu Feb 24 19:28:08 UTC 2011
R P Herrold <herrold at centos.org>

On Thu, 24 Feb 2011, Cal Webster wrote:

> java-1.6.0-sun

non-FOSS, non-source provided, no?  This is in an addon 
channel in RHEL, and so far as I know we have never shipped 
such.

Of the others the wireshark update is a periodic update of 
some edge case dissectors [these developers are quite good 
about releasing time based 'fixes' for their tool -- a 
different model than upstream, but perfectly valid], and if 
nominally remotely exploitable, as a practical matter, not a 
material threat

The kerberos update crossed vendor-sec, but seems again to be 
an edge case hole

The pgsql update is nominally exploitable, but any sensible 
environment uses iptables and network segment isolation rather 
than adding a world listening daemon

I have commented earlier on my distress at the openjdk 
update NOT crossing vendor-sec.  This said, again, who in 
their right mind exposes an unprotected Java listener 
application to the wild?

I saw that another in the project mentioned 'bypassing' the 
5.6 respin and testing delays for truly exploitable matter. 
The potential 'bind' updates DoS attack vector turned out not 
to affect anything CentOS has shipped in base and updates, and 
so was a 'false positive', as prior discussion here has noted.

If one wants SLA and deterministic intervals between 
announcement and release, it is just not that hard to set up 
one off building and updates from released sources upstream, 
and so one can have it at the price of a little learning and 
experimentation.

Alternatively, CentOS releases promptly on the usual norm, and 
during 'point' update times, falls back to trying to avoid 
'dependency skew' problems by considering the potential 
disruption for millions of machines each needing manual 
depsolving intervention, vs. getting the next update built and 
QA'd and out the door in a durable fashion.

If that is not 'quick enough', see the prior paragraph about 
self-building; or seek a vendor who will sell you the SLA you 
deem you require.  This is a simple 'build vs buy' decision.

[I might note that I have seen NO filed bug in the CentOS 
tracker asserting a need for any of the listed updates on an 
expedited basis.]

-- Russ herrold