> -----Original Message-----
> From: Johnny Hughes
> Sent: Thursday, May 29, 2014 8:46
>
> I want to be very clear on CVEs and the way they are tested at CentOS.
>
> First, I want to ensure everyone knows that CentOS does NOT usually do
> any verification with respect to CVE issues. We build what Red Hat
> releases when they release it. Their security and engineering teams are
> the ones that research the problem, develop a plan, write code, build
> the new packages and test to verify that:
>
> 1) There was a problem that needs fixing.
> 2) The fix proposed actually fixes the vulnerability (in RHEL).
>
> We then grab the released code after Red Hat publicly releases it and
> build it for CentOS.
>
> What does this mean for CentOS users ... it means that YOU are
> responsible to test that there is no longer an issue in YOUR environment
> after you do the install. If you want a CERTIFIED fix that has been
> tested, that is what Red Hat provides in RHEL. The reason they charge a
> subscription price is because they do all this testing and they provide
> assurance that the issues are known, fixed, tested, and certified as
> mitigated.
>
> All of that being said, if you are concerned with the security aspects
> of an update, you have to have ALL updates before that one also
> installed. E.g. if you have an older glibc, then why would you think that
> something that calls that library would necessarily be secure by adding
> an update to the kernel. All libraries (so ALL PREVIOUS PACKAGES),
> INCLUDING the package in question that fixes the CVE, need to be
> installed to be confident that you have mitigated a problem. This is
> CLEARLY stated on every Red Hat security page ... here is a quote from
> an exemplar CVE from the upstream provider:
>
> "Before applying this update, make sure all previously released errata
> relevant to your system have been applied."
>
> You can't JUST install the package that has the CVE fix and leave
> everything else at an older level. Certainly if you do, you must
> validate that in THAT scenario (old packageZ, older packageY, new
> packageX). Even in RHEL, if you only install one security update and
> none of the preceding updates, you would need to test that the issue was
> mitigated in that scenario as that would NOT have been tested or
> certified by any team.
>
> <snip/>
>
> To be clear, installing only security updates and not also all updates
> preceding that security update is not (nor has it ever been)
> recommended ... if you do it, you are not using a tested configuration.
> This is true of ANY operating system, not just CentOS.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- Jason Pyeron                  PD Inc. http://www.pdinc.us -
- Principal Consultant          10 West 24th Street #100    -
- +1 (443) 269-1555 x333        Baltimore, Maryland 21218   -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
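A post-install check in the spirit of the quoted advice, added here as an example; it is not code from the thread, from CentOS or from Red Hat. It relies on the exit codes yum(8) documents for check-update (0 = nothing pending, 100 = updates available, 1 = error) and lets YUM_CHECK and RPM_QUERY be overridden so the decision logic can be exercised without a real yum; the package and version values in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: report a CVE as mitigated only
# when the fixed package version is installed AND yum says no other updates
# are pending, because a box with only the one security erratum applied is
# an untested configuration (see the quoted message).
#
# yum(8): check-update exits 0 = nothing pending, 100 = updates available,
# 1 = error. YUM_CHECK and RPM_QUERY are overridable (assumption: so the
# logic can be tested on a host without yum/rpm).
YUM_CHECK="${YUM_CHECK:-yum -q check-update}"
RPM_QUERY="${RPM_QUERY:-rpm -q --qf %{VERSION}-%{RELEASE}}"

# version_le A B: true (0) when A <= B in version-sort order (GNU sort -V).
version_le() {
    printf '%s\n%s\n' "$1" "$2" | sort -V -c 2>/dev/null
}

# cve_mitigated PKG FIXED_VERSION
#   0 = fixed version installed and no updates pending
#   1 = installed version is older than the fix
#   2 = package not installed
#   3 = fix installed, but other updates still pending (untested configuration)
#   4 = could not query yum
cve_mitigated() {
    pkg="$1"; fixed="$2"
    installed=$($RPM_QUERY "$pkg" 2>/dev/null) || { echo "$pkg: not installed"; return 2; }
    if ! version_le "$fixed" "$installed"; then
        echo "$pkg: $installed installed, fix needs $fixed"; return 1
    fi
    rc=0
    $YUM_CHECK >/dev/null 2>&1 || rc=$?
    case $rc in
        0)   echo "$pkg: $installed installed, system fully updated"; return 0 ;;
        100) echo "$pkg: fix present but other updates pending; not a tested configuration"; return 3 ;;
        *)   echo "$pkg: could not query yum (exit $rc)"; return 4 ;;
    esac
}

# Stand-alone use, e.g.: sh check.sh glibc 2.12-1.999   (constructed placeholder version)
if [ $# -ge 2 ]; then
    cve_mitigated "$1" "$2"
fi
```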