[CentOS] A good Centos CVE FAQ entry being born here Was: RE: CVE-2014-0196 and upgrade of Centos 6
Jason Pyeron
jpyeron at pdinc.us
Thu May 29 12:59:20 UTC 2014
> -----Original Message-----
> From: Johnny Hughes
> Sent: Thursday, May 29, 2014 8:46
>
> I want to be very clear on CVE's and the way they are tested
> at CentOS.
>
> First, I want to ensure everyone knows that CentOS does NOT usually do
> any verification with respect to CVE issues. We build what Red Hat
> releases when they release it. Their security and engineering teams
> are the ones that research the problem, develop a plan, write code,
> build the new packages and test to verify that:
>
> 1) There was a problem that needs fixing.
> 2) The fix proposed actually fixes the vulnerability (in RHEL).
>
> We then grab the released code after Red Hat publicly releases it and
> build it for CentOS.
>
> What does this mean for CentOS users ... it means that YOU are
> responsible to test that there is no longer an issue in YOUR
> environment after you do the install. If you want a CERTIFIED fix that
> has been tested, that is what Red Hat provides in RHEL. The reason
> they charge a subscription price is because they do all this testing
> and they provide assurance that the issues are known, fixed, tested,
> and certified as mitigated.
>
> All of that being said, if you are concerned with the Security aspects
> of an update, you have to have ALL updates before that one also
> installed.
E.g.
> If you have an older glibc then why would you think that
> something that calls that library would necessarily be secure
> by adding an update to the Kernel.
> All libraries (so ALL PREVIOUS PACKAGES),
> INCLUDING the package in question that fixes the CVE, need to be
> installed to be confident that you have mitigated a problem. This is
> CLEARLY stated on every Red Hat security page ... here is a quote from
an exemplar CVE from the upstream provider:
>
> "Before applying this update, make sure all previously released errata
> relevant to your system have been applied."
>
> You can't JUST install the package that has the CVE fix and leave
> everything else at an older level. Certainly if you do, you must
> validate that in THAT scenario (old packageZ, older packageY, new
> packageX). Even in RHEL, if you only install one Security update and
> none of the preceding updates, you would need to test that the issue
> was mitigated in that scenario as that would NOT have been tested or
> certified by any team.
>
<snip/>
>
> To be clear, installing only Security Updates and not also all updates
> preceding that Security Update is not (nor has it ever been)
> recommended ... if you do it, you are not using a tested
> configuration. This is true of ANY operating system, not just CentOS.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- -
- Jason Pyeron PD Inc. http://www.pdinc.us -
- Principal Consultant 10 West 24th Street #100 -
- +1 (443) 269-1555 x333 Baltimore, Maryland 21218 -
- -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
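The point made above, that a box given only the CVE fix sits in an untested mix of old and new packages, can be checked before running the update. The script below is an added example of mine, not code from the thread or from the CentOS project: it takes the two listings that `yum check-update` and `yum --security check-update` (yum-plugin-security) print, reports what `yum update --security` would leave at an older level, and greps an `rpm -q --changelog` style text for the CVE id. The package listings, version strings and changelog entry are constructed for the example, not real repository output; the column layout ("name.arch  version-release  repo") is the only thing assumed about yum's format.

```shell
#!/bin/sh
# Added example, not code from the thread: on a CentOS 6 host, report what a
# "security only" update would leave behind, which is exactly the untested
# mix of packages the message warns about. Inputs mimic two yum listings:
#   yum check-update             -> every pending update
#   yum --security check-update  -> only updates flagged as security errata
#                                   (needs yum-plugin-security)
# Each data line is "name.arch  version-release  repo". The listings and the
# changelog text below are constructed for this example, not real repo output.

ALL_PENDING='Loaded plugins: fastestmirror, security

bash.x86_64          4.1.2-0.example     updates
glibc.x86_64         2.12-0.example      updates
glibc-common.x86_64  2.12-0.example      updates
kernel.x86_64        2.6.32-0.example    updates
openssl.x86_64       1.0.1e-0.example    updates
tzdata.noarch        2014-0.example      updates'

SECURITY_PENDING='Loaded plugins: fastestmirror, security

kernel.x86_64        2.6.32-0.example    updates
openssl.x86_64       1.0.1e-0.example    updates'

# Constructed stand-in for the output of:  rpm -q --changelog kernel
SAMPLE_CHANGELOG='* Thu May 29 2014 Example Packager <build@example.invalid> - 2.6.32-0.example
- n_tty: fix for CVE-2014-0196 (constructed changelog entry)'

# Extract the name.arch column from a check-update style listing: skip the
# plugin banner, blank lines and trailers such as "Obsoleting Packages" by
# requiring three fields and a dot in the first one. Sorted with a fixed
# locale so callers can rely on the order.
pkg_names() {
    printf '%s\n' "$1" | awk 'NF >= 3 && $1 ~ /\./ { print $1 }' | LC_ALL=C sort -u
}

# Packages still outdated after `yum update --security`: every pending
# update minus the ones the security filter selects.
left_behind() {
    sec=$(pkg_names "$2")
    if [ -z "$sec" ]; then
        pkg_names "$1"
    else
        # grep takes newline-separated literal patterns; -x avoids prefix
        # matches such as glibc matching glibc-common. Exit 1 (no lines)
        # is not an error here.
        pkg_names "$1" | grep -vxF -- "$sec" || true
    fi
}

left_behind_count() {
    left_behind "$1" "$2" | wc -l | tr -d ' '
}

# True only when applying the security subset gives the same package set as
# applying everything, i.e. the configuration that was actually tested.
update_set_is_tested() {
    [ "$(left_behind_count "$1" "$2")" -eq 0 ]
}

# Does the installed package's changelog reference the CVE?
# $1 is the changelog text, $2 the CVE id.
changelog_has_cve() {
    printf '%s\n' "$1" | grep -qiF -- "$2"
}

# Demo run on the constructed data.
if update_set_is_tested "$ALL_PENDING" "$SECURITY_PENDING"; then
    echo "security-only update matches the full update set"
else
    echo "security-only update would leave these packages at an older level:"
    left_behind "$ALL_PENDING" "$SECURITY_PENDING" | sed 's/^/  /'
fi
if changelog_has_cve "$SAMPLE_CHANGELOG" CVE-2014-0196; then
    echo "changelog references CVE-2014-0196"
fi
```

On a live host, feed the functions the real listings (`ALL=$(yum check-update); SEC=$(yum --security check-update)`) and the real changelog (`rpm -q --changelog kernel`). A non-empty `left_behind` list is the set of packages that would be at an older level than anything Red Hat tested the fix against, which is the situation the message says you must then validate yourself.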