[CentOS] CVE-2014-0196 and upgrade of Centos 6

Johnny Hughes

johnny at centos.org
Thu May 29 12:46:19 UTC 2014


On 05/29/2014 07:04 AM, Jason Pyeron wrote:
>> -----Original Message-----
>> From: Alexander Danilov
>> Sent: Thursday, May 29, 2014 7:14
>>
>> Hi,
>>
>> I have a question about this vulnerability. Could someone 
>> please help me 
> Google can help.
>
> https://www.google.com/search?q=CVE-2014-0196 gives you
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196
> And that says https://bugzilla.redhat.com/show_bug.cgi?id=1094232 which says
> https://rhn.redhat.com/errata/RHSA-2014-0512.html
>
> Or I like to search this way:
>
> https://www.google.com/search?q=CVE-2014-0196+%2Bsite%3Aredhat.com
>
>> which packages i should upgrade in Centos 6 to fix this 
>> vulnerability? I 
>> don't want to perform upgrade of whole system with "yum upgrade".
> Kernel, if applicable. You did not give enough information to determine an
> answer.
>
> -Jason

I want to be very clear on CVE's and the way they are tested at CentOS.

First, I want to ensure everyone knows that CentOS does NOT usually do
any verification with respect to CVE issues.  We build what Red Hat
releases when they release it.  Their security and engineering teams are
the ones that research the problem, develop a plan, write code, build
the new packages and test to verify that:

1) There was a problem that needs fixing.
2) The fix proposed actually fixes the vulnerability (in RHEL).

We then grab the released code after Red Hat publicly releases it and
build it for CentOS.

What does this mean for CentOS users ... it means that YOU are
responsible to test the there is no longer an issue in YOUR environment
after you do the install.  If you want a CERTIFIED fix that has been
tested, that is what Red Hat provides in RHEL.  The reason they charge a
subscription price is because the do all this testing and they provide
assurance that the issues are known, fixed, tested, and certified as
mitigated.

All of that being said, If you are concerned with the Security aspects
of an update, you have to have ALL updates before that one also
installed.  If you have an older glibc then why would you think that
something that calls that library would necessarily be secure by adding
an update to the Kernel.  All libraries (so ALL PREVIOUS PACKAGES),
INCLUDING the package in question that fixes the CVE, need to be
installed to be confident that you have mitigated a problem.  This is
CLEARLY stated on every Red Hat security page ... here is a quote from
the CVE you asked about:

"Before applying this update, make sure all previously released errata
relevant to your system have been applied."

You can't JUST install the package that has the CVE fix and leave
everything else at an older level.  Certainly if you do, you must
validate that in THAT scenario (old packageZ, older packageY, new
packageX).  Even in RHEL, if you only install one Security update and
none of the preceding updates, you would need to test that the issue was
mitigated in that scenario as that would NOT have been tested or
certified by any team.

=========

Complicating this specific issue ... you asked about  "CVE-2014-0196"
... that is NOT an issue that impacts CentOS-6.5 ... it is an issue that
is released for "Red Hat Enterprise Linux Server EUS (v. 6.3.z)". 

See this link:
https://rhn.redhat.com/errata/RHSA-2014-0512.html

CentOS does not and has never done the EUS builds ... as Red Hat does
not and has never released the sources for the Extended Update Service
streams. 

If you want EUS capability (and it is certainly a good thing to have),
then you need a RHEL subscription.

=========

To be clear, installing only Security Updates and not also all updates
preceding that Security Update is not (nor has it ever been) recommended
... if you do it, you are not using a tested configuration.  This is
true of ANY operating system, not just CentOS.


Thanks,
Johnny Hughes





-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20140529/93eba8de/attachment-0001.sig>


More information about the CentOS mailing list