[CentOS] CVE-2014-0196 and upgrade of Centos 6

Thu May 29 12:46:19 UTC 2014
Johnny Hughes <johnny at centos.org>

On 05/29/2014 07:04 AM, Jason Pyeron wrote:
>> -----Original Message-----
>> From: Alexander Danilov
>> Sent: Thursday, May 29, 2014 7:14
>>
>> Hi,
>>
>> I have a question about this vulnerability. Could someone 
>> please help me 
> Google can help.
>
> https://www.google.com/search?q=CVE-2014-0196 gives you
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196
> And that says https://bugzilla.redhat.com/show_bug.cgi?id=1094232 which says
> https://rhn.redhat.com/errata/RHSA-2014-0512.html
>
> Or I like to search this way:
>
> https://www.google.com/search?q=CVE-2014-0196+%2Bsite%3Aredhat.com
>
>> which packages i should upgrade in Centos 6 to fix this 
>> vulnerability? I 
>> don't want to perform upgrade of whole system with "yum upgrade".
> Kernel, if applicable. You did not give enough information to determine an
> answer.
>
> -Jason

I want to be very clear on CVE's and the way they are tested at CentOS.

First, I want to ensure everyone knows that CentOS does NOT usually do
any verification with respect to CVE issues.  We build what Red Hat
releases when they release it.  Their security and engineering teams are
the ones that research the problem, develop a plan, write code, build
the new packages and test to verify that:

1) There was a problem that needs fixing.
2) The fix proposed actually fixes the vulnerability (in RHEL).

We then grab the released code after Red Hat publicly releases it and
build it for CentOS.

What does this mean for CentOS users ... it means that YOU are
responsible to test that there is no longer an issue in YOUR environment
after you do the install.  If you want a CERTIFIED fix that has been
tested, that is what Red Hat provides in RHEL.  The reason they charge a
subscription price is because they do all this testing and they provide
assurance that the issues are known, fixed, tested, and certified as
mitigated.

All of that being said, if you are concerned with the Security aspects
of an update, you have to have ALL updates before that one also
installed.  If you have an older glibc then why would you think that
something that calls that library would necessarily be secure by adding
an update to the Kernel?  All libraries (so ALL PREVIOUS PACKAGES),
INCLUDING the package in question that fixes the CVE, need to be
installed to be confident that you have mitigated a problem.  This is
CLEARLY stated on every Red Hat security page ... here is a quote from
the CVE you asked about:

"Before applying this update, make sure all previously released errata
relevant to your system have been applied."

You can't JUST install the package that has the CVE fix and leave
everything else at an older level.  Certainly if you do, you must
validate that in THAT scenario (old packageZ, older packageY, new
packageX).  Even in RHEL, if you only install one Security update and
none of the preceding updates, you would need to test that the issue was
mitigated in that scenario as that would NOT have been tested or
certified by any team.

=========

Complicating this specific issue ... you asked about "CVE-2014-0196"
... that is NOT an issue that impacts CentOS-6.5 ... it is an issue that
is released for "Red Hat Enterprise Linux Server EUS (v. 6.3.z)".

See this link:
https://rhn.redhat.com/errata/RHSA-2014-0512.html

CentOS does not and has never done the EUS builds ... as Red Hat does
not and has never released the sources for the Extended Update Service
streams.

If you want EUS capability (and it is certainly a good thing to have),
then you need a RHEL subscription.

=========

To be clear, installing only Security Updates and not also all updates
preceding that Security Update is not (nor has it ever been) recommended
... if you do it, you are not using a tested configuration.  This is
true of ANY operating system, not just CentOS.


Thanks,
Johnny Hughes
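The verification step the reply above puts on the CentOS user (confirm in your own environment that the issue is gone after installing), as an added POSIX shell example that is not part of this thread. The changelog text and kernel version strings are constructed samples; on a real CentOS 6 host the inputs would come from `rpm -q --changelog kernel`, the newest installed kernel package, and `uname -r`.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: decide whether a given
# CVE fix is both installed and actually running on a CentOS 6 box.
# Real inputs would be:
#   rpm -q --changelog kernel                         (installed changelog)
#   rpm -q --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' kernel | sort -V | tail -1
#   uname -r                                          (kernel actually running)

# Return 0 if the changelog text ($1) names the CVE ($2) in any entry.
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -q -F -- "$2"
}

# Return 0 if the newest installed kernel ($1) is the one running ($2);
# an installed-but-not-booted kernel mitigates nothing.
running_kernel_is_newest() {
    [ "$1" = "$2" ]
}

# Combined verdict: prints "mitigated", "reboot-required" or
# "fix-not-installed" and returns 0 only when mitigated.
cve_status() {
    cve=$1; changelog=$2; newest=$3; running=$4
    if ! changelog_mentions_cve "$changelog" "$cve"; then
        echo "fix-not-installed"; return 1
    fi
    if ! running_kernel_is_newest "$newest" "$running"; then
        echo "reboot-required"; return 2
    fi
    echo "mitigated"; return 0
}

# Constructed sample changelog and versions (placeholders, not real
# RHEL/CentOS package data).
SAMPLE_CHANGELOG='* Tue May 20 2014 Example Packager <packager@example.invalid> [2.6.32-999.2.el6]
- [tty] fix for CVE-2014-0196
* Mon Apr 14 2014 Example Packager <packager@example.invalid> [2.6.32-999.1.el6]
- [net] unrelated earlier fix'
NEWEST=2.6.32-999.2.el6.x86_64
RUNNING=2.6.32-999.1.el6.x86_64

# Demo: the fix is installed but the older kernel is still booted, so the
# verdict on this sample is "reboot-required".
cve_status CVE-2014-0196 "$SAMPLE_CHANGELOG" "$NEWEST" "$RUNNING" || true
```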
