[CentOS] Centos security update

Fri Apr 24 12:31:28 UTC 2015
Jim Perrin <jperrin at centos.org>


On 04/24/2015 04:21 AM, Venkateswara Rao Dokku wrote:
> Hi,
> 
> I was using CentOS 7 and when I ran some custom commercial security scan on
> my machine, I found about 122 vulnerabilities.
> 
> Can you help me on how to get security upgrades on top of my existing
> CentOS?

The short answer: 'yum update'

The long answer: nearly all commercial scanners test via version number,
not actual vulnerabilities. You can take the list of 'vulnerable'
packages and the related CVEs and 'rpm -q <package> --changelog | grep
-i cve' to see that it's been addressed.

Alternatively, upstream maintains a CVE database at
https://access.redhat.com/security/cve/ where you can search the CVE and
match related (or newer) versions.

I have a very long profanity-laden rant about commercial scanning
software and practices that I'll spare folks from. TL;DR it's all
terrible, and the vendors have little to no incentive for fixing it.



Note: we (CentOS) do not validate CVE closure separately. We rebuild
source provided by RH, assuming that they have done the due diligence.



-- 
Jim Perrin
The CentOS Project | http://www.centos.org
twitter: @BitIntegrity | GPG Key: FA09AD77
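The changelog check suggested in the reply above, as an added example that is not part of the original message: the helper functions, the package name, the CVE ids and the changelog text are all constructed for illustration, not taken from any real advisory.

```shell
#!/bin/sh
# Check whether a backported fix for a CVE is recorded in an RPM changelog,
# following "rpm -q <package> --changelog | grep -i cve" from the reply.
# Everything below is constructed example data, not a real package or advisory.

# changelog_mentions_cve CHANGELOG_TEXT CVE_ID
# Exit 0 if CVE_ID appears in the changelog as a whole token, case-insensitively.
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -iqw -e "$2"
}

# cves_in_changelog CHANGELOG_TEXT
# Print every distinct CVE id referenced in the changelog, upper-cased, sorted.
cves_in_changelog() {
    printf '%s\n' "$1" | grep -oiE 'CVE-[0-9]{4}-[0-9]{4,}' \
        | tr '[:lower:]' '[:upper:]' | sort -u
}

# installed_package_fixes_cve PACKAGE CVE_ID
# Same check against the installed package on a real RPM-based system.
installed_package_fixes_cve() {
    changelog_mentions_cve "$(rpm -q "$1" --changelog)" "$2"
}

# Constructed sample in rpm changelog format (hypothetical package and CVEs).
SAMPLE_CHANGELOG='* Mon Mar 02 2015 Example Packager <pkg@example.org> - 1.0.1-4
- fix buffer overflow in parser (CVE-2015-0001)
- backport upstream patch for cve-2015-0002

* Wed Jan 14 2015 Example Packager <pkg@example.org> - 1.0.1-3
- rebuild for new toolchain'

# Usage on the sample: list the CVEs the changelog claims to address.
cves_in_changelog "$SAMPLE_CHANGELOG"
```

Because the version string alone says nothing about backports, a scanner flagging a package should be cross-checked this way before treating the finding as open.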