On 04/24/2015 04:21 AM, Venkateswara Rao Dokku wrote:
> Hi,
>
> I was using CentOS 7 and when I ran some custom commercial security scan on
> my machine, I found about 122 vulnerabilities.
>
> Can you help me on how to get security upgrades on top of my existing
> CentOS?
>
> # cat /etc/redhat-release
> CentOS Linux release 7.1.1503 (Core)
>
> Thanks for the help.
>

You will need to address each individual issue as one event and track it.

Most security software for Ubuntu does not understand the concept of Red Hat backporting:

https://access.redhat.com/security/updates/backporting/

Therefore, to check CentOS or RHEL properly for security issues, the software needs to be designed to understand what version of a package Red Hat fixed an issue in via their backport .. not how it was fixed in the main upstream project code.

As an example, here is CVE-2014-0226:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0226

Red Hat fixes that in these updates:

EL5 and EL6: https://rhn.redhat.com/errata/RHSA-2014-0920.html
EL7: https://rhn.redhat.com/errata/RHSA-2014-0921.html

That means, because of backporting, this issue is fixed in:

EL5: httpd-2.2.3-87.el5_10.src.rpm
EL6: httpd-2.2.15-31.el6_5.src.rpm
EL7: httpd-2.4.6-18.el7_0.src.rpm

If you look at the Apache web page for vulnerabilities for httpd 2.2 (http://httpd.apache.org/security/vulnerabilities_22.html) and if you search for CVE-2014-0226 you will find it is fixed in version 2.2.28 upstream .. but Red Hat fixed it in versions 2.2.3-87 and in version 2.2.15.

If your software thinks that in order to be protected for CVE-2014-0226 you need version 2.2.28 or higher Apache, then your software kicks out a fail in EL5 if you have version httpd-2.2.3-87 .. but it is NOT a fail.

So, bottom line, your software has to know how Red Hat did backports for EL via backporting or it will give false positives.

The same is true for EL7 too .. Apache fixes CVE-2014-0226 in 2.4.10 .. Red Hat fixes it in httpd-2.4.6-18.el7_0 .. software needs to know 2.4.10 is not needed because of a backport.
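As an added illustration (not code from the mail or from Red Hat), here is a Python check that compares an installed httpd package's version-release against the backported fix versions listed above, using RPM's own version-ordering rules, next to the naive "bare version against upstream" check that produces the false positive the mail describes. The fixed versions are the ones from the mail; the function names, the simplified rpmvercmp (no epoch, no '^' handling) and the sample NVRs are my own.

```python
import re
# Red Hat's backported fix for CVE-2014-0226, per EL release (from the mail).
FIXED_HTTPD = {"el5": ("2.2.3", "87.el5_10"),
               "el6": ("2.2.15", "31.el6_5"),
               "el7": ("2.4.6", "18.el7_0")}
# Upstream Apache fix versions; a scanner knowing only these fails EL hosts.
UPSTREAM_FIXED = {"2.2": "2.2.28", "2.4": "2.4.10"}
_SEG = re.compile(r"\d+|[A-Za-z]+|~")   # version segments, separators dropped

def rpmvercmp(a, b):
    """librpm-style ordering: numeric runs as ints, alpha runs lexically, numeric
    beats alpha, '~' sorts first, separators ignored. Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if "~" in (x, y):
            return -1 if x == "~" else 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            c = 1 if x.isdigit() else -1          # number outranks letters
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    if len(sa) == len(sb):
        return 0
    # Common prefix equal: the longer string is newer unless its extra is '~'.
    a_longer = len(sa) > len(sb)
    extra = (sa if a_longer else sb)[min(len(sa), len(sb))]
    return (1 if a_longer else -1) * (-1 if extra == "~" else 1)

def backport_aware_fixed(nvr):
    """True if httpd NVR is at/after Red Hat's fix for its EL release; None if unknown."""
    name, ver, rel = nvr.rsplit("-", 2)              # no epoch in these NVRs
    m = re.search(r"\.(el\d+)", rel)
    if name != "httpd" or not m or m.group(1) not in FIXED_HTTPD:
        return None
    fver, frel = FIXED_HTTPD[m.group(1)]
    c = rpmvercmp(ver, fver)
    return (c if c else rpmvercmp(rel, frel)) >= 0

def upstream_only_fixed(nvr):
    """The naive scanner logic: bare version against upstream's fix version."""
    ver = nvr.rsplit("-", 2)[1]
    branch = ".".join(ver.split(".")[:2])
    if branch not in UPSTREAM_FIXED:
        return None
    return rpmvercmp(ver, UPSTREAM_FIXED[branch]) >= 0
```

On a real host the same comparison is what `rpm -q --changelog httpd | grep CVE-2014-0226` settles by hand: the changelog names the CVE even though the version string never reaches 2.2.28 or 2.4.10.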