On Mon, April 27, 2015 12:01 pm, Jonathan Billings wrote: > On Mon, Apr 27, 2015 at 02:39:30PM +0530, Venkateswara Rao Dokku wrote: >> Thanks for the replies. The tool that we used for testing the security >> vulnerability is "Nessus". >> >> I have glibc version 2.17-78.el7, I saw that CVE-2015-0235 (Ghost) is >> fixed >> in this version and I want to apply patch for the vulnerbailities >> CVE-2015-1472 & CVE-2015-1473. Can you please help me in finding the >> right >> version that has fixes for these? > > You have the latest glibc package available. > > Checking upstream, Red Hat has their CVE information here: > > https://access.redhat.com/security/cve/CVE-2015-1472 > https://access.redhat.com/security/cve/CVE-2015-1473 > > If you look at the CVE page for the Ghost vulnerability > (https://access.redhat.com/security/cve/CVE-2015-0235) it links to any > security advisories which would include an update. Both 1472 and 1473 > are marked as 'Low' impact so I suspect there won't be any updated > package to address it until later. > > I would STRONGLY suggest against attempting to build your own glibc. > This reminds me about old times when RedHat was backporting security patches to older versions of software (whenever applicable) thus keeping the system secure, yet keeping all relying on software internals (which may change with version) still working. This kind of makes "security analyzers" relying on software versions more misleading than helpful. Especially if the sysadmin does his job (sometimes we had to keep older version in place working around some vulnerability to have our system not vulnerable - e.g. turned off ciphers in case of "poodle"). I am not saying anything about Nessus which I never used. Having a good system, fully updated ( unnecessary services turned of, etc. all done according to securing system checklist) would be the best thing to have. Those security tools... I wish none of good sysadmins has less knowledgeable supervisor armed with one or few of these vulnerability checkers ;-) Valeri ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++