[CentOS] Centos security update

Mon Apr 27 17:18:24 UTC 2015
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Mon, April 27, 2015 12:01 pm, Jonathan Billings wrote:
> On Mon, Apr 27, 2015 at 02:39:30PM +0530, Venkateswara Rao Dokku wrote:
>> Thanks for the replies. The tool that we used for testing the security
>> vulnerability is "Nessus".
>>
>> I have glibc version 2.17-78.el7, I saw that CVE-2015-0235 (Ghost) is
>> fixed in this version and I want to apply patch for the vulnerabilities
>> CVE-2015-1472 & CVE-2015-1473. Can you please help me in finding the
>> right version that has fixes for these?
>
> You have the latest glibc package available.
>
> Checking upstream, Red Hat has their CVE information here:
>
> https://access.redhat.com/security/cve/CVE-2015-1472
> https://access.redhat.com/security/cve/CVE-2015-1473
>
> If you look at the CVE page for the Ghost vulnerability
> (https://access.redhat.com/security/cve/CVE-2015-0235) it links to any
> security advisories which would include an update.  Both 1472 and 1473
> are marked as 'Low' impact so I suspect there won't be any updated
> package to address it until later.
>
> I would STRONGLY suggest against attempting to build your own glibc.
>

This reminds me of old times when RedHat was backporting security
patches to older versions of software (whenever applicable), thus keeping
the system secure, yet keeping everything relying on software internals (which
may change with version) still working. This kind of makes "security
analyzers" relying on software versions more misleading than helpful.
Especially if the sysadmin does his job (sometimes we had to keep an older
version in place, working around some vulnerability to have our system not
vulnerable - e.g. turned off ciphers in case of "poodle"). I am not saying
anything about Nessus, which I never used.

Having a good system, fully updated (unnecessary services turned off, etc.,
all done according to a system-securing checklist) would be the best thing
to have. Those security tools... I wish no good sysadmin has a less
knowledgeable supervisor armed with one or a few of these vulnerability
checkers ;-)

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
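The backporting point above has a practical consequence for anyone reconciling a version-based scanner report with a RHEL/CentOS box: the fix for a CVE can be present in a package whose version string the scanner flags. Added example, not from the thread: a small POSIX sh helper that looks the CVE id up in the package's RPM changelog (`rpm -q --changelog` is a real rpm query; the changelog excerpt embedded below is constructed for the demo and is not the real glibc changelog).

```shell
#!/bin/sh
# Added example: check an RPM changelog for a CVE id instead of trusting the
# package version. On a real CentOS host you would feed the helper with:
#   rpm -q --changelog glibc | cve_in_changelog CVE-2015-0235 && echo fixed
# A changelog mention is evidence of a backported fix, not proof; confirm with
# the vendor advisory linked from the CVE page when it matters.

# cve_in_changelog CVE-ID  (changelog text on stdin)
# Returns 0 if the id occurs as a whole token, 1 otherwise. grep -w keeps
# CVE-2015-023 from matching CVE-2015-0235 and vice versa.
cve_in_changelog() {
    grep -qiw -- "$1"
}

# report_cves CHANGELOG_TEXT CVE-ID...  -> one status line per CVE id
report_cves() {
    changelog="$1"
    shift
    for cve in "$@"; do
        if printf '%s\n' "$changelog" | cve_in_changelog "$cve"; then
            printf '%s: changelog entry found (fix likely backported)\n' "$cve"
        else
            printf '%s: no changelog entry; consult the vendor advisory\n' "$cve"
        fi
    done
}

# Constructed changelog excerpt in RPM changelog style (NOT real glibc data).
SAMPLE_CHANGELOG='* Tue Jan 27 2015 Example Packager <packager at example.com> - 2.17-55.1
- Fix buffer overflow in gethostbyname (CVE-2015-0235)
* Mon Dec 01 2014 Example Packager <packager at example.com> - 2.17-55
- Rebase to upstream release'

# Stand-alone demo: the Ghost id is present, the two "Low" ids are not.
report_cves "$SAMPLE_CHANGELOG" CVE-2015-0235 CVE-2015-1472 CVE-2015-1473
```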