[CentOS] OpenSSL Update - not a security update???

Johnny Hughes johnny at centos.org
Wed Mar 2 03:58:03 UTC 2016


On 03/01/2016 09:41 PM, Johnny Hughes wrote:
> On 03/01/2016 09:17 PM, Peter wrote:
>> On 02/03/16 15:57, Anthony K wrote:
>>> This command output is odd:
>>>
>>> yum update --security
>>> ...
>>> No packages needed for security; 118 packages available
>> ...
>>> Why does yum not consider this CESA a security update?
>>
>> Cherry-picking updates is not supported by CentOS, this is because each
>> package is built on a system with all previous updates applied and as
>> such each update that you install should have all previous updates
>> applied or there can be problems.
>>
>> As such CentOS does not support the --security option for yum, nor does
>> it support the yum-security plugin.  You are expected to update your
>> entire system, not to do so will leave you with an unsupported system.
>> Also there will be other packages as well that have security issues that
>> need updating.
> 
> RHEL does not support only security updates either .. they do have
> things like AUS / EAS .. but those things require all updates to be
> installed, not just all security updates.
> 
> If you look at this update:
> 
> https://access.redhat.com/errata/RHSA-2016:0303
> 
> Look in the *Solution* section:
> 
> "Before applying this update, make sure all previously released errata
> relevant to your system have been applied."
> 
> That does not say all security errata .. it says all errata.  The same
> thing is on every Red Hat errata page.   They expect that you are
> running whatever is an updated system.  If you are running AUS or EUS,
> they still expect you to do all updates for that repo, not just security
> updates.
> 
> But the security plugins do not work for CentOS and they never have,
> Peter is correct, you need to run yum update or call out the specific
> packages you want updated.
> 
> You can look at the announce list to figure out which ones are SA or BA
> or EA .. but you want all of them, as they go together.

Also, just installing the update is not enough, you also need to make
sure SSLv2 is disabled on the appropriate services:

http://red.ht/1pngpQ2




