[CentOS] A potentially newbie question about vulnerability patching speed in CentOS 7.x's yum repository

Wed Aug 30 09:18:54 UTC 2017
Fabian Arrotin <arrfab at centos.org>

On 30/08/17 11:09, 知乎申诉处理 wrote:
> I've been dubbing with management of security vulnerabilities and their fixes for a while, recently I discovered there may be a delay in the process of software updates made available on CentOS yum repository. 
> take CVE-2017-5335 for example:
> In redhat official notice board :https://access.redhat.com/security/cve/cve-2017-5335  we can see there is a link point to advisory for RHEL 7: https://access.redhat.com/errata/RHSA-2017:2292 . from there we can see that the fix happens at gnutls 3.3.26. 
> But when trying to update with yum update from a CentOS 7.3 x64 machine. there is no 3.3.26 available. Only available rpm for CentOS 7.3.1611 for x86_64 is gnutls-3.3.24.
> This result can be verified using rpm finder: https://www.rpmfind.net/linux/rpm2html/search.php?query=gnutls
> Same problem happens to other software packages such as:
> glibc
> tcpdump
> libnl
> mariadb
> ...
> (and many others)
> Why is that? and are those software packages not going to get fixed?
> - p.s. please excuse me for any formating issues.  :) 
> Jeff

You're searching for packages that are already built but in an "interim"
repository : RHEL 7.4 was released but CentOS 7.4.1708 isn't yet
available, while packages are built (almost all of them)

and you'll have all the packages you're looking for

Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20170830/90674238/attachment-0004.sig>