Older CVEs fixed in kernel version of CentOS 6.7 (2.6.32)
Posted: 2018/03/06 05:02:20
We are looking for some information on the CVEs fixed in the latest version of the Linux kernel used in CentOS 6.7. Currently our product is running on top of CentOS 6.7 and the version of the Linux kernel is 2.6.32-696.18.7.el6.
Our internal security team found out that the base version of the Linux kernel (which is 2.6.32) is vulnerable to a bunch of security vulnerabilities, like
CVE-2011-1476, CVE-2011-1180, CVE-2009-4536, CVE-2010-1086, CVE-2009-4538 and many more. We are aware that the CentOS team does backporting of security fixes into lower branches of the kernel.
But there is no way to identify if the above-mentioned vulnerabilities (most of them were reported way back in 2010, 2011 and 2012) are fixed in the kernel version (2.6.32-696.18.7.el6) we are currently using.
We have tried the command (rpm -q --changelog kernel) to identify the fixes that went in for the CVEs. But the above-mentioned ones (CVE-2011-1476, CVE-2011-1180) were not listed in the changelog!
For example, the CVE (CVE-2010-1086) reports that Linux kernel 2.6.33 and earlier versions are affected. But RHEL (RHEL 4 and RHEL 5) has provided kernel patches for this CVE as given in the RHSA (https://access.redhat.com/errata/RHSA-2010:0398). The kernel version and release (kernel-2.6.18-194.3.1.el5.x86_64.rpm) are lower than the one we are currently using.
We have done our bit of analysing the CVEs and assume that the security vulnerabilities reported are pretty old and hence would have been fixed in the kernel version we currently use. Is there any documentation that we can rely on to show which older CVE fixes are part of the current kernel version (2.6.32-696.18.7.el6) we use?
Any pointers would be welcome.
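Added example (not part of the original post, and not a CentOS or Red Hat tool): a small POSIX shell script that runs the changelog check the poster describes for a whole list of CVE identifiers at once, instead of eyeballing `rpm -q --changelog` output. It assumes `rpm` and a `grep` that supports `-w`. When `rpm` is not available, a constructed changelog stands in for the real one; its entries are invented for the demonstration and say nothing about what the real CentOS kernel does or does not fix.

```shell
#!/bin/sh
# Added example (not from the original post, not CentOS/Red Hat tooling):
# check a kernel RPM changelog for a list of CVE identifiers.
# On a real CentOS 6 host the changelog comes from
#   rpm -q --changelog kernel-$(uname -r)
# Offline, the constructed text below stands in for it. Its entries are
# invented for this demonstration and say nothing about the real kernel.

SAMPLE_CHANGELOG='* Tue Jan 09 2018 Example Packager <nobody@example.invalid> [2.6.32-696.18.7.el6]
- [fs] constructed entry: backport of an upstream fix (CVE-2010-1086)
- [sound] constructed entry: fixes for CVE-2009-4536 and cve-2009-4538
* Mon Jan 01 2018 Example Packager <nobody@example.invalid> [2.6.32-696.18.6.el6]
- [net] constructed entry that cites a bug ticket but no CVE'

# check_cves CHANGELOG CVE-ID...
# Prints one "CVE-ID: found" or "CVE-ID: missing" line per identifier.
# -w keeps CVE-2010-1086 from matching CVE-2010-10861; -i tolerates
# lower-case "cve-" in hand-written entries.
check_cves() {
    changelog=$1
    shift
    for cve in "$@"; do
        if printf '%s\n' "$changelog" | grep -qiw -- "$cve"; then
            printf '%s: found\n' "$cve"
        else
            printf '%s: missing\n' "$cve"
        fi
    done
}

# count_found CHANGELOG CVE-ID...: how many of the IDs appear at least once.
# grep -c exits 1 when the count is 0, so mask that to keep callers simple.
count_found() {
    check_cves "$@" | grep -c ': found$' || true
}

# missing_cves CHANGELOG CVE-ID...: only the IDs with no changelog entry,
# i.e. the ones that still need to be looked up elsewhere.
missing_cves() {
    check_cves "$@" | sed -n 's/: missing$//p'
}

# Use the running kernel's real changelog when rpm knows that package,
# otherwise fall back to the constructed sample.
if command -v rpm >/dev/null 2>&1 && rpm -q "kernel-$(uname -r)" >/dev/null 2>&1; then
    CHANGELOG=$(rpm -q --changelog "kernel-$(uname -r)")
else
    CHANGELOG=$SAMPLE_CHANGELOG
fi

CVES="CVE-2011-1476 CVE-2011-1180 CVE-2009-4536 CVE-2010-1086 CVE-2009-4538"
# shellcheck disable=SC2086  # word splitting of $CVES is intended here
check_cves "$CHANGELOG" $CVES
printf 'not in changelog: %s\n' "$(missing_cves "$CHANGELOG" $CVES | tr '\n' ' ')"
```

A CVE that is absent from the changelog is not proof that the kernel is vulnerable: the fix may already be in the upstream 2.6.32 base the RHEL 6 kernel was forked from, or the entry may cite only a Bugzilla ticket. Treat the "missing" list as the set of identifiers to look up in the Red Hat CVE database (https://access.redhat.com/security/cve/CVE-YYYY-NNNN), which states the affected/fixed status per RHEL release and links the errata that shipped the fix.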