Workstations remotely vulnerable, servers exposed to DOS attacks

Support for security such as Firewalls and securing linux
pza81
Posts: 33
Joined: 2007/07/10 08:02:35

Re: Workstations remotely vulnerable, servers exposed to DOS attacks

Post by pza81 » 2011/09/19 16:56:43

h_fat wrote:
[quote]In my opinion, CentOS 6.0 without custom updates should not be used in any kind of live environment at the moment.[/quote]

I couldn't agree more. A number of the vulnerabilities (both server and desktop based) have easy-to-find exploits available on the web.

This very serious problem isn't mentioned anywhere on the web site. In fact, the front page states the opposite:
[i]"Since upstream has a 6.1 version already released, we will be using a Continuous Release repository for 6.0 to bring all 6.1 and post 6.1 security updates to all 6.0 users, till such time as CentOS-6.1 is released itself."
"CentOS has numerous advantages over some of the other clone projects including: ... quickly rebuilt, tested, and QA'ed errata packages"[/i]

For a distro which prides Enterprise in its title, this is extremely irresponsible. I still don't understand why the CentOS devs don't seriously accept offers of assistance, or behave in a more transparent manner. It seems like they are more interested in an ego trip than a reputable, secure product.

pza81
Posts: 33
Joined: 2007/07/10 08:02:35

Re: Workstations remotely vulnerable, servers exposed to DOS attacks

Post by pza81 » 2011/09/27 03:37:57

The CR repository is now available for 6.0, which has many of the critical updates; apparently all should be up in a few days. Still a bit sad that CentOS isn't secure by default, requiring additional configuration to get many critical fixes. All too little, all too late, I think.

https://www.centos.org/modules/newbb/viewtopic.php?topic_id=33458&forum=53
http://wiki.centos.org/AdditionalResources/Repositories/CR

svillano
Posts: 2
Joined: 2011/12/12 02:25:53

Re: Workstations remotely vulnerable, servers exposed to DOS attacks

Post by svillano » 2011/12/12 02:34:54

I'd love to see some updates.
I'm an information security professional and one of my top pet peeves is no security updates!
CentOS bills the project as free enterprise-level Linux. Indeed, were any enterprise product to not release security updates, said product owner would quickly be out of business due to litigation!
There are vulnerabilities from 2009 in the current release!

I don't gripe without documentation; attached is an OpenVAS scan of a virtual machine in my test lab.
I'll be passing said report around during our weekly meeting, as there has been some interest in CentOS. I sincerely doubt our clients will be interested in it.
They'll just go with RHEL and a contract.

svillano
Posts: 2
Joined: 2011/12/12 02:25:53

Re: Workstations remotely vulnerable, servers exposed to DOS attacks

Post by svillano » 2011/12/12 02:52:08

Well, couldn't upload the file, as the directory permissions on the server are wrong to permit it.
From the folks with "enterprise class" software.
I'll be nice and await an official response before I put a web block on CentOS's sites.

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Workstations remotely vulnerable, servers exposed to DOS attacks

Post by TrevorH » 2011/12/12 09:16:41

If you're just running OpenVAS/Nessus and taking any vulnerabilities that they find at face value, then you need to investigate further. A large number of Nessus tests just examine the version number of the product as reported in the service banner, and this leads to a lot of false positives. Red Hat backport security fixes to the older releases and keep the version numbers the same, so a check that says to itself "are you running 5.0.0 of this product? Oh dear, there's a problem" will give a false positive on RHEL-based systems where the fix from 6.0.0 has been backported while they still ship 5.0.0 of the product.

You need to grab a CVE number then run

[code]
rpm -q --changelog $productname | grep CVE-xxx-xxx
[/code]

and even then you cannot tell for sure if it's a false positive. The next step is to Google CVE-xxx-xxx +site:redhat.com and see if there is a RH bugzilla entry about that CVE. Many times this will say "CVE-xxx-xxx is not applicable to the version shipped with RHEL x because..."
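The triage TrevorH describes, as an added example that is not part of the original post: the banner-only check a scanner performs is set beside the changelog check from the post, so a backported fix shows up as a likely false positive rather than a finding. The changelog text is a constructed sample in the format `rpm -q --changelog` prints, and its CVE ids are placeholders, not real advisories.

```python
"""Triage a banner-version scanner finding against `rpm -q --changelog`.

Added example, not from the forum post. SAMPLE_CHANGELOG is a constructed
sample in the format rpm prints; the CVE ids in it are placeholders, not
real advisories.
"""
import re
import subprocess

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed `rpm -q --changelog` output. The upstream version stays 5.0.0
# in every entry: the fixes were backported, only the release number moved.
SAMPLE_CHANGELOG = """\
* Mon Sep 19 2011 Example Maintainer <maint@example.invalid> - 5.0.0-12
- Resolves: CVE-0000-1111 remote denial of service in request parser
- Resolves: CVE-0000-2222 off-by-one in header handling

* Tue Mar 01 2011 Example Maintainer <maint@example.invalid> - 5.0.0-11
- fix typo in man page
"""

def banner_verdict(installed, fixed_upstream):
    """The naive check a banner-based scanner does: compare upstream version
    strings only, so anything below the upstream fix version looks vulnerable."""
    def key(v):
        return tuple(int(x) for x in v.split("."))
    return "vulnerable" if key(installed) < key(fixed_upstream) else "fixed"

def changelog_cves(changelog):
    """Every CVE id the changelog mentions, regardless of package version."""
    return set(CVE_RE.findall(changelog))

def triage(cve, installed, fixed_upstream, changelog):
    """Combine both signals, as the post describes:
    false positive : banner says vulnerable but the changelog names the CVE
    unconfirmed    : banner says vulnerable and the changelog is silent; the
                     vendor bugzilla check from the post is still needed
    fixed          : the banner alone already shows the fix version or later
    """
    if banner_verdict(installed, fixed_upstream) == "fixed":
        return "fixed"
    return "false positive" if cve in changelog_cves(changelog) else "unconfirmed"

def live_changelog(package):
    """On a real RPM system, fetch the changelog the way the post suggests."""
    return subprocess.run(["rpm", "-q", "--changelog", package],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for cve in ("CVE-0000-1111", "CVE-0000-3333"):
        print(cve, triage(cve, "5.0.0", "6.0.0", SAMPLE_CHANGELOG))
```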

r_hartman
Posts: 711
Joined: 2009/03/23 15:08:11
Location: Netherlands

Re: Workstations remotely vulnerable, servers exposed to DOS attacks

Post by r_hartman » 2011/12/16 09:07:43

Amazing how some 'security professionals' fall into this little gotcha time and time again. You'd expect a 'professional' to obtain some background knowledge on the OS he (or she) is auditing. Like the documented fact that CentOS is a clone of RHEL. Like the documented fact that RHEL backports fixes.

Imagine the embarrassment when this guy has all of his clients go RHEL on these findings, only to have to confess later on that his software comes back with the exact same findings on RHEL as on CentOS. In the process damaging RHEL's reputation (with his clients) as he now is about to do CentOS's. Just because he's clueless.

I'd advise his clients to go with a different 'security professional'. Ignorance is no excuse for incompetence. And arrogance does not compensate that.

On top of that he's hijacking another poster's thread, against forum rules, which he probably also did not read.
Right.

AlanBartlett
Forum Moderator
Posts: 9345
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: Workstations remotely vulnerable, servers exposed to DOS attacks

Post by AlanBartlett » 2011/12/16 23:48:50

This thread is now both redundant and obsolete.

To stop further hijackings, it is now locked.

Thank you, [b]René[/b], for clarifying the situation for those who fail to do their "homework".
