Fix for CVE-2017-6464, CVE-2017-6463, CVE-2017-6462

General support questions
nupurpriya
Posts: 86
Joined: 2016/10/14 12:07:18

Fix for CVE-2017-6464, CVE-2017-6463, CVE-2017-6462

Post by nupurpriya » 2017/04/27 07:18:31

When are we going to have the ntp-4.2.8p10 release with the fixes for the mentioned CVEs?
Is ntp-4.2.6p5-25.el7.centos.2.x86_64.rpm vulnerable to these?

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Fix for CVE-2017-6464, CVE-2017-6463, CVE-2017-6462

Post by avij » 2017/04/27 07:54:59

Looking at your posting history shows that you are concerned about various vulnerabilities. In principle, that's a good thing, but all the information that is available about the vulnerabilities and any pending fixes is already published by Red Hat. The CentOS Project guys and gals don't have any better information than that. In particular, we don't know when some version of a package might be released by Red Hat. It's entirely RH's decision and they tend to keep the information under wraps.

In general, if you are concerned about some CVE, the things to look for are:

Bugzilla
RH's CVE database

The above will show you if the version you have is vulnerable. rpm -q ntp --changelog | grep CVE will show which CVEs were fixed in the version you have.

And for completeness, the usual backporting page will describe the way fixes get included in RH/CentOS packages. Even if upstream says "fixed in version X", RH may (and usually does) decide to backport the fix to an older version.

These methods will work for all packages in RH/CentOS.
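Because fixes are backported, the package version string alone cannot tell you whether a CVE is addressed; the %changelog can. The script below is an added example (not from this thread or from CentOS) that automates the rpm -q --changelog | grep check for a list of CVEs. It assumes a package named ntp and falls back to a constructed sample changelog when rpm is unavailable.

```shell
#!/bin/sh
# Added example: report, per CVE, whether the installed package's %changelog
# mentions it. Red Hat backports fixes, so the version number is not enough.

# Constructed sample changelog standing in for `rpm -q ntp --changelog` output
# on hosts without rpm. Entries, dates and maintainer are made up.
SAMPLE_CHANGELOG='* Mon Mar 20 2017 Example Maintainer <nobody@example.invalid> - 4.2.6p5-26
- fix CVE-2017-6462 (constructed sample entry)
- fix CVE-2017-6463 (constructed sample entry)
* Wed Jan 04 2017 Example Maintainer <nobody@example.invalid> - 4.2.6p5-25
- rebase to upstream 4.2.6p5'

# Print the changelog for a package: real rpm output when rpm is present and
# the package is installed, otherwise the constructed sample (runs offline).
changelog_for() {
    pkg=$1
    if command -v rpm >/dev/null 2>&1 && rpm -q "$pkg" >/dev/null 2>&1; then
        rpm -q "$pkg" --changelog
    else
        printf '%s\n' "$SAMPLE_CHANGELOG"
    fi
}

# cve_status CHANGELOG CVE...  -> one line per CVE: "<cve> fixed|missing".
# Exit status is 1 if any CVE is not mentioned. -w prevents CVE-2017-6462
# from matching CVE-2017-64620; -F treats the id literally.
cve_status() {
    changelog=$1; shift
    rc=0
    for cve in "$@"; do
        if printf '%s\n' "$changelog" | grep -qiwF -- "$cve"; then
            echo "$cve fixed"
        else
            echo "$cve missing"; rc=1
        fi
    done
    return $rc
}

# The three CVEs from this thread, checked against the ntp changelog.
if cve_status "$(changelog_for ntp)" CVE-2017-6462 CVE-2017-6463 CVE-2017-6464; then
    echo "all listed CVEs are mentioned in the changelog"
else
    echo "at least one listed CVE is not mentioned; check RH's CVE database"
fi
```

A CVE reported as missing is not proof of vulnerability: the changelog entry may phrase it differently, or the package may not be affected at all, which is what the Bugzilla and CVE database entries settle.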

nupurpriya
Posts: 86
Joined: 2016/10/14 12:07:18

Re: Fix for CVE-2017-6464, CVE-2017-6463, CVE-2017-6462

Post by nupurpriya » 2017/04/27 12:34:32

Yes, I have a customized automated tool which checks for new CVEs logged in the CVE database on a daily basis, and checks if the fix for that CVE is installed on the system or not. It creates a list of CVEs and asks for their fixes as security updates. As I use CentOS and don't have a RHEL subscription, I do not find a way of contacting them if something is pending for a long time, as in the case of ntp.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Fix for CVE-2017-6464, CVE-2017-6463, CVE-2017-6462

Post by TrevorH » 2017/04/27 12:48:43

CentOS has exactly the same level of access into RH as you do. You need to read the links that avij posted to the Red Hat CVE database so you can query that.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

SMEN
Posts: 1
Joined: 2017/05/10 14:52:47

Re: Fix for CVE-2017-6464, CVE-2017-6463, CVE-2017-6462

Post by SMEN » 2017/05/10 14:55:46

Hello,
Does it mean that the RHEL kernel security xxx.rpm can be used/applied on CentOS?
BR
