Link for CentOS/RHEL security modifications of packages?

Support for security such as Firewalls and securing linux
jvroig
Posts: 18
Joined: 2012/08/31 16:58:17

Post by jvroig » 2017/07/16 10:58:05

Hey all,

I know RHEL (and therefore CentOS, which is what I actually use) does not update the major versions of packages as part of its "enterprise stability and reliability" mantra. But it does make exceptions for security issues by backporting things that normally would only be found in a different (higher) version of that specific package. [Say, there might be a critical bugfix in OpenSSL 1.0.2, but since RHEL/CentOS won't jump from 0.98 to 1.x.x, it just backports that into a newer, but still 0.98-labelled, package upgrade.]

So, that's how I understand the case to be (please correct me if I'm wrong), and why Red Hat's official stance (AFAIK) when checking/scanning for possible vulnerabilities is: "Do an explicit feature test; don't just check package versions". Otherwise, because of the way they backport stuff, there will be lots of false positives if scanning software merely looks at version labels.

Sometimes, though, I'm not the one controlling the security audit, and these other people may sometimes just blindly rely on software vulnerability scanners that naively check version numbers (understandably so, in some cases; there just isn't enough manpower, and oftentimes expertise, to actually keep writing functional tests for all sorts of vulnerabilities and security checks, hence buying those scanners and their licenses in the first place).

So my request here (from the forum) is: To clear out all these false positives, with documentary evidence, where can I find a list of all these backports being done by/applicable to RHEL/CentOS?

So basically, with such a list/site/resource, when confronted, our conversation can be resolved like this:
[IT guy relying on naive vuln scanners]: Hey, JV, your CentOS 7 server, even when fully updated, has this nasty Apache vulnerability "mega-vuln" because it's only Version X.Y. It should be version Z.1
[Me]: Oh, let me check [goes to resource site of all backports] Oh yeah, don't worry, that's been backported by Red Hat, that's why our Apache version is X.Y.e.2, which is the upgraded package containing that backport that fixes that vuln.
[IT guy relying on naive vuln scanners]: Oh, well, that's not in the scanner suite, but I guess that's ok... let's just print that page you have for the final report to mark this as false positive.

That's about it. Thanks!

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Link for CentOS/RHEL security modifications of packages?

Post by TrevorH » 2017/07/16 11:13:42

rpm -q --changelog $package | grep CVE-2017-nnnnn is your first step. Next is the Red Hat CVE database like https://access.redhat.com/security/cve/CVE-2017-7308 (amend for the CVE in question).
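The changelog check above, written out as a small script that produces one evidence line per CVE for the kind of audit report the original poster describes. This is an added example, not code from either forum post. It assumes a package name and CVE id passed on the command line; the embedded changelog text is a constructed sample in the format `rpm -q --changelog` prints, not a real package's history. The CVE id is matched as a whole token so that CVE-2017-7308 is not satisfied by, say, CVE-2017-73080, and case-insensitively, because changelog entries do not spell "CVE" consistently.

```shell
#!/bin/sh
# Added example: confirm a backported CVE fix via the RPM changelog.
# Not from the forum thread; package/CVE arguments and sample text are assumptions.

# cve_in_changelog CHANGELOG_TEXT CVE_ID
# Returns 0 when the changelog text mentions the CVE as a whole token.
cve_in_changelog() {
    printf '%s\n' "$1" | grep -E -i -q "(^|[^0-9A-Za-z])$2([^0-9]|$)"
}

# cve_evidence CHANGELOG_TEXT CVE_ID
# Prints the "* date author - version" header of the entry that mentions the
# CVE, i.e. the exact package build that carries the backport. Empty if none.
cve_evidence() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        /^\* / { hdr = $0 }
        tolower($0) ~ ("(^|[^0-9a-z])" tolower(cve) "([^0-9]|$)") { print hdr; exit }'
}

# check_package_cve PACKAGE CVE_ID
# Queries the installed package on this host. Exit 0: fix present in changelog,
# 1: not mentioned (check the Red Hat CVE page), 2: package or rpm unavailable.
# Note: rpm -q prints several lines for multi-installed packages such as kernel.
check_package_cve() {
    pkg="$1"; cve="$2"
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available on this host" >&2; return 2; }
    nvr=$(rpm -q "$pkg" 2>/dev/null) || { echo "$pkg: not installed"; return 2; }
    changelog=$(rpm -q --changelog "$pkg")
    if cve_in_changelog "$changelog" "$cve"; then
        echo "$nvr: $cve fixed, backport entry: $(cve_evidence "$changelog" "$cve")"
        return 0
    fi
    echo "$nvr: $cve not in changelog; verify at https://access.redhat.com/security/cve/$cve"
    return 1
}

# Constructed sample changelog (assumed content, mimics rpm -q --changelog output).
SAMPLE_CHANGELOG='* Thu Apr 20 2017 Example Maintainer <maint@example.com> - 1.2.3-4.el7_3.2
- Resolves: CVE-2017-7308 (constructed sample entry, not a real changelog)
* Mon Mar 06 2017 Example Maintainer <maint@example.com> - 1.2.3-4.el7_3.1
- Rebuild, no security content (constructed sample entry)'

if [ $# -ge 2 ]; then
    # Real use: ./check.sh httpd CVE-2017-nnnn
    check_package_cve "$1" "$2"
else
    # Offline demonstration on the constructed sample.
    for cve in CVE-2017-7308 CVE-2017-9999; do
        if cve_in_changelog "$SAMPLE_CHANGELOG" "$cve"; then
            echo "$cve: present in $(cve_evidence "$SAMPLE_CHANGELOG" "$cve")"
        else
            echo "$cve: not mentioned in sample changelog"
        fi
    done
fi
```

Run it as `sh check.sh httpd CVE-2017-nnnn` on the CentOS box; the printed line, together with the matching Red Hat CVE page, is the evidence to attach when marking the scanner finding as a false positive. A miss in the changelog is not proof the system is vulnerable, since the CVE page may state the package was never affected, so the script points there rather than declaring a result.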

jvroig
Posts: 18
Joined: 2012/08/31 16:58:17

Re: Link for CentOS/RHEL security modifications of packages?

Post by jvroig » 2017/07/19 04:36:43

Aha, thanks Trevor!
