RHSA applicability to CentOS

mydimension
Posts: 1
Joined: 2017/04/05 18:27:44

RHSA applicability to CentOS

Post by mydimension » 2017/04/06 15:07:52

Can RHSA package/version information be applied to CentOS?

For example: if an RHSA says it fixes CVE-2016-4998 with the package kernel-2.6.32-642.13.1.el6.i686.rpm, would a CentOS package of the same name also carry the fix for the same CVE within CentOS?

I think I’ve proven to myself that in this specific example it does. However, I’m not confident that this is true across all CentOS packages that are also seen in RHEL.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: RHSA applicability to CentOS

Post by TrevorH » 2017/04/06 15:11:26

Yes. The fixes that come out from RH are all rebuilt as-is by CentOS so any fix included in the RH package is then in the CentOS one. However... the CentOS project does not explicitly test if what RH says is fixed really is fixed.

You can read the rpm changelog to check. CVE numbers should always be in there - e.g. rpm -q --changelog kernel-2.6.32-642.13.1.el6 | grep CVE-2016-4998

Even the CESA errata numbers are the same - s/RHSA-yyyy-nnnn/CESA-yyyy-nnnn/
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
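
Added example, not part of the thread or of any CentOS tooling: a shell sketch of the changelog check described in the reply above, extended to several CVEs at once and to whole-token matching, so that a longer id such as CVE-2016-49981 does not count as a hit for CVE-2016-4998. The function names, the sample changelog and the advisory id in the demo are constructed for illustration; the script accepts both the `:` and `-` separators in advisory ids.

```shell
#!/usr/bin/env bash
# Added illustration; helper names are hypothetical.

# Map an RHSA id to its CESA counterpart (the s/RHSA-.../CESA-.../ rule).
rhsa_to_cesa() {
    printf '%s\n' "$1" | sed -E 's/^RHSA-([0-9]{4}[:-][0-9]+)$/CESA-\1/'
}

# Read changelog text on stdin; succeed only if the CVE id appears as a
# whole token (-w), matched literally (-F).
changelog_has_cve() {
    grep -qwF -- "$1"
}

# missing_cves CHANGELOG_TEXT CVE...
# Print every requested CVE id that the changelog text does not mention.
missing_cves() {
    local log="$1" cve
    shift
    for cve in "$@"; do
        printf '%s\n' "$log" | changelog_has_cve "$cve" || printf '%s\n' "$cve"
    done
}

# audit_package NAME-VERSION-RELEASE CVE...
# Same check against the local rpm database; returns 2 if the package
# is not installed.
audit_package() {
    local pkg="$1" log
    shift
    log=$(rpm -q --changelog "$pkg") || return 2
    missing_cves "$log" "$@"
}

# Constructed sample changelog (not real rpm output).
SAMPLE_CHANGELOG='* Sun Jan 01 2017 Example Packager <pkg@example.invalid> [2.6.32-642.13.1.el6]
- [netfilter] example fix entry {CVE-2016-4998}
- [net] example entry for a different, longer id {CVE-2016-49981}'

# Demo on the constructed data: prints the CESA id, then any CVE not found.
rhsa_to_cesa 'RHSA-2017:0001'    # constructed advisory id
missing_cves "$SAMPLE_CHANGELOG" CVE-2016-4998 CVE-2016-4999
```

On a CentOS host, `audit_package kernel-2.6.32-642.13.1.el6 CVE-2016-4998` prints nothing when the changelog names the CVE. A changelog mention shows the fix was listed by the packager, not that it was tested.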
