Security team telling me patched/updated 6.9 has severe and critical issues?
13 Critical and over 75 Severe. When I run yum update or yum -y update kernel, I get no Packages marked for Update.
What am I missing? I'm at 6.9
# cat /etc/centos-release
CentOS release 6.9 (Final)
Here are the criticals:
Cent OS: CVE-2017-7895: CESA-2017:1723 (kernel)
Cent OS: CVE-2016-9555: CESA-2017:0307 (kernel)
Cent OS: CVE-2016-7117: CESA-2017:0036 (kernel)
Cent OS: CVE-2014-8171: CESA-2015:0864 (kernel)
Cent OS: CVE-2015-1421: CESA-2015:0864 (kernel)
Cent OS: CVE-2014-2523: CESA-2014:0475 (kernel)
Cent OS: CVE-2016-7910: CESA-2017:1308 (kernel)
Cent OS: CVE-2015-3331: CESA-2015:1081 (kernel)
Cent OS: CVE-2015-5364: CESA-2016:0045 (kernel)
Cent OS: CVE-2014-3673: CESA-2014:1997 (kernel)
Cent OS: CVE-2014-3687: CESA-2014:1997 (kernel)
Cent OS: CVE-2014-3535: CESA-2014:1167 (kernel)
Cent OS: CVE-2013-2017: CESA-2013:0911 (kernel)
Re: Security team telling me patched/updated 6.9 has severe and critical issues?
Latest CentOS 6 kernel is kernel-2.6.32-696.10.1.el6.x86_64 and rpm -q --changelog kernel-2.6.32-696.10.1.el6.x86_64 shows the following:
Cent OS: CVE-2017-7895: CESA-2017:1723 (kernel) - fixed in 2.6.32-696.6.1.el6
Cent OS: CVE-2016-9555: CESA-2017:0307 (kernel) - 2.6.32-678.el6
Cent OS: CVE-2016-7117: CESA-2017:0036 (kernel) - 2.6.32-672.el6
Cent OS: CVE-2014-8171: CESA-2015:0864 (kernel) - not in kernel rpm changelog
Cent OS: CVE-2015-1421: CESA-2015:0864 (kernel) - ditto
Cent OS: CVE-2014-2523: CESA-2014:0475 (kernel) - 2.6.32-452.el6
Cent OS: CVE-2016-7910: CESA-2017:1308 (kernel) - 2.6.32-696.1.1.el6
Cent OS: CVE-2015-3331: CESA-2015:1081 (kernel) - 2.6.32-556.el6
Cent OS: CVE-2015-5364: CESA-2016:0045 (kernel) - 2.6.32-575.el6
Cent OS: CVE-2014-3673: CESA-2014:1997 (kernel) - 2.6.32-509.el6
Cent OS: CVE-2014-3687: CESA-2014:1997 (kernel) - 2.6.32-509.el6
Cent OS: CVE-2014-3535: CESA-2014:1167 (kernel) - not listed
Cent OS: CVE-2013-2017: CESA-2013:0911 (kernel) - 2.6.32-376.el6
Of the ones not listed in the changelog, kernel-2.6.32-504.16.2.el6 has the fix for CVE-2014-8171 and CVE-2015-1421. kernel-2.6.32-431.29.2.el6 fixes CVE-2014-3535.
What is the output of uname -r ? If you are running 2.6.32-696.10.1.el6 (or higher for those reading in the future!) then all those are fixed.
Please note that yum-plugin-security does not function on CentOS as the yum repos do not contain the necessary metadata to allow it to know what CVEs are fixed when.
Check https://access.redhat.com/security/cve/CVE-yyyy-nnnn for the official status on any CVE not listed in the rpm -q --changelog output. Sometimes things are not listed as fixed as the relevant option is not turned on in the RH kernel (or it's otherwise not vulnerable).
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
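The check the reply above describes (map each CVE to the kernel build named in rpm -q --changelog kernel, then compare that build with uname -r), written out as an added example in Python. This is not code from the thread or from the CentOS project: the changelog excerpt is constructed in the el6 kernel changelog format, the version comparison is a simplified rpmvercmp, and the function names (cve_fix_versions, rpmvercmp, audit, live_inputs) are my own.

```python
"""Check whether the running kernel already contains the build that fixed a given CVE,
using the version-release tags in `rpm -q --changelog kernel` output.
Added example (not from the thread or the CentOS project); the changelog excerpt below
is constructed in the el6 kernel changelog format, not real rpm output."""
import re
import subprocess
import sys

# Constructed changelog excerpt, newest build first, as rpm prints it: one header line per
# build ending in "[<version-release>]", then "- ..." entries, some naming a CVE.
SAMPLE_CHANGELOG = """\
* Tue Jun 13 2017 Example Packager <packager@example.invalid> [2.6.32-696.6.1.el6]
- [fs] example entry referencing (CVE-2017-7895)
- [mm] unrelated entry without a CVE

* Wed Mar 08 2017 Example Packager <packager@example.invalid> [2.6.32-696.1.1.el6]
- [kernel] example entry (CVE-2016-7910)

* Mon Nov 07 2016 Example Packager <packager@example.invalid> [2.6.32-678.el6]
- [net] example entry (CVE-2016-9555)
"""

HEADER_RE = re.compile(r"^\* .*\[([^\]]+)\]\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)
SEGMENT_RE = re.compile(r"\d+|[A-Za-z]+")


def cve_fix_versions(changelog: str) -> dict:
    """Map each CVE named in the changelog to the version-release of the build whose entry
    names it. The changelog is newest-first, so a later match is an older build; letting it
    overwrite keeps the oldest build that mentions the CVE, i.e. the one that fixed it."""
    fixes = {}
    current = None
    for line in changelog.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        for cve in CVE_RE.findall(line):
            fixes[cve.upper()] = current
    return fixes


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: split both strings into digit runs and letter runs, compare
    digit runs numerically and letter runs lexically, with a digit run sorting after a
    letter run; if one string is a prefix of the other, the longer one is newer.
    (The ~ and ^ rules are omitted; el6 kernel versions do not use them.)"""
    sa, sb = SEGMENT_RE.findall(a), SEGMENT_RE.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def strip_arch(kernel_release: str) -> str:
    """uname -r prints 'version-release.arch'; the changelog tags carry no arch."""
    return re.sub(r"\.(x86_64|i686|i386|noarch)$", "", kernel_release)


def audit(running: str, cves, changelog: str) -> dict:
    """Classify each CVE against the running kernel: 'fixed' (running >= fixing build),
    'vulnerable' (running is older), or 'unknown' (never named in the changelog; check the
    vendor CVE page, as the thread advises, since it may be not-applicable rather than unfixed)."""
    fixes = cve_fix_versions(changelog)
    current = strip_arch(running)
    result = {}
    for cve in cves:
        fix = fixes.get(cve.upper())
        if fix is None:
            result[cve] = "unknown"
        elif rpmvercmp(current, fix) >= 0:
            result[cve] = "fixed"
        else:
            result[cve] = "vulnerable"
    return result


def live_inputs():
    """Fetch the real changelog and running kernel on a CentOS 6 host (needs rpm and uname)."""
    changelog = subprocess.check_output(["rpm", "-q", "--changelog", "kernel"], text=True)
    running = subprocess.check_output(["uname", "-r"], text=True).strip()
    return running, changelog


if __name__ == "__main__":
    wanted = ["CVE-2017-7895", "CVE-2016-9555", "CVE-2016-7910", "CVE-2014-3535"]
    if "--live" in sys.argv:
        running, changelog = live_inputs()
        print(running, audit(running, wanted, changelog))
    else:
        # The two kernels from the thread, against the constructed excerpt.
        for kernel in ("2.6.32-358.el6.x86_64", "2.6.32-696.10.1.el6.x86_64"):
            print(kernel, audit(kernel, wanted, SAMPLE_CHANGELOG))
```

Run it with --live on the host to use the real rpm changelog and uname -r; note that an "unknown" result means the CVE is simply not named in the changelog, which is exactly the case the reply says needs the vendor's CVE page rather than a guess.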
Re: Security team telling me patched/updated 6.9 has severe and critical issues?
uname -r
2.6.32-358.el6.x86_64, so there's my problem - I'm not at the latest despite running yum update and yum -y update kernel.
I guess I need to manually install kernel-2.6.32-696.10.1.el6.x86_64 since yum repositories aren't doing it.
I read your other posts that said it's yum update or nothing (no cherry picking security updates), but thought they'd get me the latest kernel.
Thanks for your time and insight!
Re: Security team telling me patched/updated 6.9 has severe and critical issues?
Digging a bit, I found an easy solution:
vi /etc/yum.repos.d/CentOS-Base.repo and changed the "enabled=" lines from 0 to 1 and reran yum update.
Doing that I got these available updates and applied them:
kernel-firmware.noarch 0:2.6.32-696.10.2.el6.centos.plus
kernel-headers.x86_64 0:2.6.32-696.10.2.el6.centos.plus
perf.x86_64 0:2.6.32-696.10.2.el6.centos.plus
postfix.x86_64 2:2.6.6-8.el6.centos.plus
Probably a no duh for most, but thought I'd share my fix in case others run into the same.
Re: Security team telling me patched/updated 6.9 has severe and critical issues?
You enabled the centosplus repo by accident and now you have the CentOS Plus kernel.
Go back a step. Post the output of rpm -q kernel and ls -la /etc/grub.conf and the contents of /boot/grub/grub.conf
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Security team telling me patched/updated 6.9 has severe and critical issues?
Yep, that's what it says.... stopped reading what the update was when I ran yum update when I saw the numbers were right and missed the plus.
rpm -q kernel
kernel-2.6.32-358.el6.x86_64
kernel-2.6.32-696.10.1.el6.x86_64
kernel-2.6.32-696.10.2.el6.x86_64
kernel-2.6.32-696.10.2.el6.centos.plus.x86_64
lrwxrwxrwx. 1 root root 22 Aug 24 14:45 /etc/grub.conf -> ../boot/grub/grub.conf
cat /boot/grub/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/mapper/vg_iwperf1-lv_root
# initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.32-696.10.2.el6.centos.plus.x86_64)
root (hd0,0)
kernel /vmlinuz-2.6.32-696.10.2.el6.centos.plus.x86_64 ro root=/dev/mapper/vg_iwperf1-lv_root rd_LVM_LV=vg_iwperf1/lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=vg_iwperf1/lv_swap KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
initrd /initramfs-2.6.32-696.10.2.el6.centos.plus.x86_64.img
title CentOS (2.6.32-696.10.2.el6.x86_64)
root (hd0,0)
kernel /vmlinuz-2.6.32-696.10.2.el6.x86_64 ro root=/dev/mapper/vg_iwperf1-lv_root rd_LVM_LV=vg_iwperf1/lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=vg_iwperf1/lv_swap KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
initrd /initramfs-2.6.32-696.10.2.el6.x86_64.img
title CentOS (2.6.32-696.10.1.el6.x86_64)
root (hd0,0)
kernel /vmlinuz-2.6.32-696.10.1.el6.x86_64 ro root=/dev/mapper/vg_iwperf1-lv_root rd_LVM_LV=vg_iwperf1/lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=vg_iwperf1/lv_swap KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
initrd /initramfs-2.6.32-696.10.1.el6.x86_64.img
title CentOS (2.6.32-358.el6.x86_64)
root (hd0,0)
kernel /vmlinuz-2.6.32-358.el6.x86_64 ro root=/dev/mapper/vg_iwperf1-lv_root rd_LVM_LV=vg_iwperf1/lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=vg_iwperf1/lv_swap KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
initrd /initramfs-2.6.32-358.el6.x86_64.img
Re: Security team telling me patched/updated 6.9 has severe and critical issues?
Unless you need to run the centosplus kernel then I would either yum remove that or use yum history undo to remove it.
Edit /boot/grub/grub.conf and make sure that default= still points to the first kernel listed then reboot. If it still comes up on the old kernel then - are you running software RAID at all?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Security team telling me patched/updated 6.9 has severe and critical issues?
I did yum history undo x on the first server and yum remove kernel-2.6.32-696.10.2.el6.centos.plus.x86_64 on the 2nd and both are now showing
uname -r
2.6.32-696.10.2.el6.x86_64
and I fixed it in the repo file so it doesn't happen again. Learned something new, so was worthwhile.
But I still don't understand this..... I was at kernel-2.6.32-358.el6.x86_64 that appears to have lots of vulnerabilities AND there appears to have been MULTIPLE newer kernels that have fixed said vulnerabilities, but yum update wasn't presenting them? Are those other kernels not considered ready for prime time yet?
Re: Security team telling me patched/updated 6.9 has severe and critical issues?
If you don't have base AND updates enabled then you don't get any updates. If you only have base enabled then you'll only get updates when a new point release comes out (the only time that the contents of base change).
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
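The repo-file point made in the reply above (base and updates both enabled, centosplus left off so a stock kernel is not swapped for the Plus one), turned into a small audit as an added example in Python. This is not code from the thread or from the CentOS project: the two repo files are constructed and omit the mirrorlist/baseurl lines of the real CentOS-Base.repo, the function names and finding codes are my own, and the gpgcheck check goes one step beyond what the thread discusses.

```python
"""Audit the enabled= (and gpgcheck=) flags in a CentOS 6 yum repo file.
Added example, not from the thread or the CentOS project; both repo files below are
constructed and leave out the mirrorlist/baseurl lines of the real CentOS-Base.repo."""
import configparser
import sys

# Constructed: the accidental state the thread describes. 'updates' is off, so yum update
# only sees base (which changes only at point releases), and 'centosplus' is on, so the
# next yum update pulls the CentOS Plus kernel instead of the stock one.
WEAK_REPO = """\
[base]
name=CentOS-$releasever - Base
gpgcheck=1
enabled=1

[updates]
name=CentOS-$releasever - Updates
gpgcheck=1
enabled=0

[centosplus]
name=CentOS-$releasever - Plus
gpgcheck=1
enabled=1
"""

# Constructed: the corrected state. base and updates on, centosplus off.
FIXED_REPO = """\
[base]
name=CentOS-$releasever - Base
gpgcheck=1
enabled=1

[updates]
name=CentOS-$releasever - Updates
gpgcheck=1
enabled=1

[centosplus]
name=CentOS-$releasever - Plus
gpgcheck=1
enabled=0
"""

# Repos that must be on for yum update to deliver errata, and the one that swaps in
# the CentOS Plus kernel when it is on.
MUST_BE_ENABLED = ("base", "updates")
SHOULD_BE_DISABLED = ("centosplus",)


def parse_repo(text: str) -> dict:
    """Return {repo_id: {'enabled': bool, 'gpgcheck': bool}} for every section.
    The fallback values used when a key is missing are assumptions of this example."""
    cp = configparser.ConfigParser(interpolation=None)  # names contain '$releasever'
    cp.read_string(text)
    return {
        section: {
            "enabled": cp.get(section, "enabled", fallback="1").strip() == "1",
            "gpgcheck": cp.get(section, "gpgcheck", fallback="0").strip() == "1",
        }
        for section in cp.sections()
    }


def audit_repos(text: str) -> list:
    """Return (repo, finding) pairs; an empty list means the file matches the advice in
    the thread. Finding codes: 'disabled' (a required repo is off or missing),
    'enabled' (centosplus is on), 'gpgcheck-off' (an enabled repo skips signature checks)."""
    repos = parse_repo(text)
    findings = []
    for repo in MUST_BE_ENABLED:
        if not repos.get(repo, {}).get("enabled", False):
            findings.append((repo, "disabled"))
    for repo in SHOULD_BE_DISABLED:
        if repos.get(repo, {}).get("enabled", False):
            findings.append((repo, "enabled"))
    for repo, flags in repos.items():
        if flags["enabled"] and not flags["gpgcheck"]:
            findings.append((repo, "gpgcheck-off"))
    return findings


if __name__ == "__main__":
    # Pass /etc/yum.repos.d/CentOS-Base.repo as the first argument to audit a real host;
    # with no argument the constructed weak file is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = WEAK_REPO
    for repo, finding in audit_repos(text) or [("-", "no findings")]:
        print(f"{repo}: {finding}")
```

The 'disabled' finding for updates is the condition behind the original question: base alone only moves at a point release, so a box can report 6.9 and still run a kernel many errata behind. yum repolist all shows the same enabled state from yum's own view, which is a quick cross-check if the file has been edited by hand.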
Re: Security team telling me patched/updated 6.9 has severe and critical issues?
Thanks again for your insight.
I didn't realize that the default was just base updates. Very good to know.