CentOS

[lightdot]

I don't see any special warnings on the CentOS web page or in the forum so I thought I'd post this here for the sake of the less experienced users.

I hope everybody is aware that CentOS 6.0 is not receiving any security updates. The situation is ongoing ever since RHEL 6.1 came out, May 19, 2011.

This ie. leaves all C6 workstations which use stock Firefox 3.6.x open to several remote vulnerabilities, leading to Firefox crash or arbitrary code execution. Upstream security advisory here, published 2011-06-21 and here, published 2011-08-16.

And as of yestarday, all C6 servers running Apache aren't getting a crucial security fix. Latest Apache available in C6 is vulnerable to a DOS attack, an attack tool is circulating in the wild. Upstream security advisory here, published 2011-08-31.

Just a head's up to everybody.

In my opinion, CentOS 6.0 without custom updates should not be used in any kind of live environment at the moment. Act now if you haven't already.

[AlanBartlett]

I hope everybody is aware that CentOS 6.0 is not receiving any security updates. The situation is ongoing ever since RHEL 6.1 came out, May 19, 2011.

I shall politely ask you to refrain from spreading such FUD.

There is the continuous release [cr] repository which provides all security updates, bug fixes and patches prior to the official release of CentOS 5.7.

Please now go and make a study of the CentOS mail archives.

[TrevorH]

There is the continuous release [cr] repository which provides all security updates, bug fixes and patches prior to the official release of CentOS 5.7.

Is there an equivalent for CentOS 6.0?

[toracat]

TrevorH wrote:

Is there an equivalent for CentOS 6.0?

Not yet. The last time the 6.0/cr was mentioned was in this post by Karanbir Singh on the centos-devel mailing list. Now it is not clear which comes first, the 6.0/cr or the 6.1 release.

[lightdot]

I shall politely ask you to refrain from spreading such FUD. There is the continuous release [cr] repository which provides all security updates, bug fixes and patches prior to the official release of CentOS 5.7. Please now go and make a study of the CentOS mail archives.

My best guess is that you have misread or misplaced my post, otherwise I can't imagine why would you be mentioning CentOS 5.7 when I'm clearly talking specifically about CentOS 6 and posting in the CentOS 6 section of the forum. I chuckled a bit when you sent me to make a study of CentOS mail archives (which I assure you, is equally misguided as the rest of your post), but I guess that's understandable if you thought that I'm needlessly flaming CentOS. Hell, I'd be less polite that you were, so that's ok. But I do believe that you're wrong and politely ask you to retract your statement that I'm spreading FUD. All the statements in my opening post are correct and easily verified by any interested party.

I'm not here to pick a bone or to start a mile long worthless thread about the current state of CentOS in general. I know that the developers are working hard and god knows I understand how time flies by.

But that doesn't change the reality of things. I'm concerned that not enough users will read this forum. I wish there would be a general warning in a prominent place, like on the first page of centos.org or within C6 release notes. Nothing earth breaking, just a simple note that currently no updates are issued for C6 and perhaps some of the most crucial vulnerabilities stated. That would be the responsible thing to do, wouldn't it?

[toracat]

I believe you are correct, lightdot, in what you are saying. Alan must have misread your post. Humans make mistakes (who's song was this? Billy Joel?) And yes, CentOS has problems.

Speaking of the cr repo for 6.0, Karanbir Singh posted this a short while ago[1] :

Hi Guys,

On 09/03/2011 01:15 PM, Dennis Jacobfeuerborn wrote:
> That is unfortunate because at the moment I have to use a Scientific Linux
> kernel package on my new machines because of a bug in the 6.0 kernels.

Sorry about that. I'm working with the 6.0/cr stuff this weekend ( in
short sprints, but plenty of them ). I will start uploading the rpms
into the mirror.c.o network by Sunday night.

I highly recommend signup for the centos-cr-announce list to keep track
of whats available in the cr/ repos.

- KB

We will see how that goes...

(1) http://lists.centos.org/pipermail/cento ... 17161.html

[vonskippy]

Just to clarify, that means that until further notice,

#yum update

Will always return with no packages to update?

If so, is that until v6.1 is released, or will security patches start to trickle in?

[h_fat]

In my opinion, CentOS 6.0 without custom updates should not be used in any kind of live environment at the moment.

Let's not go overboard.

There are cases where having vulnerable services or applications is not a major issue (because services such as Apache are only made available to more or less trusted parties for instance) and there are boxes which do not even have anything as easily exploited as Firefox installed.

Keep in mind the boxes which have received the upstream updates in a timely fashion were vulnerable to these issues before the updates were released and that they're vulnerable to other issues right now. You can't rely on software like Firefox to be imprevious to exploitation unless you disable lots of features.

[WhatsHisName]

vonskippy wrote:

Just to clarify, that means that until further notice, #yum update

Will always return with no packages to update?

Correct, or at least until 6.1 is released.

As per post 2 and post 4, once the Continuous Release (CR) repo is established for CentOS6 and you enable the repo (i.e., install the release package), the advance 6.1 updates will become available as they are built.

After the CR repo is enabled, you will also receive advance updates for future point updates (i.e., 6.2, 6.3, ...). So for both CentOS 5 and 6, you will need to take a one-time action to enable the CR repo.

The availability of the CentOS 6 CR repo will be announce much like the one for CentOS 5 was.

[pza81]

h_fat wrote:

In my opinion, CentOS 6.0 without custom updates should not be used in any kind of live environment at the moment.

I couldn't agree more. A number of the vulnerabilities (both server and desktop based) have easy to find exploits available on the web.

This very serious problem isn't mentioned anywhere on the web site. In fact, the front page states opposite:
"Since upstream has a 6.1 version already released, we will be using a Continous Release repository for 6.0 to bring all 6.1 and post 6.1 security updates to all 6.0 users, till such time as CentOS-6.1 is released itself."
"CentOS has numerous advantages over some of the other clone projects including: ... quickly rebuilt, tested, and QA'ed errata packages"

For a distro which prides Enterprise in it's title, this is extremely irresponsible. I still don't understand why the CentOS devs don't seriously accept offers of assistance, or behave in a more transparent manner. It seems like they are more interested in an ego trip than a reputable, secure product.