SCIENTIFIC-LINUX-USERS Archives

January 2015

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Tue, 27 Jan 2015 15:03:53 +0000
I am working my way around a number of 5.x and 6.x systems to address CVE-2014-9322:

https://www.scientificlinux.org/sl-errata/slsa-20142008-1/

https://www.scientificlinux.org/sl-errata/slsa-20141997-1/

In doing this, I have become a little more familiar with the security plugin for yum.

On my systems, following a typical requirement for the installation of this plugin, I query the requirement for patches for the given CVE:

---
(eg)

> yum list updates --cve=CVE-2014-9322

Loaded plugins: refresh-packagekit, security
Limiting package lists to security relevant ones
5 package(s) needed for security, out of 164 available
Updated Packages
kernel.x86_64                                                  2.6.32-504.3.3.el6                                             sl-security
....
....
---

This is what I expect as my kernel is below the "fixed by" release listed against the given CVE for SL 6.x (-504).

However, when undertaking similar diagnostics on my 5.x systems I am being informed that there are no patches applicable for the given CVE.

---
(eg)

> yum --cve CVE-2014-9322 info updates
Loaded plugins: kernel-module, security
Limiting package lists to security relevant ones
CVE "CVE-2014-9322" not found applicable for this system
No packages needed, for security, 323 available 
---

(eg)

> yum info-security SLSA-2014:2008-1

Argument "SLSA-2014:2008-1" not found applicable for this system

---

This isn't what I expect as my kernel version is below the "fixed by" release listed against the given CVE for SL 5.x (-400).

I'm concerned that I'm using yum incorrectly, and missing out on important security patches (in this instance for the given CVE).

However, it might be that the systems in question are actually patched / not vulnerable, but in a way which I don't understand (and, if possible, I'd like to!).

Any guidance or insight would be much appreciated.

Thanks in advance . . .
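The comparison the post performs by hand (installed kernel version-release against the errata's "fixed by" build) can be scripted so that it does not depend on the repository's updateinfo metadata, which is what `yum --cve` and `yum info-security` consult. The following is an added example and is not part of the original post, of yum, or of the Scientific Linux errata tooling. It implements rpm-style version ordering (digit runs compare numerically and outrank letter runs; a longer string wins when all shared runs match), splits a kernel release string into version and release, and reports which installed kernels are below a given fixed-by build. The SL 6 fixed-by string is the one shown in the post's yum output; the SL 5 value is not on the page and is deliberately not hard-coded. The architecture suffix list and the sample `rpm -q kernel` output are constructed assumptions.

```python
import platform
import re

# Fixed-by version-release for the SL 6 kernel, as shown in the post's
# yum output. The SL 5 value is not given on the page and is left to the caller.
SL6_FIXED_VR = "2.6.32-504.3.3.el6"

# Assumption: architecture suffixes that appear in `uname -r` / `rpm -q kernel`
# output on SL 5/6 hosts and must be stripped before comparing.
ARCH_SUFFIXES = (".x86_64", ".i686", ".i386", ".noarch")

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Order two version or release strings the way rpm's rpmvercmp() does
    (simplified: the '~' and '^' forms are not handled). Returns -1, 0 or 1.

    Strings are cut into runs of digits or letters; separators such as '.'
    are ignored. Digit runs compare as integers and rank above letter runs;
    when every shared run matches, the string with more runs is newer.
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x_num != y_num:
            return 1 if x_num else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def split_vr(kernel_release):
    """Turn 'kernel-2.6.32-504.3.3.el6.x86_64' (or the bare `uname -r` form)
    into ('2.6.32', '504.3.3.el6'), dropping the package name and arch."""
    if kernel_release.startswith("kernel-"):
        kernel_release = kernel_release[len("kernel-"):]
    for suffix in ARCH_SUFFIXES:
        if kernel_release.endswith(suffix):
            kernel_release = kernel_release[: -len(suffix)]
            break
    version, _, release = kernel_release.partition("-")
    return version, release


def evr_cmp(installed, fixed):
    """Compare two version-release strings: version first, then release."""
    iv, ir = split_vr(installed)
    fv, fr = split_vr(fixed)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def needs_update(installed, fixed):
    """True when the installed kernel is older than the errata's fixed-by build."""
    return evr_cmp(installed, fixed) < 0


def triage(installed_kernels, fixed):
    """Map each installed kernel package to whether it is below the fixed-by build.
    kernel is an install-only package, so several versions are normally present."""
    return {k: needs_update(k, fixed) for k in installed_kernels}


if __name__ == "__main__":
    # Constructed sample of what `rpm -q kernel` might list on an SL 6 host.
    sample = [
        "kernel-2.6.32-431.29.2.el6.x86_64",
        "kernel-2.6.32-504.3.3.el6.x86_64",
    ]
    for pkg, below in triage(sample, SL6_FIXED_VR).items():
        print("%-40s %s" % (pkg, "BELOW fixed-by build" if below else "ok"))
    # The running kernel matters most; only meaningful when run on an SL 6 host.
    running = platform.release()
    print("running kernel %s below fixed-by: %s" % (running, needs_update(running, SL6_FIXED_VR)))
```

Run it with the output of `rpm -q kernel` on each host and the fixed-by string from the relevant SLSA page; for SL 5 pass the 2.6.18-400.x build from the errata instead of `SL6_FIXED_VR`. Because the comparison is done locally against the errata text, it gives an answer even when the plugin reports that a CVE or advisory is "not found applicable for this system".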
