SCIENTIFIC-LINUX-USERS Archives

January 2015

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Pat Riehecky <[log in to unmask]>
Reply To:
Pat Riehecky <[log in to unmask]>
Date:
Tue, 27 Jan 2015 09:11:10 -0600
Hello,

I appreciate your interest in the yum-security plugin!

For SL 5, we do not currently build the relevant yum metadata for the 
yum-security plugin.

Pat

On 01/27/2015 09:03 AM, D Laff wrote:
> I am working my way around a number of 5.x and 6.x systems to address CVE-2014-9322:
>
> https://www.scientificlinux.org/sl-errata/slsa-20142008-1/
>
> https://www.scientificlinux.org/sl-errata/slsa-20141997-1/
>
> In doing this, I have become a little more familiar with the security plugin for yum.
>
> On my systems, following a typical requirement for the installation of this plugin, I query the requirement for patches for the given CVE:
>
> ---
> (eg)
>
>> yum list updates --cve=CVE-2014-9322
> Loaded plugins: refresh-packagekit, security
> Limiting package lists to security relevant ones
> 5 package(s) needed for security, out of 164 available
> Updated Packages
> kernel.x86_64                                                  2.6.32-504.3.3.el6                                             sl-security
> ....
> ....
> ---
>
> This is what I expect as my kernel is below the "fixed by" release listed against the given CVE for SL 6.x (-504).
>
> However, when undertaking similar diagnostics on my 5.x systems I am being informed that there are no patches applicable for the given CVE.
>
> ---
> (eg)
>
>> yum --cve CVE-2014-9322 info updates
> Loaded plugins: kernel-module, security
> Limiting package lists to security relevant ones
> CVE "CVE-2014-9322" not found applicable for this system
> No packages needed, for security, 323 available
> ---
>
> (eg)
>
>> yum info-security SLSA-2014:2008-1
> Argument "SLSA-2014:2008-1" not found applicable for this system
>
> ---
>
> This isn't what I expect as my kernel version is below the "fixed by" release listed against the given CVE for SL 5.x (-400).
>
> I'm concerned that I'm using yum incorrectly, and missing out on important security patches (in this instance for the given CVE).
>
> However, it might be that the systems in question are actually patched / not vulnerable, but in a way which I don't understand (and, if possible, I'd like to!).
>
> Any guidance or insight would be much appreciated.
>
> Thanks in advance . . .

-- 
Pat Riehecky
Scientific Linux developer

Fermi National Accelerator Laboratory
www.fnal.gov
www.scientificlinux.org
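
Added example, not part of the original messages and not Scientific Linux tooling: yum-security can only match a CVE when the repository's repomd.xml advertises `updateinfo` metadata, so this sketch first checks for that entry and otherwise falls back to comparing the installed kernel version-release against the "fixed by" release from the errata page. The repomd.xml samples and installed versions are constructed; the fixed release shown is the SL 6 one from the quoted yum output, and the SL 5 value has to be taken from its own errata page.

```python
import re
import xml.etree.ElementTree as ET

REPO_NS = "{http://linux.duke.edu/metadata/repo}"  # namespace used by repomd.xml

# Constructed sample repomd.xml documents (real ones carry more fields).
REPOMD_WITH = ('<repomd xmlns="http://linux.duke.edu/metadata/repo">'
               '<data type="primary"/><data type="updateinfo"/></repomd>')
REPOMD_WITHOUT = ('<repomd xmlns="http://linux.duke.edu/metadata/repo">'
                  '<data type="primary"/></repomd>')

def has_updateinfo(repomd_xml):
    """True if the repo advertises updateinfo, the metadata yum-security reads."""
    root = ET.fromstring(repomd_xml)
    return any(d.get("type") == "updateinfo" for d in root.iter(REPO_NS + "data"))

def rpm_vercmp(a, b):
    """Simplified rpm-style compare returning -1, 0 or 1 (no tilde/caret rules)."""
    sa = re.findall(r"\d+|[a-zA-Z]+", a)
    sb = re.findall(r"\d+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment beats an alpha one
        elif x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def needs_update(installed_vr, fixed_vr):
    """Compare 'version-release' strings; epoch is ignored (kernel has none)."""
    iv, ir = installed_vr.rsplit("-", 1)
    fv, fr = fixed_vr.rsplit("-", 1)
    return (rpm_vercmp(iv, fv) or rpm_vercmp(ir, fr)) < 0

def check(repomd_xml, installed_vr, fixed_vr):
    """Decide whether yum --cve can be trusted or a manual compare is needed."""
    if has_updateinfo(repomd_xml):
        return "updateinfo present: yum --cve results are meaningful"
    if needs_update(installed_vr, fixed_vr):
        return "no updateinfo: installed kernel is older than the fixed release"
    return "no updateinfo: installed kernel is at or above the fixed release"

if __name__ == "__main__":
    fixed = "2.6.32-504.3.3.el6"   # from the quoted SL 6 yum output
    print(check(REPOMD_WITHOUT, "2.6.32-431.el6", fixed))  # constructed installed value
```

On a real host the installed value would come from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel`, and the repomd.xml from the repository's `repodata/` directory.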
