Date: Sat, 26 Apr 2014 00:32:25 +0200
On 2014-04-25 23:27, Pat Riehecky wrote:
> On 04/25/2014 10:27 AM, olli hauer wrote:
>> On 2014-04-25 15:25, Pat Riehecky wrote:
>>> On 04/24/2014 04:21 PM, Orion Poplawski wrote:
>>>> On 10/17/2013 02:27 PM, Connie Sieh wrote:
>>>>> ---------- Forwarded message ----------
>>>>> Date: Thu, 17 Oct 2013 15:25:39 -0500
>>>>> From: Connie Sieh <[log in to unmask]>
>>>>> To: [log in to unmask]
>>>>> Subject: Software Collections 1.0 is available for SL 6
>>>>>
>>>>> The following TUV "software collection" products are now available for SL 6.
>>>>>
>>>>> A README with info about yum repos for these packages is available from
>>>>> ftp://sldist.fnal.gov/linux/scientific/6x/external_products/softwarecollections/README
>>>> Any chance of yum-conf-softwarecollections ending up in the main SL repos?
>>>>
>>>>
>>> That's an interesting idea. Let's take it to the devel list and see what people think.
>> @me: not subscribed to the devel@ list, so I'm giving my rant here.
>>
>> The versions provided in softwarecollections almost all have already-known vulnerabilities.
>>
>> Picking only the latest CVE entries retrieved after the softwarecollections publish date:
>>
>> php-5.4: CVE-2013-6420
>> postgresql: CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063 CVE-2014-0064 CVE-2014-0065 CVE-2014-0066 CVE-2014-0067
>> python27 / python33: CVE-2014-1912
>> ruby193: CVE-2013-4491 CVE-2013-6414 CVE-2013-6415 CVE-2013-6416 CVE-2013-6417
>>
>> Until the collection gets more notice from upstream I don't think it is a good idea to provide yum-conf-softwarecollection.
>>
>
> Yikes!
>
> Anyone report these CVEs to upstream to make sure they didn't get misplaced?
>
> Pat
>
Hi Pat,
perhaps I was too fast with my rant ...
Anyway, comparing upstream checksums with the SC collection will not work, and for external products I cannot find repoview files.
Since I will have no SC console available for the next few days, I can only check whether there are already existing upstream errata.
For example:
php-5.4:
https://access.redhat.com/security/cve/CVE-2013-6420
https://rhn.redhat.com/errata/RHSA-2013-1815.html
CVE: CVE-2013-6420
RHSA: RHSA-2013:1815-1
Issued on: 2013-12-11
Updated packages:
php54-php-5.4.16-7.el6.1.x86_64.rpm -> rpm version matches the one on SC, so the rpm should be fine.
So I will ask whether it is possible to generate errata files for the packages in 6x/softwarecollection that can be used later, for example in Spacewalk.
--
Sorry for the noise, next time I will do better research.
olli
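The version check olli does by hand above (does the SC rpm match or exceed the NEVR the RHSA lists as fixed?) can be automated. This is an added example, not code from the thread or from Scientific Linux; it reimplements rpm's rpmvercmp ordering in Python, and the only value taken from the thread is the php54 NEVR from RHSA-2013:1815; the other package strings are constructed.

```python
import re
# Added example, not from the thread: check whether an installed RPM is at or
# above the NEVR an errata lists as fixed, ordering versions the way rpm's
# rpmvercmp() does. Only the php54 NEVR below comes from the thread.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")

def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 with the same ordering as rpm's rpmvercmp()."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":          # "~" (pre-release) sorts lowest
            if x != y:
                return 1 if y == "~" else -1
            continue
        if x.isdigit() != y.isdigit():    # a numeric segment beats alpha
            return 1 if x.isdigit() else -1
        if x.isdigit():
            if int(x) != int(y):          # numbers compare as integers
                return 1 if int(x) > int(y) else -1
        elif x != y:                      # letters compare as strings
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    # Leftover segments win, unless the first leftover is a tilde.
    a_longer = len(sa) > len(sb)
    first_extra = (sa if a_longer else sb)[min(len(sa), len(sb))]
    return (-1 if a_longer else 1) if first_extra == "~" else (1 if a_longer else -1)

def parse_nevr(nevr: str):
    """Split 'name-[epoch:]version-release' into (name, epoch, version, release)."""
    name, version, release = nevr.rsplit("-", 2)
    epoch, version = version.split(":", 1) if ":" in version else ("0", version)
    return name, epoch, version, release

def is_fixed(installed: str, fixed: str) -> bool:
    """True when `installed` is the same package at or above the fixed NEVR."""
    n1, *evr1 = parse_nevr(installed)
    n2, *evr2 = parse_nevr(fixed)
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1} vs {n2}")
    for x, y in zip(evr1, evr2):          # epoch, then version, then release
        r = rpmvercmp(x, y)
        if r:
            return r > 0
    return True

FIXED_PHP54 = "php54-php-5.4.16-7.el6.1"   # fixed NEVR from RHSA-2013:1815 (quoted above)
print(is_fixed("php54-php-5.4.16-6.el6", FIXED_PHP54))   # False: older release (constructed)
```

The installed NEVR would normally come from `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' php54-php` on the SC host.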