LISTSERV - SCIENTIFIC-LINUX-USERS Archives

SCIENTIFIC-LINUX-USERS Archives

April 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-USERS Home
	SCIENTIFIC-LINUX-USERS April 2014

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: Software Collections 1.0 is available for SL 6 (fwd)
From:	olli hauer <[log in to unmask]>
Reply To:	olli hauer <[log in to unmask]>
Date:	Sat, 26 Apr 2014 00:32:25 +0200
Content-Type:	text/plain
Parts/Attachments:	text/plain (69 lines)

On 2014-04-25 23:27, Pat Riehecky wrote:
> On 04/25/2014 10:27 AM, olli hauer wrote:
>> On 2014-04-25 15:25, Pat Riehecky wrote:
>>> On 04/24/2014 04:21 PM, Orion Poplawski wrote:
>>>> On 10/17/2013 02:27 PM, Connie Sieh wrote:
>>>>> ---------- Forwarded message ----------
>>>>> Date: Thu, 17 Oct 2013 15:25:39 -0500
>>>>> From: Connie Sieh <[log in to unmask]>
>>>>> To: [log in to unmask]
>>>>> Subject: Software Collections 1.0 is available  for SL 6
>>>>>
>>>>> The following TUV "software collection" products are now available for SL 6.
>>>>>
>>>>> A README with info about yum repos for these packages is available from
>>>>> ftp://sldist.fnal.gov/linux/scientific/6x/external_products/softwarecollecti
>>>>> ons/README
>>>> Any chance of yum-conf-softwarecollections ending up in the main SL repos?
>>>>
>>>>
>>> That's an interesting idea.  Lets take it to the devel list and see what people think.
>> @me not subscribed to the devel@ list so giving my rant here.
>>
>> The versions provided in softwarecollections have almost already known vulnerabilities.
>>
>> Picking only the latest CVE entires retrieved after softwarecollections publish date.
>>
>> php-5.4: CVE-2013-6420
>> postgresql: CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063 CVE-2014-0064 CVE-2014-0065 CVE-2014-0066 CVE-2014-0067
>> python27 / python33: CVE-2014-1912
>> ruby193: CVE-2013-4491 CVE-2013-6414 CVE-2013-6415 CVE-2013-6416 CVE-2013-6417
>>
>> Until the collection gets more notice from upstream I don't think it is a good idea to provide yum-conf-softwarecollection.
>>
> 
> Yikes!
> 
> Any one report these CVEs to upstream to make sure they didn't get misplaced?
> 
> Pat
> 

Hi Pat,

perhaps I was to fast with my rant ...

Anyway comparing upstream checksums with the SC collection will not work and for external products I cannot find repoview files

Since I have the next days no SC console available I can only check if there are already existing upstream erratas.

For example:

php-5.4:
 https://access.redhat.com/security/cve/CVE-2013-6420
 https://rhn.redhat.com/errata/RHSA-2013-1815.html

 CVE:  CVE-2013-6420
 RHSA: RHSA-2013:1815-1
 Issued on: 2013-12-11

Updated packages:
php54-php-5.4.16-7.el6.1.x86_64.rpm -> rpm version match the on on SC so rpm should be fine.

So I will ask if it is possible to generate errata files for the packages in 6x/softwarecollection that can be used later for example in spacewalk?

-- 
Sorry for the noise, I will next time do a better research.

olli

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV