On 05/11/2016 09:45 AM, Steve Snyder wrote:
> On Wednesday, May 11, 2016 11:20am, "Patrick Rael" <prael at lumeta.com> said:
>
>> Hi,
>> Is there an ETA on the openssl security update (CVE-2016-0799) for
>> CentOS 6.7? I saw the openssl update for CentOS 7 on 5/9, eagerly
>> awaiting the same for 6.7.
>>
>> Thanks!
>
> Looks like Red Hat pushed it to RHEL v6.8, released yesterday. Unless
> CentOS does a special back-port we'll have to wait for CentOS v6.8 to
> get the OpenSSL update.

Is there an ETA on CentOS v6.8? Days? Weeks? Months? (years?)
I just need to predict when CVE-2016-0799 will be fixed for CentOS 6.7.
I thought security updates would be available on 6.7 for many more years.

Best regards!

--
Patrick Rael
Contractor, Lumeta Corporation
Network Situational Awareness
Phone: 703-298-3276

m.roth at 5-cent.us
2016-May-11 17:24 UTC
[CentOS] openssl Security Update for CentOS 6.7 ETA
Patrick Rael wrote:
> On 05/11/2016 09:45 AM, Steve Snyder wrote:
>>
>> On Wednesday, May 11, 2016 11:20am, "Patrick Rael" <prael at lumeta.com>
>> said:
>>
>>> Hi,
>>> Is there an ETA on the openssl security update (CVE-2016-0799) for
>>> CentOS 6.7? I saw the openssl update for CentOS 7 on 5/9, eagerly
>>> awaiting the same for 6.7.
>>>
>> Looks like Red Hat pushed it to RHEL v6.8, released yesterday. Unless
>> CentOS does a special back-port we'll have to wait for CentOS v6.8 to
>> get the OpenSSL update.
>
> Is there an ETA on CentOS v6.8? Days? Weeks? Months? (years?)
> I just need to predict when CVE-2016-0799 will be fixed for CentOS 6.7.
> I thought security updates would be available on 6.7 for many more years.
>

Please - it was *just* released, and the build team is presumably already on it. Hopefully, upstream hasn't screwed with their build environment again.

At any rate, when upstream did, it took our build team about a month to get builds working again; if they haven't, then I'd hope for a few weeks.

PLEASEPLEASEPLEASEPLEASE people, *don't* turn this into a 5k posts a day arguing over whether the build team is lazy, or 75% of them "ANYTHING NEW?! HOW SOON?!!!!!!!!!

Give them some bloody time, children. It's a job of work, as the old saying goes.

mark

> Date: Wednesday, May 11, 2016 13:24:43 -0400
> From: m.roth at 5-cent.us
>
> Patrick Rael wrote:
>> On 05/11/2016 09:45 AM, Steve Snyder wrote:
>>>
>>> On Wednesday, May 11, 2016 11:20am, "Patrick Rael"
>>> <prael at lumeta.com> said:
>>>
>>>> Hi,
>>>> Is there an ETA on the openssl security update (CVE-2016-0799)
>>>> for CentOS 6.7? I saw the openssl update for CentOS 7 on
>>>> 5/9, eagerly awaiting the same for 6.7.
>>>>
>>> Looks like Red Hat pushed it to RHEL v6.8, released yesterday.
>>> Unless CentOS does a special back-port we'll have to wait for
>>> CentOS v6.8 to get the OpenSSL update.
>
>> Is there an ETA on CentOS v6.8? Days? Weeks? Months? (years?)
>> I just need to predict when CVE-2016-0799 will be fixed for CentOS
>> 6.7. I thought security updates would be available on 6.7 for many
>> more years.
>>
> Please - it was *just* released, and the build team is presumably
> already on it. Hopefully, upstream hasn't screwed with their build
> environment again.
>
> At any rate, when upstream did, it took our build team about a
> month to get builds working again; if they haven't, then I'd hope
> for a few weeks.
>
> PLEASEPLEASEPLEASEPLEASE people, *don't* turn this into a 5k posts
> a day arguing over whether the build team is lazy, or 75% of them
> "ANYTHING NEW?! HOW SOON?!!!!!!!!!
>
> Give them some bloody time, children. It's a job of work, as the old
> saying goes.
>

Security updates will be available for RHEL/CentOS 6 for many years (November 2020 I believe). 6.7 is simply a point-in-time snapshot which is not explicitly supported once the next point release has come out.

> I thought security updates would be available
> on 6.7 for many more years.

When there are cusp security issues like this the security update sometimes comes out ahead of the rest of the new point release via the fasttrack or CR repositories.

On 05/11/2016 11:24 AM, m.roth at 5-cent.us wrote:
> Patrick Rael wrote:
>> On 05/11/2016 09:45 AM, Steve Snyder wrote:
>>> On Wednesday, May 11, 2016 11:20am, "Patrick Rael" <prael at lumeta.com>
>>> said:
>>>
>>>> Hi,
>>>> Is there an ETA on the openssl security update (CVE-2016-0799) for
>>>> CentOS 6.7? I saw the openssl update for CentOS 7 on 5/9, eagerly
>>>> awaiting the same for 6.7.
>>>>
>>> Looks like Red Hat pushed it to RHEL v6.8, released yesterday. Unless
>>> CentOS does a special back-port we'll have to wait for CentOS v6.8 to
>>> get the OpenSSL update.
>> Is there an ETA on CentOS v6.8? Days? Weeks? Months? (years?)
>> I just need to predict when CVE-2016-0799 will be fixed for CentOS 6.7.
>> I thought security updates would be available on 6.7 for many more years.
>>
> Please - it was *just* released, and the build team is presumably already
> on it. Hopefully, upstream hasn't screwed with their build environment
> again.
>
> At any rate, when upstream did, it took our build team about a month to
> get builds working again; if they haven't, then I'd hope for a few weeks.
>
> PLEASEPLEASEPLEASEPLEASE people, *don't* turn this into a 5k posts a day
> arguing over whether the build team is lazy, or 75% of them "ANYTHING
> NEW?! HOW SOON?!!!!!!!!!
>
> Give them some bloody time, children. It's a job of work, as the old
> saying goes.
>
> mark

Thanks! You developers do a mountain of work, it's really appreciated greatly!

-->Pat

--
Patrick Rael
Contractor, Lumeta Corporation
Network Situational Awareness
Phone: 703-298-3276

On 05/11/2016 11:44 AM, Patrick Rael wrote:
> On 05/11/2016 09:45 AM, Steve Snyder wrote:
>>
>> On Wednesday, May 11, 2016 11:20am, "Patrick Rael" <prael at lumeta.com>
>> said:
>>
>>> Hi,
>>> Is there an ETA on the openssl security update (CVE-2016-0799) for
>>> CentOS 6.7? I saw the openssl update for CentOS 7 on 5/9, eagerly
>>> awaiting the same for 6.7.
>>>
>>> Thanks!
>> Looks like Red Hat pushed it to RHEL v6.8, released yesterday. Unless
>> CentOS does a special back-port we'll have to wait for CentOS v6.8 to
>> get the OpenSSL update.
> Is there an ETA on CentOS v6.8? Days? Weeks? Months? (years?)
> I just need to predict when CVE-2016-0799 will be fixed for CentOS 6.7.
> I thought security updates would be available on 6.7 for many more years.
>

Because Red Hat built that against 6.8 and not 6.7, I have to do the same.

I expect that the CR rpms for os/ and that openssl update will be released in the next 2-3 days.

Thanks,
Johnny Hughes

m.roth at 5-cent.us
2016-May-11 19:49 UTC
[CentOS] openssl Security Update for CentOS 6.7 ETA
Johnny Hughes wrote:
> On 05/11/2016 11:44 AM, Patrick Rael wrote:
>> On 05/11/2016 09:45 AM, Steve Snyder wrote:
>>> On Wednesday, May 11, 2016 11:20am, "Patrick Rael" <prael at lumeta.com>
>>> said:
>>>> Is there an ETA on the openssl security update (CVE-2016-0799) for
>>>> CentOS 6.7? I saw the openssl update for CentOS 7 on 5/9, eagerly
>>>> awaiting the same for 6.7.
>>>>
>>>> Thanks!
>>> Looks like Red Hat pushed it to RHEL v6.8, released yesterday. Unless
>>> CentOS does a special back-port we'll have to wait for CentOS v6.8 to
>>> get the OpenSSL update.
>> Is there an ETA on CentOS v6.8? Days? Weeks? Months? (years?)
>> I just need to predict when CVE-2016-0799 will be fixed for CentOS 6.7.
>> I thought security updates would be available on 6.7 for many more
>> years.
>
> Because Red Hat built that against 6.8 and not 6.7, I have to do the same.
>
> I expect that the CR rpms for os/ and that openssl update will be
> released in the next 2-3 days.
>
> Thanks,

No, thank *you*, Johnny, for all the work you do... and, as I've offered before, if we're ever in the same metro area, I'd be happy to buy you a drink for it all.

mark