知乎申诉处理
2017-Aug-30 09:09 UTC
[CentOS] A potentially newbie question about vulnerability patching speed in CentOS 7.x's yum repository
I've been dabbling with management of security vulnerabilities and their fixes for a while; recently I discovered there may be a delay in the process of software updates being made available in the CentOS yum repository.

Take CVE-2017-5335 for example:
On the Red Hat official notice board, https://access.redhat.com/security/cve/cve-2017-5335, we can see there is a link pointing to the advisory for RHEL 7: https://access.redhat.com/errata/RHSA-2017:2292. From there we can see that the fix happens at gnutls 3.3.26.
But when trying to update with yum update from a CentOS 7.3 x64 machine, there is no 3.3.26 available. The only available rpm for CentOS 7.3.1611 for x86_64 is gnutls-3.3.24.
This result can be verified using rpm finder: https://www.rpmfind.net/linux/rpm2html/search.php?query=gnutls

The same problem happens to other software packages such as:
glibc
tcpdump
libnl
mariadb
...
(and many others)

Why is that? And are those software packages not going to get fixed?

- p.s. please excuse me for any formatting issues. :)

Jeff
Fabian Arrotin
2017-Aug-30 09:18 UTC
[CentOS] A potentially newbie question about vulnerability patching speed in CentOS 7.x's yum repository
On 30/08/17 11:09, 知乎申诉处理 wrote:
> I've been dubbing with management of security vulnerabilities and their fixes for a while, recently I discovered there may be a delay in the process of software updates made available on CentOS yum repository.
>
> take CVE-2017-5335 for example:
> In redhat official notice board :https://access.redhat.com/security/cve/cve-2017-5335 we can see there is a link point to advisory for RHEL 7: https://access.redhat.com/errata/RHSA-2017:2292 . from there we can see that the fix happens at gnutls 3.3.26.
> But when trying to update with yum update from a CentOS 7.3 x64 machine. there is no 3.3.26 available. Only available rpm for CentOS 7.3.1611 for x86_64 is gnutls-3.3.24.
> This result can be verified using rpm finder: https://www.rpmfind.net/linux/rpm2html/search.php?query=gnutls
>
> Same problem happens to other software packages such as:
> glibc
> tcpdump
> libnl
> mariadb
> ...
> (and many others)
>
> Why is that? and are those software packages not going to get fixed?
>
> - p.s. please excuse me for any formating issues. :)
>
> Jeff

You're searching for packages that are already built but in an "interim" repository: RHEL 7.4 was released but CentOS 7.4.1708 isn't yet available, while packages are built (almost all of them).

See https://seven.centos.org/2017/08/cr-repository-for-centos-linux-7-1708-released/ and you'll have all the packages you're looking for.

-- 
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
Pete Biggs
2017-Aug-30 09:30 UTC
[CentOS] A potentially newbie question about vulnerability patching speed in CentOS 7.x's yum repository
> Same problem happens to other software packages such as:
> glibc
> tcpdump
> libnl
> mariadb
> ...
> (and many others)
>
> Why is that? and are those software packages not going to get fixed?
>

There have been various threads concerning this in the past month. You can find them in the archives - a couple I found by a quick scan:

https://lists.centos.org/pipermail/centos/2017-August/165910.html
https://lists.centos.org/pipermail/centos/2017-August/165867.html

Basically the updates build against 7.4 and that was only released to the CR repository a week ago. See https://lists.centos.org/pipermail/centos/2017-August/165930.html and https://seven.centos.org/2017/08/cr-repository-for-centos-linux-7-1708-released/

It will all make it into the main repositories in due course. Remember that CentOS is a community distro and as such resources are limited so things don't happen immediately. If the timing of the release of updates is critical to you, then your best bet is to pay for a RHEL subscription.

P.
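The check Jeff describes (advisory fixed version versus what the installed package carries), as an added shell example that is not from the thread or the CentOS project: it compares version-release strings and also greps the package changelog for the CVE id, since Red Hat backports fixes without always bumping the upstream version. The release suffixes and the changelog entry below are constructed for the demo; the live check assumes rpm is on the host.

```shell
#!/bin/sh
# Added example, not code from the thread: decide whether an installed RPM
# already carries the fix named in a Red Hat advisory. Two checks matter on
# CentOS/RHEL: (1) compare the installed version-release with the advisory's
# fixed one, and (2) grep the package %changelog for the CVE id, because
# fixes are often backported into an older upstream version.
# Version/release strings and the changelog below are constructed for the
# demo; take the real fixed version-release from the RHSA page. Epochs are
# not handled.

# Return 0 if version-release $1 is >= $2 (GNU sort -V ordering).
ver_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

# Return 0 if the changelog text on stdin mentions CVE id $1.
changelog_has_cve() {
    grep -q -i -- "$1"
}

# Print a verdict: fixed | backported | vulnerable.
# $1 installed version-release, $2 fixed version-release, $3 CVE id;
# stdin carries the package changelog.
assess() {
    if ver_ge "$1" "$2"; then
        echo fixed
    elif changelog_has_cve "$3"; then
        echo backported
    else
        echo vulnerable
    fi
}

# Live check on a host with rpm, e.g.: check_host gnutls 3.3.26-1.el7 CVE-2017-5335
check_host() {
    rpm -q "$1" >/dev/null 2>&1 || { echo "not installed"; return 1; }
    inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" | head -n1)
    rpm -q --changelog "$1" | assess "$inst" "$2" "$3"
}

# Constructed changelog: an older version whose packager backported the fix.
SAMPLE_CHANGELOG='* Mon Jan 02 2017 Example Packager <pkg@example.org> - 3.3.24-3
- backport fix for CVE-2017-5335 (constructed sample entry)
'

# Demo on the constructed data (no rpm needed): prints "backported"
printf '%s' "$SAMPLE_CHANGELOG" | assess 3.3.24-3.el7 3.3.26-1.el7 CVE-2017-5335
```

On a 7.3 machine, the packages Fabian and Pete point to can be compared against the CR repository with `yum --enablerepo=cr check-update gnutls` once centos-release-cr is installed.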