Hi.

I have had an enquiry from the Network and Security guy. He wants to know why CentOS 5.5 / RHEL 5 is using a very old version of bind, "bind-chroot-9.3.6-4.P1.el5_5.3", when the latest release, which has many security fixes, is 9.7.3. I understand that it's to maintain a known stable platform by not introducing new elements etc. Is there an official explanation / document that I can direct him to?

Thanks

Greg Machin
Systems Administrator - Linux
Infrastructure Group, Information Services
On Wed, Feb 23, 2011 at 9:08 PM, Machin, Greg <Greg.Machin at openpolytechnic.ac.nz> wrote:
> Hi.
>
> I have had an enquiry from the Network and Security guy. He wants to know
> why CentOS 5.5 /RHEL 5 is using a very old version of bind
> "bind-chroot-9.3.6-4.P1.el5_5.3" when the latest release that has many
> security fixes is on 9.7.3 . I understand that its to maintain a known
> stable platform by in introducing new elements etc .. Is there an official
> explanation / document that I can direct him to.

The "bind97" package is in RHEL 5.6. Red Hat publishes such major component upgrades as separate packages, so people using the older version get updates, but those who want the major upgrades are free to install them and get separate support.

Our faithful CentOS maintainers have not yet completed their publication of CentOS 5.6. I'm sure they'd appreciate your help doing so, although I've had some difficulty reverse engineering enough of their build structure to parallel their work.
On Thu, 2011-02-24 at 15:08 +1300, Machin, Greg wrote:
> I have had an enquiry from the Network and Security guy. He wants to
> know why CentOS 5.5 /RHEL 5 is using a very old version of bind
> "bind-chroot-9.3.6-4.P1.el5_5.3" when the latest release that has many
> security fixes is on 9.7.3 . I understand that its to maintain a known
> stable platform by in introducing new elements etc .. Is there an
> official explanation / document that I can direct him to.

It is my understanding the security issue neither affects the Red Hat version of Bind nor the CentOS derivative for operating system releases 4 and 5. This subject was mentioned here with some passion in the last 48 hours but I don't keep copies. Please suggest to your "guy" he needs to do some Googling to find recent emails from this mailing list and other sources which may provide further information.
On 02/24/2011 01:08 PM, Machin, Greg wrote:
>
> Hi.
>
> I have had an enquiry from the Network and Security guy. He wants to
> know why CentOS 5.5 /RHEL 5 is using a very old version of bind
> "bind-chroot-9.3.6-4.P1.el5_5.3" when the latest release that has many
> security fixes is on 9.7.3 . I understand that its to maintain a known
> stable platform by in introducing new elements etc .. Is there an
> official explanation / document that I can direct him to.
>

Hi Greg

Probably an idea to point your N&S guys at the RH 'backporting' page - https://access.redhat.com/security/updates/backporting/?sc_cid=3093

Basically, the version is kept the same to minimise impact on users, whilst bugfixes and security errata from future versions are 'backported' to the version that ships with the relevant RHEL version.

Also worthwhile pointing them at the BIND CVE in the Red Hat Bugzilla, which advises on the impact on the RHEL versions - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0414

Regards

Steve
On Feb 23, 2011, at 9:08 PM, "Machin, Greg" <Greg.Machin at openpolytechnic.ac.nz> wrote:
> Hi.
>
> I have had an enquiry from the Network and Security guy. He wants to know why CentOS 5.5 /RHEL 5 is using a very old version of bind "bind-chroot-9.3.6-4.P1.el5_5.3" when the latest release that has many security fixes is on 9.7.3 . I understand that its to maintain a known stable platform by in introducing new elements etc .. Is there an official explanation / document that I can direct him to.
>

Please check out: https://access.redhat.com/security/updates/backporting/?sc_cid=3093

RHEL maintains application binary interfaces during the lifetime of their releases. Only for applications that can no longer be feasibly maintained through backporting (i.e. Firefox) do they update the version mid release.

A lot of people don't understand the backporting way of maintaining a stable platform across a release; it took me a while to appreciate it.

-Ross
On 02/23/11 6:08 PM, Machin, Greg wrote:
>
> Hi.
>
> I have had an enquiry from the Network and Security guy. He wants to
> know why CentOS 5.5 /RHEL 5 is using a very old version of bind
> "bind-chroot-9.3.6-4.P1.el5_5.3" when the latest release that has many
> security fixes is on 9.7.3 . I understand that its to maintain a known
> stable platform by in introducing new elements etc .. Is there an
> official explanation / document that I can direct him to.
>
>

To put it bluntly, your security guy is pretty much worthless as such if he thinks security is audited by checking version numbers. Sadly, this is too common.
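The replies above make the same point twice: Red Hat backports security errata into the shipped version (Steve's and Ross's messages), so the upstream version string says nothing about whether a given fix is present, and auditing by version number alone is misleading (the message just above). The practical check is to read the package changelog for the CVE ids it names. The script below is an added example, not code from this thread or from Red Hat or CentOS; `rpm -q --changelog` is the real rpm(8) query, while the changelog text, the packager name, the second release string `9.3.6-4.P1.el5_5.2` and the CVE ids `CVE-0000-0001` / `CVE-0000-0002` are constructed placeholders so that it runs offline.

```shell
#!/bin/sh
# Added example, not code from the CentOS list thread: audit a backported
# package by the CVE ids named in its RPM changelog, not by the upstream
# version number. On a live RHEL/CentOS host the changelog comes from
#   rpm -q --changelog <package>
# The changelog text below is a constructed sample: the release strings follow
# the page's bind-chroot-9.3.6-4.P1.el5_5.3 naming, and the CVE ids
# CVE-0000-0001 / CVE-0000-0002 are placeholders, not real advisories.

SAMPLE_CHANGELOG='* Tue Feb 22 2011 Example Packager <packager@example.invalid> - 9.3.6-4.P1.el5_5.3
- backport upstream fix for CVE-0000-0001 (placeholder id, constructed entry)

* Mon Jan 10 2011 Example Packager <packager@example.invalid> - 9.3.6-4.P1.el5_5.2
- backport upstream fix for CVE-0000-0002 (placeholder id, constructed entry)'

# cve_fixed_in_changelog CVE-ID [changelog-text]
# Exit 0 if the CVE id appears anywhere in the changelog text, 1 otherwise.
# Defaults to the constructed sample so the script runs offline.
cve_fixed_in_changelog() {
    cve="$1"
    text="${2:-$SAMPLE_CHANGELOG}"
    printf '%s\n' "$text" | grep -qi -- "$cve"
}

# fixed_release_for_cve CVE-ID [changelog-text]
# Print the version-release of the newest changelog entry that names the CVE.
# RPM changelogs are newest-first and each "* " header line ends with the
# version-release string. Prints nothing if no entry mentions the id.
fixed_release_for_cve() {
    cve="$1"
    text="${2:-$SAMPLE_CHANGELOG}"
    printf '%s\n' "$text" | awk -v cve="$cve" '
        /^\* / { release = $NF }          # header line: remember its release
        release != "" && index(tolower($0), tolower(cve)) { print release; exit }
    '
}

# cve_fixed_in_rpm PACKAGE CVE-ID
# Live variant for a RHEL/CentOS host: the same check against the installed
# package's changelog as recorded by the packager.
cve_fixed_in_rpm() {
    rpm -q --changelog "$1" 2>/dev/null | grep -qi -- "$2"
}

# Usage against the constructed sample: one id that is named, one that is not.
for id in CVE-0000-0001 CVE-0000-9999; do
    if cve_fixed_in_changelog "$id"; then
        echo "$id: fixed in $(fixed_release_for_cve "$id")"
    else
        echo "$id: not mentioned in changelog (check the vendor advisory)"
    fi
done
```

A changelog entry is the packager's statement, not proof, so a miss is a prompt to read the vendor advisory or Bugzilla entry for the CVE (which may say the shipped version was never affected, as one reply notes for RHEL 4 and 5) rather than a verdict that the host is vulnerable.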
On 25/02/2011 1:13 PM, Scott Robbins wrote:
> On Thu, Feb 24, 2011 at 08:04:08PM -0600, Les Mikesell wrote:
>> Can someone remind me why VMware server 2.x broke with a RHEL/CentOS 5.x glibc
>> update? I switched back to 1.x which I like better anyway, but if the reason
>> for putting up with oldness is to keep that from happening, it didn't work.
> You may want to try VMware-player if you, (like almost everyone else)
> preferred 1.x to 2.x. The later versions of player are more like 1.x,
> allowing you to install an operating system from ISO or whatever, and
> work quite well with 64 bit CentOS.

I have begun to switch all my hosts without hardware virtualization, so can't use ESXi, to VirtualBox. With the addition of an init.d script it works well as a headless virtual host. The VirtualBox command-line support is far superior to VMware Server. With the help of puppet I have automated the entire host install, configuration, guest VM creation and guest install and configuration. VirtualBox was far easier to wrap puppet around than VMware Server was too.

Ben
On 25/02/2011 4:51 PM, John R Pierce wrote:
> On 02/24/11 9:18 PM, Ben wrote:
>> I have begun to switch all my hosts without hardware virtualization, so
>> can't use ESXi, to VirtualBox.
> ESXi only needs hardware virtualization support for 64bit guest VMs.
> as long as you can live with 32bit VMs, you're good with older CPUs. I
> have it running a dozen or more VMs on a quad Opteron 850 system (4 x
> single core 2.4Ghz)
>

Thanks, I did not know that. I could've sworn I had tested it on some old IBM x306. Will have to take a look into that. I still like the automation that I get with CentOS, puppet and VirtualBox.

Ben
On Friday, February 25, 2011 11:04:23 am Les Mikesell wrote:
> RHEL5 was never a 'supported'
> platform, so a stable module wasn't included.

According to VMware's documentation, RHEL5 was and is a fully supported platform for VMware Server 2.0 (see page 26 of the current 'VMware Server User's Guide' available at vmware.com for confirmation). The binary modules are found, for the x86_64 distribution, in vmware-server-distrib/lib/modules/binary/bld-2.6.18-8.el5-x86_64smp-RHEL5/

VMware Workstation has no issues with the glibc update; VMware is just not properly supporting VMware Server, and it has nothing to do with Red Hat (Ubuntu is also listed as a supported OS, yet when you do the glibc update that matches the one that causes the issues on RHEL, the same thing happens there). VMware would prefer you run ESX or ESXi instead of 'ye olde' GSX product now known as VMware Server.