Does anyone know the time-frame when security updates might be published for these applications in CentOS 5?

  wireshark
  postgresql
  krb5
  java-1.6.0-openjdk
  java-1.6.0-sun

The following security updates have been published upstream (after release of RHEL 5.6) to remedy the vulnerabilities described in their associated CVE reports. Remotely Exploitable: (R)

RHSA-2011:0013: Moderate: wireshark security update (1/10/11)
  CVE-2010-4538 (R)

RHSA-2011:0197: Moderate: postgresql security update (2/3/11)
  CVE-2010-4015 (R)

RHSA-2011:0199: Important: krb5 security update (2/8/11)
  CVE-2011-0281 (R)
  CVE-2011-0282 (R)

RHSA-2011:0281: Important: java-1.6.0-openjdk security update (2/17/11)
  CVE-2010-4448 (R)
  CVE-2010-4450
  CVE-2010-4465 (R)
  CVE-2010-4469 (R)
  CVE-2010-4470 (R)
  CVE-2010-4472 (R)

RHSA-2011:0282: Critical: java-1.6.0-sun security update (2/17/11)
  CVE-2010-4422 (R)
  CVE-2010-4447 (R)
  CVE-2010-4448 (R)
  CVE-2010-4450
  CVE-2010-4451 (R)
  CVE-2010-4452 (R)
  CVE-2010-4454 (R)
  CVE-2010-4462 (R)
  CVE-2010-4463 (R)
  CVE-2010-4465 (R)
  CVE-2010-4466 (R)
  CVE-2010-4467 (R)
  CVE-2010-4468 (R)
  CVE-2010-4469 (R)
  CVE-2010-4470 (R)
  CVE-2010-4471 (R)
  CVE-2010-4472 (R)
  CVE-2010-4473 (R)
  CVE-2010-4475 (R)
  CVE-2010-4476 (R)

I know the development team is furiously working to get 5.6 out the door, so I understand that there will be delays. However, it was my understanding that "Critical" security updates and those that are "remotely exploitable" would be pushed out ahead of 5.6. If 5.6 is not forthcoming, I think many of us would like to see at least the security updates to cover potential vulnerabilities.

Many thanks to the development team for all their hard work! :-)

Respectfully,

Cal Webster
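The practical question behind the list above is "which of these advisories apply to my hosts, and in what order should I chase them?" The script below is an added example, not code from the CentOS project or from anyone in this thread. It takes an advisory table and an installed-package inventory, compares installed versions against the advisory's fixed version using the same segment-by-segment rules rpm's rpmvercmp() applies, and ranks the hits by severity and remote exploitability. The advisory IDs, severities and CVEs are the ones quoted above; the "fixed" versions are placeholders chosen to exercise the comparison, not values taken from the advisories, and the INSTALLED list is a constructed rpm -qa style listing (the krb5 advisory is keyed on the krb5-libs binary package for the same reason). Run it on the output of rpm -qa --qf '%{NAME}-%{EPOCH}:%{VERSION}-%{RELEASE}\n' and a table filled in from the real advisories and it does the same triage for a real host.

```python
"""Triage security advisories against an installed-package inventory.

Added example, not code from the CentOS project or from this thread.
Assumptions: the fixed versions in ADVISORIES are placeholders, and
INSTALLED is a constructed `rpm -qa` style listing.
"""
import re

SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

# Constructed advisory table. IDs, severities and CVEs are those quoted in the
# thread; the "fixed" NVRs are placeholders (assumption), not advisory data.
ADVISORIES = [
    {"id": "RHSA-2011:0013", "severity": "Moderate", "package": "wireshark",
     "fixed": "wireshark-1.0.15-1.el5_5.5", "remote": True,
     "cves": ["CVE-2010-4538"]},
    {"id": "RHSA-2011:0197", "severity": "Moderate", "package": "postgresql",
     "fixed": "postgresql-8.1.23-1.el5_6.1", "remote": True,
     "cves": ["CVE-2010-4015"]},
    # advisory source package is krb5; the binary package checked here is krb5-libs
    {"id": "RHSA-2011:0199", "severity": "Important", "package": "krb5-libs",
     "fixed": "krb5-libs-1.6.1-55.el5_6.1", "remote": True,
     "cves": ["CVE-2011-0281", "CVE-2011-0282"]},
    {"id": "RHSA-2011:0281", "severity": "Important", "package": "java-1.6.0-openjdk",
     "fixed": "java-1.6.0-openjdk-1:1.6.0.0-1.20.b17.el5", "remote": True,
     "cves": ["CVE-2010-4448", "CVE-2010-4450", "CVE-2010-4465",
              "CVE-2010-4469", "CVE-2010-4470", "CVE-2010-4472"]},
    {"id": "RHSA-2011:0282", "severity": "Critical", "package": "java-1.6.0-sun",
     "fixed": "java-1.6.0-sun-1:1.6.0.24-1jpp.1.el5", "remote": True,
     "cves": ["CVE-2010-4422", "CVE-2010-4447", "CVE-2010-4476"]},
]

# Constructed inventory in name-[epoch:]version-release form (assumption).
INSTALLED = [
    "wireshark-1.0.15-1.el5_5.5",
    "postgresql-8.1.22-1.el5_5.1",
    "krb5-libs-1.6.1-55.el5",
    "java-1.6.0-openjdk-1:1.6.0.0-1.16.b17.el5",
]

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version/release strings the way rpm's rpmvercmp() does
    (no tilde/caret handling, which CentOS 5 rpm lacks anyway). Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):          # more digits means a larger number
                return 1 if len(x) > len(y) else -1
            if x != y:
                return 1 if x > y else -1
        elif x.isdigit():                 # a numeric segment beats an alpha segment
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):                # whichever still has segments left is newer
        return 1 if len(sa) > len(sb) else -1
    return 0


def parse_nvr(nvr: str):
    """Split 'name-[epoch:]version-release' into (name, epoch, version, release).
    Splitting from the right keeps dashes inside names like java-1.6.0-openjdk intact."""
    name, version, release = nvr.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release


def evr_cmp(a, b) -> int:
    """Compare (epoch, version, release) tuples: epoch dominates, then version, then release."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    c = rpmvercmp(a[1], b[1])
    return c if c else rpmvercmp(a[2], b[2])


def triage(advisories, installed):
    """One row per advisory whose package is installed, ordered by severity, then
    remote exploitability, then ID; status is 'vulnerable' when the installed EVR
    is older than the fixed EVR, 'patched' otherwise."""
    inv = {}
    for nvr in installed:
        name, e, v, r = parse_nvr(nvr)
        inv[name] = (e, v, r)
    rows = []
    for adv in advisories:
        have = inv.get(adv["package"])
        if have is None:
            continue                        # not installed (e.g. java-1.6.0-sun): nothing to patch
        _, fe, fv, fr = parse_nvr(adv["fixed"])
        status = "vulnerable" if evr_cmp(have, (fe, fv, fr)) < 0 else "patched"
        rows.append({"id": adv["id"], "package": adv["package"], "severity": adv["severity"],
                     "remote": adv["remote"], "status": status, "cves": adv["cves"]})
    rows.sort(key=lambda r: (SEVERITY_RANK[r["severity"]], not r["remote"], r["id"]))
    return rows


if __name__ == "__main__":
    for row in triage(ADVISORIES, INSTALLED):
        flag = "R" if row["remote"] else "-"
        print(f'{row["id"]}  {row["severity"]:<9} {flag}  {row["package"]:<20} {row["status"]}')
```

Two things in the output are worth noticing: the Critical java-1.6.0-sun advisory produces no row at all because the package is not installed (it is not shipped by CentOS, as the replies below point out), and the release-only krb5 bump (55.el5 vs 55.el5_6.1) is still flagged, because rpm treats the string with segments left over as the newer one.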
On Thu, 2011-02-24 at 14:02 -0500, Cal Webster wrote:
> Does anyone know the time-frame when security updates might be published
> for these applications in CentOS 5?
>
> wireshark
> postgresql
> krb5
> java-1.6.0-openjdk
> java-1.6.0-sun

Don't use any one of these privately (on desktop, laptop etc.) or publicly on any of the servers.

--
With best regards,
Paul.
England, EU.
On Thu, 24 Feb 2011, Cal Webster wrote:
> java-1.6.0-sun

non FOSS, non-source provided, no? This is in an addon channel in RHEL, and so far as I know we have never shipped such.

Of the others, the wireshark update is a periodic update of some edge case dissectors [these developers are quite good about releasing time based 'fixes' for their tool -- a different model than upstream, but perfectly valid], and if nominally remotely exploitable, as a practical matter, not a material threat.

The kerberos update crossed vendor-sec, but seems again to be an edge case hole.

The pgsql update is nominally exploitable, but any sensible environment uses iptables and network segment isolation rather than adding a world listening daemon.

I have commented earlier on my distress at the openjdk update NOT crossing vendor-sec. This said, again, who in their right mind exposes an unprotected Java listener application to the wild?

I saw that another in the project mentioned 'bypassing' the 5.6 respin and testing delays for truly exploitable matter. The potential 'bind' updates DoS attack vector turned out not to affect anything CentOS has shipped in base and updates, and so was a 'false positive', as prior discussion here has noted.

If one wants SLA and deterministic intervals between announcement and release, it is just not that hard to set up one-off building and updates from released sources upstream, and so one can have it at the price of a little learning and experimentation.

Alternatively, CentOS releases promptly on the usual norm, and during 'point' update times, falls back to trying to avoid 'dependency skew' problems by considering the potential disruption for millions of machines each needing manual depsolving intervention, vs. getting the next update built and QA'd and out the door in a durable fashion. If that is not 'quick enough', see the prior paragraph about self-building; or seek a vendor who will sell you the SLA you deem you require.

This is a simple 'build vs buy' decision [I might note that I have seen NO filed bug in the CentOS tracker asserting a need for any of the listed updates on an expedited basis].

-- Russ herrold
On Thu, Feb 24, 2011 at 11:02 AM, Cal Webster <cwebster at ec.rr.com> wrote:
> I know the development team is furiously working to get 5.6 out the door
> so I understand that there will be delays. However, it was my
> understanding that "Critical" security updates and those that are
> "remotely exploitable" would be pushed out ahead of 5.6.

That is my understanding, too. However, I see that the only "Critical" one on your list is java-1.6.0-sun. This is not included in CentOS...

Akemi