Thanks for the replies. The tool that we used for testing the security vulnerability is "Nessus".

I have glibc version 2.17-78.el7, I saw that CVE-2015-0235 (Ghost) is fixed in this version and I want to apply patch for the vulnerabilities CVE-2015-1472 & CVE-2015-1473. Can you please help me in finding the right version that has fixes for these?

Thanks

On Sat, Apr 25, 2015 at 1:05 AM, <m.roth at 5-cent.us> wrote:
> John R Pierce wrote:
> > On 4/24/2015 12:14 PM, Alexander Dalloz wrote:
> >> On 24.04.2015 at 11:21, Venkateswara Rao Dokku wrote:
> >>> I was using CentOS 7 and when I ran some custom commercial security
> >>> scan on my machine, I found about 122 vulnerabilities.
> >>
> >> That's why those scans are wasted money. From a security management
> >> point of view they neither help you nor your manager.
> >
> > I call it 'security by bullet list'
>
> I would be more interested if the OP had mentioned *what* "custom
> commercial security scan" tool they'd used.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

--
Thanks & Regards,
Venkateswara Rao Dokku.
On Mon, Apr 27, 2015 at 02:39:30PM +0530, Venkateswara Rao Dokku wrote:
> Thanks for the replies. The tool that we used for testing the security
> vulnerability is "Nessus".
>
> I have glibc version 2.17-78.el7, I saw that CVE-2015-0235 (Ghost) is fixed
> in this version and I want to apply patch for the vulnerabilities
> CVE-2015-1472 & CVE-2015-1473. Can you please help me in finding the right
> version that has fixes for these?

You have the latest glibc package available.

Checking upstream, Red Hat has their CVE information here:

https://access.redhat.com/security/cve/CVE-2015-1472
https://access.redhat.com/security/cve/CVE-2015-1473

If you look at the CVE page for the Ghost vulnerability
(https://access.redhat.com/security/cve/CVE-2015-0235) it links to any
security advisories which would include an update. Both 1472 and 1473
are marked as 'Low' impact so I suspect there won't be any updated
package to address it until later.

I would STRONGLY suggest against attempting to build your own glibc.

--
Jonathan Billings <billings at negate.org>
On 04/27/2015 02:09 AM, Venkateswara Rao Dokku wrote:
> Can you please help me in finding the right
> version that has fixes for these?

Start by accessing Red Hat's CVE database:

https://access.redhat.com/security/cve/

If errata have been published for a CVE entry, they will be listed along with other details.
On Mon, April 27, 2015 12:01 pm, Jonathan Billings wrote:
> On Mon, Apr 27, 2015 at 02:39:30PM +0530, Venkateswara Rao Dokku wrote:
>> Thanks for the replies. The tool that we used for testing the security
>> vulnerability is "Nessus".
>>
>> I have glibc version 2.17-78.el7, I saw that CVE-2015-0235 (Ghost) is
>> fixed in this version and I want to apply patch for the vulnerabilities
>> CVE-2015-1472 & CVE-2015-1473. Can you please help me in finding the
>> right version that has fixes for these?
>
> You have the latest glibc package available.
>
> Checking upstream, Red Hat has their CVE information here:
>
> https://access.redhat.com/security/cve/CVE-2015-1472
> https://access.redhat.com/security/cve/CVE-2015-1473
>
> If you look at the CVE page for the Ghost vulnerability
> (https://access.redhat.com/security/cve/CVE-2015-0235) it links to any
> security advisories which would include an update. Both 1472 and 1473
> are marked as 'Low' impact so I suspect there won't be any updated
> package to address it until later.
>
> I would STRONGLY suggest against attempting to build your own glibc.

This reminds me about old times when RedHat was backporting security patches to older versions of software (whenever applicable), thus keeping the system secure, yet keeping all relying on software internals (which may change with version) still working. This kind of makes "security analyzers" relying on software versions more misleading than helpful. Especially if the sysadmin does his job (sometimes we had to keep an older version in place, working around some vulnerability to have our system not vulnerable - e.g. turned off ciphers in case of "poodle"). I am not saying anything about Nessus, which I never used. Having a good system, fully updated (unnecessary services turned off, etc., all done according to a securing-system checklist) would be the best thing to have. Those security tools...
I wish none of the good sysadmins has a less knowledgeable supervisor armed with one or a few of these vulnerability checkers ;-)

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On 04/27/2015 04:09 AM, Venkateswara Rao Dokku wrote:
> Thanks for the replies. The tool that we used for testing the security
> vulnerability is "Nessus".
>
> I have glibc version 2.17-78.el7, I saw that CVE-2015-0235 (Ghost) is fixed
> in this version and I want to apply patch for the vulnerabilities
> CVE-2015-1472 & CVE-2015-1473. Can you please help me in finding the right
> version that has fixes for these?
>
> Thanks

I don't know how Nessus works, BUT it seems you need to load all the
CentOS Plugins to get it to understand the checks:

http://www.tenable.com/plugins/index.php?view=all&family=CentOS+Local+Security+Checks

I have NO IDEA if those are correct or how up2date they are, etc. But
if you are not loading them, you have no chance of it understanding the
backporting that redhat does.
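The point made in the last two messages (Red Hat backports fixes without bumping the upstream version, so a scanner that only compares version numbers reports false positives) can be checked locally: the package changelog that `rpm -q --changelog <pkg>` prints names the CVEs each release fixed. The script below is an added example, not code from the thread or from CentOS/Tenable. It parses changelog text in that format, reports the earliest version-release whose entry mentions a given CVE, and contrasts it with the version-only comparison a naive scanner performs. The changelog text, the release numbers in it (2.17-70, 2.17-75, 2.17-78) and the packager address are constructed for the example; the upstream fixed version 2.18 used in the naive comparison is also a placeholder for the demonstration.

```python
"""Check CVE fixes via the RPM changelog instead of version-number comparison.

Added example, not from the CentOS list thread. Assumes the input is the
text that `rpm -q --changelog <package>` prints; the sample below is
constructed and its version-release values are invented for illustration.
"""
import re
import subprocess
from typing import Dict, List, Optional

# Entry header, e.g. "* Tue Jan 27 2015 Packager <pkg@example.invalid> - 2.17-75"
HEADER_RE = re.compile(
    r"^\*\s+(?P<date>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d{4})\s+(?P<rest>.+)$"
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")

# Constructed sample changelog (newest entry first, as rpm prints it).
SAMPLE_CHANGELOG = """\
* Tue Mar 10 2015 Packager <pkg@example.invalid> - 2.17-78
- Constructed entry: assorted non-security fixes

* Tue Jan 27 2015 Packager <pkg@example.invalid> - 2.17-75
- Constructed entry: fix gethostbyname buffer overflow (CVE-2015-0235)

* Mon Jan 05 2015 Packager <pkg@example.invalid> - 2.17-70
- Constructed entry: build fixes, no security content
"""


def parse_changelog(text: str) -> List[dict]:
    """Split changelog text into entries: date, version-release, CVEs mentioned."""
    entries: List[dict] = []
    current: Optional[dict] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            # version-release is the token after the last " - " in the header
            vr = m.group("rest").rsplit(" - ", 1)[-1].strip()
            current = {"date": m.group("date"), "version_release": vr, "cves": []}
            entries.append(current)
        elif current is not None:
            for cve in CVE_RE.findall(line):
                if cve not in current["cves"]:
                    current["cves"].append(cve)
    return entries


def fixed_cves(text: str) -> Dict[str, str]:
    """Map each CVE named in the changelog to the oldest release mentioning it."""
    fixed: Dict[str, str] = {}
    for entry in reversed(parse_changelog(text)):  # oldest entry first
        for cve in entry["cves"]:
            fixed.setdefault(cve, entry["version_release"])
    return fixed


def cve_status(text: str, wanted: List[str]) -> Dict[str, Optional[str]]:
    """For each wanted CVE, the release that fixed it, or None if never mentioned."""
    fixed = fixed_cves(text)
    return {cve: fixed.get(cve) for cve in wanted}


def naive_version_flags(installed: str, fixed_upstream: str) -> bool:
    """What a version-only scanner does: flag if installed < upstream fixed version."""
    def key(v: str):
        return tuple(int(p) for p in v.split("."))
    return key(installed) < key(fixed_upstream)


def installed_changelog(package: str) -> str:
    """On a real host, read the changelog from the installed RPM (needs rpm)."""
    out = subprocess.run(["rpm", "-q", "--changelog", package],
                         check=True, capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    wanted = ["CVE-2015-0235", "CVE-2015-1472", "CVE-2015-1473"]
    print("version-only check flags 2.17:", naive_version_flags("2.17", "2.18"))
    for cve, vr in cve_status(SAMPLE_CHANGELOG, wanted).items():
        print(f"{cve}: {'fixed in ' + vr if vr else 'not mentioned in changelog'}")
```

On a CentOS/RHEL host, replace `SAMPLE_CHANGELOG` with `installed_changelog("glibc")`; a CVE that appears in the changelog is fixed by a backport even though the upstream version string is unchanged, which is exactly the case a version-matching scanner misreads. A CVE absent from the changelog is not proof of exposure either: the vendor CVE pages linked earlier in the thread state whether the package is affected at all.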
Hi,

I have php 5.4.16 on my CentOS 7 machine & when I searched over the internet I could see it is affected by some vulnerabilities. So I wanted to upgrade my PHP to 5.6.x, but did not find a procedure for it. When I tried yum upgrade php, it says "no packages marked for update". Can you please give me some pointers so that I can continue.

On Tue, Apr 28, 2015 at 2:11 AM, Johnny Hughes <johnny at centos.org> wrote:
> On 04/27/2015 04:09 AM, Venkateswara Rao Dokku wrote:
> > Thanks for the replies. The tool that we used for testing the security
> > vulnerability is "Nessus".
> >
> > I have glibc version 2.17-78.el7, I saw that CVE-2015-0235 (Ghost) is
> > fixed in this version and I want to apply patch for the vulnerabilities
> > CVE-2015-1472 & CVE-2015-1473. Can you please help me in finding the
> > right version that has fixes for these?
> >
> > Thanks
>
> I don't know how Nessus works, BUT it seems you need to load all the
> CentOS Plugins to get it to understand the checks:
>
> http://www.tenable.com/plugins/index.php?view=all&family=CentOS+Local+Security+Checks
>
> I have NO IDEA if those are correct or how up2date they are, etc. But
> if you are not loading them, you have no chance of it understanding the
> backporting that redhat does.
--
Thanks & Regards,
Venkateswara Rao Dokku.