On 03/03/2016 02:58 PM, Mark Milhollan wrote:> On Wed, 2 Mar 2016, Johnny Hughes wrote: >> On 03/02/2016 10:42 AM, Mark Milhollan wrote: > >>> I wish --security was functional > >>> I hope that the lack is not due to >>> the assumed use resulting in it being ignored. >> >> That is not the reason, > >> We do not have enough space on donated mirrors > > Surely the data could be tailored to provide only that which applies to > the current set of RPMs. Do we know that yum will fail if RPMs are > cited in the file but which are not available for install?Whose current set .. your's or the guy that hasn't done an update since 2007? Te problem is, if we say we support the security plugin, then it has to be able to update ANY configuration and all security updates. Let's say that you are on 6.4 right now, there is a security update in 6.5 and 6.6, and there is a bugfix update in 6.7 (current version), you run the security plugin and it says .. no security updates (because the 6.7 update is only a bugfix). You are instead behind and have a security problem .. no, you have to have all or it doesn't work, and it then causes people to think they are OKwhen they are not.> >> the data required for the xml file is not redistributable. > > That does sound like it is being ignored, because you know you can't do > it. > > As things stand. > > (I think you should put all this in an/the FAQ then point people to it, > instead of sending large swaths of the same words yet again, which must > surely be frustrating.) > > But the project could lobby Red Hat for access to the file, whether for > just CentOS (RH has done things just for CentOS before) or for the wider > community of rebuilders. I can't know if this has been attempted, but > it has not been mentioned as having been asked. >One of the things RHEL does that CentOS doesn't do (and has never done) is verify security issues, verify fixes correct those issues and provide assurance that they are fixed. They is why RHEL is a paid product and CentOS is free. <snip> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos/attachments/20160307/5f5e52f0/attachment-0001.sig>
Hey all, Sorry to jump in here but out of curiosity, has the patch actually been back ported to earlier versions of OpenSSL regarding the recent DROWN attack? I've checked the RPM change log and nothing's been mentioned relating to CVE-2016-0800 (I think that was the CVE number). Or is this thread not relating to that vulnerability? Kind regards James Washington> On 7 Mar 2016, at 16:34, Johnny Hughes <johnny at centos.org> wrote: > >> On 03/03/2016 02:58 PM, Mark Milhollan wrote: >>> On Wed, 2 Mar 2016, Johnny Hughes wrote: >>> On 03/02/2016 10:42 AM, Mark Milhollan wrote: >> >>>> I wish --security was functional >> >>>> I hope that the lack is not due to >>>> the assumed use resulting in it being ignored. >>> >>> That is not the reason, >> >>> We do not have enough space on donated mirrors >> >> Surely the data could be tailored to provide only that which applies to >> the current set of RPMs. Do we know that yum will fail if RPMs are >> cited in the file but which are not available for install? > > Whose current set .. your's or the guy that hasn't done an update since > 2007? > > Te problem is, if we say we support the security plugin, then it has to > be able to update ANY configuration and all security updates. > > Let's say that you are on 6.4 right now, there is a security update in > 6.5 and 6.6, and there is a bugfix update in 6.7 (current version), you > run the security plugin and it says .. no security updates (because the > 6.7 update is only a bugfix). > > You are instead behind and have a security problem .. no, you have to > have all or it doesn't work, and it then causes people to think they are > OKwhen they are not. > >> >>> the data required for the xml file is not redistributable. >> >> That does sound like it is being ignored, because you know you can't do >> it. >> >> As things stand. >> >> (I think you should put all this in an/the FAQ then point people to it, >> instead of sending large swaths of the same words yet again, which must >> surely be frustrating.) >> >> But the project could lobby Red Hat for access to the file, whether for >> just CentOS (RH has done things just for CentOS before) or for the wider >> community of rebuilders. I can't know if this has been attempted, but >> it has not been mentioned as having been asked. > > One of the things RHEL does that CentOS doesn't do (and has never done) > is verify security issues, verify fixes correct those issues and provide > assurance that they are fixed. They is why RHEL is a paid product and > CentOS is free. > > <snip> > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos
On 03/07/2016 10:14 AM, James Washington wrote:> Hey all, > > Sorry to jump in here but out of curiosity, has the patch actually been back ported to earlier versions of OpenSSL regarding the recent DROWN attack? I've checked the RPM change log and nothing's been mentioned relating to CVE-2016-0800 (I think that was the CVE number). Or is this thread not relating to that vulnerability? > > Kind regards > > James WashingtonDrown depends upon SSLv2 I'm not sure if this removed SSLv2 or not but I am not personally aware of any public services that enabled SSLv2 by default in CentOS 7 anyway, so unless you have a service supporting SSLv2 you are not vulnerable to DROWN. Reality is, you should not have either SSLv2 or SSLv3 enabled on any service and disabling was best practice long before DROWN.
On 03/07/2016 12:14 PM, James Washington wrote:> Hey all, > > Sorry to jump in here but out of curiosity, has the patch actually been back ported to earlier versions of OpenSSL regarding the recent DROWN attack? I've checked the RPM change log and nothing's been mentioned relating to CVE-2016-0800 (I think that was the CVE number). Or is this thread not relating to that vulnerability? > > Kind regardsYes, this update addresses Drown .. but installing the update alone is not enough, you also have to turn off SSLv2 You can see how to do that for many different services here: https://access.redhat.com/articles/1462183 And lots of info here: https://access.redhat.com/security/vulnerabilities/drown -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos/attachments/20160307/69f7eab4/attachment-0001.sig>
Apparently Analagous Threads
- OpenSSL Update - not a security update???
- OpenSSL Update - not a security update???
- OpenSSL Update - not a security update???
- a bit further along - OpenSSL - Re: trouble compiling Dovecot 2.2.31 on Solaris 10 SPARC - libssl_iostream_openssl.so is not portable!
- a bit further along - OpenSSL - Re: trouble compiling Dovecot 2.2.31 on Solaris 10 SPARC - libssl_iostream_openssl.so is not portable!