similar to: Modifying RHEL OVAL CVE feed for use with CentOS 7

Displaying 20 results from an estimated 5000 matches similar to: "Modifying RHEL OVAL CVE feed for use with CentOS 7"

2020 Aug 04
3
CentOS Security Advisories OVAL feed??
Dear List, I have spent some time playing around with oscap and the RHEL OVAL feed (https://www.redhat.com/security/data/oval/v2/RHEL8/, also check Chapter 16 of the RHEL 8 Design Guide). Because I could not find an existing OVAL file for CentOS, I downloaded one of the RHEL8 files and managed to modify (eg. the rhel-8.1-e4s.oval.xml) it to make it work on a CentOS machine. Basically I just
2020 Aug 05
0
CentOS Security Advisories OVAL feed??
On 8/5/20 10:45 AM, centos at niob.at wrote: > On 05/08/2020 16:49, Johnny Hughes wrote: >> On 8/5/20 1:05 AM, centos at niob.at wrote: >>> On 04/08/2020 23:50, Jon Pruente wrote: >>>> On Tue, Aug 4, 2020 at 11:34 AM <centos at niob.at> wrote: >>>> >>>>> Q5) If the answer to the last question is "no": shouldn't there be
2020 Aug 05
0
CentOS Security Advisories OVAL feed??
On 8/5/20 1:05 AM, centos at niob.at wrote: > On 04/08/2020 23:50, Jon Pruente wrote: >> On Tue, Aug 4, 2020 at 11:34 AM <centos at niob.at> wrote: >> >>> Q5) If the answer to the last question is "no": shouldn't there be such >>> a resource? >>> >> CentOS doesn't publish security errata. If you need it then you should
2020 Aug 05
3
CentOS Security Advisories OVAL feed??
On 05/08/2020 16:49, Johnny Hughes wrote: > On 8/5/20 1:05 AM, centos at niob.at wrote: >> On 04/08/2020 23:50, Jon Pruente wrote: >>> On Tue, Aug 4, 2020 at 11:34 AM <centos at niob.at> wrote: >>> >>>> Q5) If the answer to the last question is "no": shouldn't there be such >>>> a resource? >>>> >>> CentOS
2020 Aug 05
2
CentOS Security Advisories OVAL feed??
On 04/08/2020 23:50, Jon Pruente wrote: > On Tue, Aug 4, 2020 at 11:34 AM <centos at niob.at> wrote: > >> Q5) If the answer to the last question is "no": shouldn't there be such >> a resource? >> > CentOS doesn't publish security errata. If you need it then you should > either buy RHEL, or deal with putting together your own set up with >
2019 Sep 03
2
oval support for centos
We use oval to check the system vulnerability. Redhat offers official oval (https://www.redhat.com/security/data/oval/), and it works well on redhat. There is no official centos oval, and using redhat oval on centos got false results. centos is based on redhat, so I wrote a script to fetch redhat oval files and convert it to be useful for centos. And I push the oval to my github:
2019 Sep 05
0
oval support for centos
On 9/3/19 3:27 AM, Sep0lkit wrote: > We use oval to check the system vulnerability. > > Redhat offers official oval (https://www.redhat.com/security/data/oval/), and > it works well on redhat. > > There is no official centos oval, and using redhat oval on centos got > false results. > centos is based on redhat, so I wrote a script to fetch redhat oval files and > convert it
2017 Jul 06
0
OVAL support for CentOS
Hi, I would like to know if there is some feed for OVAL checks like in Redhat: https://www.redhat.com/security/data/oval/. Documentation: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Practical_Examples.html#sect-Auditing_Security_Vulnerabilities_Example Other distributions have an oval feed: - Redhat:
2019 Feb 01
0
OVAL content
Hi all, Much like Ubuntu and Debian teams have OVAL content published for detecting vulnerabilities, are there plans of publishing such content? e.g. https://people.canonical.com/~ubuntu-security/oval/ On a related note, has anybody looked into using RHEL oval content on CentOS?
2020 Aug 04
0
CentOS Security Advisories OVAL feed??
On Tue, Aug 4, 2020 at 11:34 AM <centos at niob.at> wrote: > Q5) If the answer to the last question is "no": shouldn't there be such > a resource? > CentOS doesn't publish security errata. If you need it then you should either buy RHEL, or deal with putting together your own set up with something like http://cefs.steve-meier.de/
2020 Jun 29
0
can we help with libvorbis release for CVE fixes?
Hi Ralph and libvorbis developers, I thought the vorbis gitlab project was the main development site (https://gitlab.xiph.org/xiph/vorbis) because that's what the NVD CVE tracker points to for the two CVEs I mentioned. But I just realized there's also a vorbis github project (https://github.com/xiph/vorbis). Both appear to have recent activity. Is the gitlab project the correct one
2020 Jul 04
0
can we help with libvorbis release for CVE fixes?
Ok, I wasn't able to track down the original steps to reproduce this issue, but we believe CVE-2018-10393 is a duplicate of CVE-2017-14160, both fixed by commit 018ca26dece6. Because of the confusion, I added additional bounds checks to the bark_noise_hybridmp function, which make it clear to local analysis that no for bugs in this class are possible. This change is in commit a9eb99a5bd6f.
2004 Jun 25
7
circle / oval / semicircle ?
hi: where would I find facilities to draw circles, ovals, and semicircles? (or should I construct them myself using curve?) regards, /ivo
2020 Jun 10
0
can we help with libvorbis release for CVE fixes?
Hi Ellen, Thanks for your kind offer to help the release along. We have indeed been having trouble finding resources for that. You can certainly help by testing the git master branch with your software and reporting any issues you find. Otherwise, triaging outstanding bug reports and patches is always helpful, although that's not essential for a security-based release. I'll try to find
2020 Jun 30
2
can we help with libvorbis release for CVE fixes?
Yes, the gitlab instance is the correct upstream development repository. We maintain a mirror at github for the convenience of developers there. Cheers, Ralph On Mon, 2020-06-29 at 21:27 +0000, Ellen Johnson wrote: > Hi Ralph and libvorbis developers, > I thought the vorbis gitlab project was the main development site ( > https://gitlab.xiph.org/xiph/vorbis) because that's what
2018 Jan 04
3
CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754
Hello, will there be updates for these CVEs for CentOS 6? Thanks, Walter
2015 Sep 02
2
yum list-sec CVE
Hi, Is the command #yum list-sec cves still compatible with Centos7? Or are there alternatives to list all CVE applicable to a CentOS without the Satellite? Thanks
2017 Jan 05
0
OpenSCAP failures to to OS version?
Hi - I'm running the OpenSCAP STIG profile on a new CentOS 7.1611 installation, and I get a few failures that look like this (output from openscap scan --verbosity INFO). I suspect this is because the openscap module is not accepting CentOS 7 as RHEL 7 for rules purposes, despite an early check for "Community Enterprise Operating System 7" which succeeds. 1. Am I correct in why it's
2023 Mar 21
2
Bug#1033297: xen: CVE-2022-42331 CVE-2022-42332 CVE-2022-42333 CVE-2022-42334
Source: xen Version: 4.17.0+46-gaaf74a532c-1 Severity: grave Tags: security upstream X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org> Hi, The following vulnerabilities were published for xen. CVE-2022-42331[0]: | x86: speculative vulnerability in 32bit SYSCALL path Due to an | oversight in the very original Spectre/Meltdown security work | (XSA-254),
2020 Jun 12
4
can we help with libvorbis release for CVE fixes?
Hi Ralph, Thank you for your reply! For context -- we consider reported CVEs as bugs even if it's in a third-party library we use (such as libvorbis). We first determine if the CVE is something that would impact our customer workflows. In this case because of our use of libvorbis for audio I/O, it does impact our customers so we need to resolve the CVE as soon as possible. In the