PCI Compliance Vulnerabilities

Support for security such as Firewalls and securing linux
pawelek
Posts: 1
Joined: 2014/06/18 19:40:00

PCI Compliance Vulnerabilities

Post by pawelek » 2014/06/18 19:46:31

We did a PCI compliance scan on our CentOS 5.10 and the following vulnerabilities showed up... are there any plans from CentOS to update the affected RPMs to address these vulnerabilities?

1.1.1. For portmapper
These vulnerabilities can be resolved by performing the following 5 steps. The total estimated time to perform all of these steps is 16 hours.

Upgrade librpcsecgss to 0.15.
Estimated time: 2 hours
Download and apply the upgrade from: http://www.citi.umich.edu/projects/nfsv ... rpcsecgss/
This will address 2 instances of the following issue: Kerberos "svcauth_gss_validate()" Buffer Overflow Vulnerability (kerberos-svc-authgss-buffer-overflow).

Upgrade libtirpc to 0.1.8.
Estimated time: 2 hours
Download and apply the upgrade from: http://sourceforge.net/projects/libtirpc/files/
This will address 2 instances of the following issue: Kerberos "svcauth_gss_validate()" Buffer Overflow Vulnerability (kerberos-svc-authgss-buffer-overflow).

Upgrade Kerberos 5 to 1.5.5.
Estimated time: 2 hours
Download and apply the upgrade from: http://web.mit.edu/Kerberos/krb5-1.5/
This will address 2 instances of the following issue: Kerberos "svcauth_gss_validate()" Buffer Overflow Vulnerability (kerberos-svc-authgss-buffer-overflow).

Upgrade Kerberos 5 to 1.6.3.
Estimated time: 2 hours
Download and apply the upgrade from: http://web.mit.edu/Kerberos/krb5-1.6/
This will address 2 instances of the following issue: Kerberos "svcauth_gss_validate()" Buffer Overflow Vulnerability (kerberos-svc-authgss-buffer-overflow).

Fix affected libraries
Estimated time: 8 hours
Upgrade libnsl, libc, glibc, dietlibc and any other affected libraries to the newest version.
This will address 2 instances of the following issue: "xdrmem_getbytes()" Integer Overflow Vulnerability (xdrmem-getbytes-integeroverflow).

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: PCI Compliance Vulnerabilities

Post by gerald_clark » 2014/06/18 20:35:09

You can't go by version numbers.
http://wiki.centos.org/FAQ/General read item 23.

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: PCI Compliance Vulnerabilities

Post by TrevorH » 2014/06/18 20:49:12

And in case it's not obvious... do not do any of those upgrades!
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Super Jamie
Posts: 310
Joined: 2014/01/10 23:44:51

Re: PCI Compliance Vulnerabilities

Post by Super Jamie » 2014/06/20 10:53:55

Push your compliance scanner vendor to provide CVE numbers instead of meaningless garbage.

Check the relevant CVEs on the CVE database:

https://access.redhat.com/security/cve/
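As an added example (not from this thread or from CentOS), the script below does the check the replies above point at: it looks for a CVE id in an RPM changelog, which is what `rpm -q --changelog` prints, and shows why a finding of the form "upgrade to version X" is a false positive when the fix has been backported and the package version stays below the scanner's target. The CVE ids, version numbers and changelog text are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. On CentOS a security fix is backported and
# recorded in the RPM changelog, so check the CVE id against `rpm -q --changelog`
# rather than comparing the package version with an upstream release number.
# The CVE ids, versions and changelog text below are CONSTRUCTED placeholders.

# cve_fixed_in_changelog CVE-ID   (changelog text on stdin)
# Exit 0 when the changelog mentions the CVE id, 1 otherwise.
cve_fixed_in_changelog() {
    grep -q -F -- "$1"
}

# cve_fixed_in_rpm CVE-ID PACKAGE : live check, meaningful only on an RPM host.
cve_fixed_in_rpm() {
    rpm -q --changelog "$2" 2>/dev/null | cve_fixed_in_changelog "$1"
}

# version_lt A B : exit 0 when dotted version A is numerically older than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1 }'
}

# assess CVE-ID INSTALLED-VERSION SCANNER-TARGET-VERSION CHANGELOG-TEXT
# Prints "false-positive" (version below the scanner's target but the fix is
# backported), "fixed" (already at or past the target) or "vulnerable".
assess() {
    if printf '%s\n' "$4" | cve_fixed_in_changelog "$1"; then
        if version_lt "$2" "$3"; then echo "false-positive"; else echo "fixed"; fi
        return 0
    fi
    echo "vulnerable"
    return 1
}

# Constructed changelog in the style of `rpm -q --changelog krb5-libs`.
SAMPLE_CHANGELOG='* Tue Jan 01 2008 Example Packager <pkg@example.invalid> - 1.6.1-17
- backport upstream fix for svcauth_gss_validate() buffer overflow (CVE-YYYY-NNNN)
* Mon Dec 03 2007 Example Packager <pkg@example.invalid> - 1.6.1-16
- rebuild'

assess CVE-YYYY-NNNN 1.6.1 1.6.3 "$SAMPLE_CHANGELOG"          # false-positive
assess CVE-0000-0000 1.6.1 1.6.3 "$SAMPLE_CHANGELOG" || true  # vulnerable
```

On a real host, replace the sample text with `cve_fixed_in_rpm CVE-ID PACKAGE` for each CVE the vendor errata lists for the finding.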
