CentOS update "policies"

Erik
Posts: 2
Joined: 2011/04/14 13:32:51

CentOS update "policies"

Post by Erik » 2011/04/14 13:47:23

Hi,

I own a dedicated server that runs CentOS. While I like the operating system very much, there's one thing I don't like, and that's the way packages are updated. For example, let's take OpenSSL. Every now and then security vulnerabilities are discovered and CentOS will patch the hole, but they will not update the version number. This causes tools like rkhunter to display warnings (about outdated software while it's actually not). It is very annoying and confusing. How are we server owners supposed to know when a warning can be safely ignored? That's a point I seriously dislike. What can I do about it?

Erik

herrold
Posts: 100
Joined: 2005/03/19 22:14:28

CentOS update "policies"

Post by herrold » 2011/04/14 14:31:05

So ... You have a problem that the tool that you are using, 'rkhunter', is reporting 'false positives', because it is using a poor method to detect potentially vulnerable code, and has not been fixed to do a better job yet. Clearly CentOS and its upstream have a substantial market share and they have chosen to ignore addressing it ...

Have you asked them to fix the matter? What is their timetable to do so?

-- Russ herrold

toracat
Forum Moderator
Posts: 7439
Joined: 2006/09/03 16:37:24
Location: California, US

Re: CentOS update "policies"

Post by toracat » 2011/04/14 15:41:13

[quote]
Erik wrote:

I own a dedicated server that runs CentOS. While I like the operating system very much, there's one thing I don't like, and that's the way packages are updated. For example, let's take OpenSSL. Every now and then security vulnerabilities are discovered and CentOS will patch the hole, but they will not update the version number.[/quote]
CentOS is a clone of the upstream product. Version numbers and all are supposed to match upstream. So, the only way to get your voice heard is to contact them. This explains why version numbers do not change throughout a given major release:

https://access.redhat.com/security/updates/backporting/

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: CentOS update "policies"

Post by pschaff » 2011/04/14 19:53:14

In my experience with rkhunter, configuring it correctly and then using "rkhunter --update --propupd" takes care of most of these problems.

As others have pointed out, the version numbers are not a CentOS decision.
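
Added example (not part of the thread, and not CentOS or rkhunter code): because backported fixes leave the upstream version string unchanged, the package changelog is where to confirm that a given fix is present. The sketch below parses `rpm -q --changelog` output; the function names and the sample changelog, including its placeholder CVE ids, are constructed, and it assumes each entry header ends with the version-release, which is a packaging convention rather than a guarantee.

```shell
#!/bin/sh
# Added example: list the CVE ids a package changelog mentions, with the
# release of the newest entry naming each one.
# On a real host: rpm -q --changelog openssl | cve_releases

# Reads RPM changelog text on stdin (newest entry first, as rpm prints it) and
# prints "CVE-id release" once per CVE, using the first entry that mentions it.
cve_releases() {
    awk '
        /^\* / { rel = $NF; next }   # entry header: last field is version-release (assumed)
        {
            line = $0
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                id = substr(line, RSTART, RLENGTH)
                if (!(id in seen)) { seen[id] = 1; print id, rel }
                line = substr(line, RSTART + RLENGTH)
            }
        }'
}

# Exit status 0 if the CVE id given as $1 is mentioned in the changelog on stdin.
cve_is_fixed() {
    cve_releases | awk -v id="$1" '$1 == id { found = 1 } END { exit !found }'
}

# Constructed sample in rpm changelog layout; packager, dates, releases and
# CVE ids are placeholders, not real advisories.
sample_changelog() {
    cat <<'EOF'
* Tue Mar 01 2011 Example Packager <pkg@example.com> 0.9.8e-12.el5_6.2
- fix CVE-0000-0002 - constructed entry

* Mon Nov 15 2010 Example Packager <pkg@example.com> 0.9.8e-12.el5_5.7
- fix CVE-0000-0001 - constructed entry
- also mention CVE-0000-0002 preparation

* Wed Jan 20 2010 Example Packager <pkg@example.com> 0.9.8e-12.el5_4.1
- rebuild
EOF
}
```

A version-string warning from a scanner can then be checked against the installed package with `rpm -q --changelog openssl | cve_is_fixed <CVE id>`.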
