Centos 7.8 Security updates missing

Support for security such as Firewalls and securing linux
Aurélien
Posts: 2
Joined: 2020/10/14 14:20:04

Centos 7.8 Security updates missing

Post by Aurélien » 2020/10/14 14:26:58

Hello !

I've stumbled upon some CVEs which are already resolved on RHEL but not yet on CentOS.
I know that there may be a delay, but usually it is quite short.

Here is what I've found:

CVE-2019-15903
Impacting the expat package: the patched version is 2.1.0-12.el7, but on the CentOS updates channel there is only 2.1.0-11.el7.
Related RHSA : https://access.redhat.com/errata/RHSA-2020:3952

CVE-2019-19059
Impacting the kernel package: the patched version is 3.10-0-1060.el7, but on the CentOS updates channel there is only 3.10.0-1127.19.1.el7.
Related RHSA : https://access.redhat.com/errata/RHSA-2020:4060

Do you know why this is not patched yet?

Thank you very much !

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Centos 7.8 Security updates missing

Post by TrevorH » 2020/10/14 15:14:36

These are all part of RHEL 7.9 and will be available once CentOS 7.9 is built and released. Until then, you have to wait.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Aurélien
Posts: 2
Joined: 2020/10/14 14:20:04

Re: Centos 7.8 Security updates missing

Post by Aurélien » 2020/10/15 12:16:58

Okay thank you very much for your answer.
I'll wait patiently then :)

Ramesh Radhakrishnan
Posts: 1
Joined: 2020/10/16 09:23:02

Re: Centos 7.8 Security updates missing

Post by Ramesh Radhakrishnan » 2020/10/16 09:53:05

It was noticed that a number of CVE entries are reported by VA scan tools. Some of the following CVE entries are reported:
CVE-2017-12652, CVE-2019-12450, CVE-2019-5482, CVE-2019-11756, CVE-2019-17498, CVE-2018-20836, CVE-2019-19807, CVE-2019-19447, CVE-2019-19956, CVE-2020-12243, CVE-2020-1749, CVE-2019-11719, CVE-2019-15903, CVE-2018-20843, CVE-2020-7595, CVE-2019-2038, CVE-2019-14866, CVE-2019-12749, CVE-2020-9383, CVE-2019-14822, CVE-2020-12825.
If you are using CentOS 7.8 and hosting a web server, how critical or risky are these CVE entries? Can we continue ignoring the CVE entries and wait for CentOS 7.9, or use patches from other distributions and apply them to the system?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Centos 7.8 Security updates missing

Post by TrevorH » 2020/10/16 21:47:32

You can't use patches from other distros without destroying or severely damaging your system. Do not do so.

There is always a lag between a RHEL point release and the corresponding CentOS one. It's down to the way that Red Hat release things and there is nothing that can be done to address that. Well, unless you personally know the CEO of RH and can convince him to change the way they work!

You will need to take each of those CVE numbers and look them up on the Red Hat CVE page and see what they say about them to know whether they are serious or not. They list them all for reference and tell you the severity and/or whether they even apply to your RHEL/CentOS version at all - use https://access.redhat.com/security/cve/CVE-yyyy-nnnnn to view each one in turn. And since you're the one that's interested, you can helpfully report back as to which ones you think are dangerous and need patching once you've done that.
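Added example (not code from the thread or from the CentOS project): a small triage script for the situation discussed above, where a version-based scanner flags CVEs on a CentOS 7.8 host. It does two things a practitioner would check before deciding to wait for 7.9. First, it compares the installed version-release against the one named in the RHSA using a simplified rpmvercmp (tilde/caret ordering and epochs are not handled; that is an assumption of this example). Second, it searches `rpm -q --changelog <package>` output for the CVE IDs, because Red Hat's packages normally name the fixed CVE IDs in the RPM changelog and the CentOS rebuilds carry those entries, which is how you tell a backported fix from a genuinely missing one. The changelog text embedded here is constructed for illustration and is not the real expat changelog; the `FLAGGED` list is a subset of the IDs posted in the thread.

```python
#!/usr/bin/env python3
"""Triage scanner-flagged CVEs against installed RPMs on CentOS/RHEL.

Version-based scanners flag e.g. expat 2.1.0-11 because upstream fixed a bug
in a later upstream release; Red Hat backports fixes and records the CVE ID
in the package changelog instead. Two checks are implemented here:
  1. EVR comparison against the version-release the RHSA names as fixed.
  2. Search of `rpm -q --changelog <pkg>` output for the flagged CVE IDs.
"""
import re
import subprocess

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def _segments(s):
    """Split a version/release string into numeric and alphabetic runs."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpm_vercmp(a, b):
    """Simplified rpmvercmp: -1 if a < b, 0 if equal, 1 if a > b.
    Numeric segments compare numerically, alpha segments lexically, a numeric
    segment beats an alpha one, and leftover segments win. No tilde/caret."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(installed, fixed):
    """Compare 'version-release' strings such as '2.1.0-11.el7' vs '2.1.0-12.el7'.
    Epoch prefixes ('1:') are not parsed in this example."""
    iv, _, ir = installed.partition("-")
    fv, _, fr = fixed.partition("-")
    return rpm_vercmp(iv, fv) or rpm_vercmp(ir, fr)


def cves_in_changelog(changelog_text):
    """All CVE IDs mentioned anywhere in an RPM changelog."""
    return set(CVE_RE.findall(changelog_text))


def triage(flagged, changelogs):
    """flagged: CVE IDs from the scanner; changelogs: {package: changelog text}.
    Returns {cve: [packages whose changelog names it]}; an empty list means no
    checked package claims to have fixed it (still-open, or fixed elsewhere)."""
    found = {cve: [] for cve in flagged}
    for pkg, text in changelogs.items():
        hits = cves_in_changelog(text)
        for cve in flagged:
            if cve in hits:
                found[cve].append(pkg)
    return found


def changelog_for_installed(package):
    """Run `rpm -q --changelog <package>` on a real host; None if unavailable."""
    try:
        out = subprocess.run(["rpm", "-q", "--changelog", package],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout if out.returncode == 0 else None


# Constructed sample changelog for an installed expat 2.1.0-11 (illustrative
# only, NOT the real CentOS/RHEL changelog): it names one CVE, not the other.
SAMPLE_CHANGELOGS = {
    "expat": (
        "* Mon Feb 03 2020 Example Maintainer <maint@example.invalid> - 2.1.0-11\n"
        "- Fix CVE-2018-20843 (constructed entry)\n"
        "\n"
        "* Wed Jun 12 2019 Example Maintainer <maint@example.invalid> - 2.1.0-10\n"
        "- Rebuild (constructed entry)\n"
    ),
}
# Subset of the IDs posted in the thread; CVE-2019-5482 is a curl issue, so
# an expat-only check is expected to leave it unresolved.
FLAGGED = ["CVE-2019-15903", "CVE-2018-20843", "CVE-2019-5482"]


def main():
    installed, fixed = "2.1.0-11.el7", "2.1.0-12.el7"   # versions from the thread
    state = "behind the RHSA build" if evr_cmp(installed, fixed) < 0 else "at or above it"
    print(f"expat {installed} vs RHSA {fixed}: {state}")
    for cve, pkgs in triage(FLAGGED, SAMPLE_CHANGELOGS).items():
        print(f"{cve}: named in changelog of {pkgs or 'none of the checked packages'}")
    # On a real host replace SAMPLE_CHANGELOGS with live data, e.g.:
    #   {p: changelog_for_installed(p) or "" for p in ("expat", "kernel")}


if __name__ == "__main__":
    main()
```

For the kernel, query the running build rather than the bare package name, for example `rpm -q --changelog kernel-$(uname -r)`, since several kernel packages can be installed side by side. A CVE that appears in no changelog on the host is the one to look up on the Red Hat CVE page, as suggested above, to see whether it is rated Important/Critical for your version or simply not affected.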
