
Centos 7.8 Security updates missing

Posted: 2020/10/14 14:26:58
by Aurélien
Hello !

I've stumbled upon some CVEs which are already resolved on RHEL but not yet on CentOS.
I know there may be a delay, but usually this one is quite short.

Here is what I've found:

Impacting the expat package: the patched version is 2.1.0-12.el7, but on the CentOS updates channel there is only 2.1.0-11.el7.
Related RHSA:

Impacting the kernel package: the patched version is 3.10-0-1060.el7, but on the CentOS updates channel there is only 3.10.0-1127.19.1.el7.
Related RHSA:

Do you know why this is not patched yet?

Thank you very much !

Re: Centos 7.8 Security updates missing

Posted: 2020/10/14 15:14:36
by TrevorH
These are all part of RHEL 7.9 and will be available once CentOS 7.9 is built and released. Until then, you have to wait.

Re: Centos 7.8 Security updates missing

Posted: 2020/10/15 12:16:58
by Aurélien
Okay thank you very much for your answer.
I'll wait patiently then :)

Re: Centos 7.8 Security updates missing

Posted: 2020/10/16 09:53:05
by Ramesh Radhakrishnan
It was noticed that a number of CVE entries are reported by VA scan tools. Some of the following CVE entries are reported.
If you are using CentOS 7.8 and hosting a web server, how critical or risky are these CVE entries? Can we continue ignoring the CVE entries and wait for CentOS 7.9, or use patches from other distributions and apply them to the system?

Re: Centos 7.8 Security updates missing

Posted: 2020/10/16 21:47:32
by TrevorH
You can't use patches from other distros without destroying or severely damaging your system. Do not do so.

There is always a lag between a RHEL point release and the corresponding CentOS one. It's down to the way that Red Hat release things and there is nothing that can be done to address that. Well, unless you personally know the CEO of RH and can convince him to change the way they work!

You will need to take each of those CVE numbers and look them up on the Red Hat CVE page and see what they say about them to know whether they are serious or not. They list them all for reference and tell you the severity and/or whether they even apply to your RHEL/CentOS version at all - use to view each one in turn. And since you're the one that's interested, you can helpfully report back as to which ones you think are dangerous and need patching once you've done that.
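The check behind both the first post (an advisory names a fixed package build, the channel carries an older one) and the last reply (look each CVE up on Red Hat's CVE page and see whether it applies to your release) is an RPM version comparison. The script below is an added example, not code from this thread or from the CentOS project: it ports rpm's rpmvercmp ordering to Python, compares epoch:version-release strings, and applies that to the fixed package named in a CVE record. The record's field names (`name`, `threat_severity`, `affected_release[].package`) are my assumption about the shape of the JSON at https://access.redhat.com/hydra/rest/securitydata/cve/<id>.json; the sample record, its placeholder identifiers and the `rpm -q` output are constructed, and the expat EVRs are the ones quoted in the thread.

```python
# Added example (not from the forum thread): decide whether an installed CentOS 7
# package already carries a Red Hat fix by comparing RPM epoch:version-release
# (EVR) strings with rpm's own ordering, then apply that to the fixed package
# named in a CVE record.  Record field names are an assumption about Red Hat's
# security data API; the record and the rpm query output are constructed.
import json
import re

def _alnum(c: str) -> bool:
    return c.isascii() and c.isalnum()

def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp: -1, 0 or 1 for a version or release string.
    Digit runs compare numerically (leading zeros ignored), letter runs
    lexically, separators are skipped, '~' sorts before everything else."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not _alnum(a[i]) and a[i] not in "~^":
            i += 1
        while j < len(b) and not _alnum(b[j]) and b[j] not in "~^":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":      # tilde: pre-release, lowest of all
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":      # caret: post-release, but end of string still sorts lower
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        if ca.isdigit():
            s1 = re.match(r"[0-9]+", a[i:]).group(0)
            s2 = re.match(r"[0-9]*", b[j:]).group(0)
            isnum = True
        else:
            s1 = re.match(r"[A-Za-z]+", a[i:]).group(0)
            s2 = re.match(r"[A-Za-z]*", b[j:]).group(0)
            isnum = False
        if not s2:                      # segment types differ: a number beats letters
            return 1 if isnum else -1
        i, j = i + len(s1), j + len(s2)
        if isnum:
            s1, s2 = s1.lstrip("0"), s2.lstrip("0")
            if len(s1) != len(s2):
                return 1 if len(s1) > len(s2) else -1
        if s1 != s2:
            return 1 if s1 > s2 else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1

def parse_evr(evr: str):
    """'[epoch:]version[-release]' -> (epoch, version, release); epoch defaults to 0."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return int(epoch), version, release

def evrcmp(x: str, y: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    return rpmvercmp(vx, vy) or rpmvercmp(rx, ry)

def split_nevr(nevr: str):
    """'name-epoch:version-release' -> (name, 'epoch:version-release'); dashes in
    the name are safe because version and release cannot contain one."""
    name, version, release = nevr.rsplit("-", 2)
    return name, f"{version}-{release}"

# Constructed output of:  rpm -q --qf '%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE}\n' expat kernel
RPM_QUERY_OUTPUT = """\
expat 0:2.1.0-11.el7
kernel 0:3.10.0-1127.19.1.el7
"""

def parse_rpm_query(text: str) -> dict:
    return dict(line.split() for line in text.splitlines() if line.strip())

# Constructed CVE record (field names assumed, identifiers are placeholders).
SAMPLE_CVE_RECORD = json.loads("""{
  "name": "CVE-XXXX-XXXX", "threat_severity": "Moderate",
  "affected_release": [{"product_name": "Red Hat Enterprise Linux 7",
    "advisory": "RHSA-XXXX:XXXX", "package": "expat-0:2.1.0-12.el7"}]
}""")

def audit(installed: dict, record: dict, product: str = "Red Hat Enterprise Linux 7") -> dict:
    """For each fixed package the record names for `product`, report whether the
    installed build is at or above the fix ('fixed'), below it ('vulnerable'),
    or absent ('not installed'), together with the severity Red Hat assigned."""
    out = {"cve": record["name"], "severity": record.get("threat_severity"), "packages": {}}
    for rel in record.get("affected_release", []):
        if rel.get("product_name") != product:
            continue
        name, fixed = split_nevr(rel["package"])
        have = installed.get(name)
        status = ("not installed" if have is None
                  else "fixed" if evrcmp(have, fixed) >= 0 else "vulnerable")
        out["packages"][name] = {"installed": have, "fixed": fixed,
                                 "advisory": rel.get("advisory"), "status": status}
    return out

if __name__ == "__main__":
    print(json.dumps(audit(parse_rpm_query(RPM_QUERY_OUTPUT), SAMPLE_CVE_RECORD), indent=2))
```

Run against the constructed input, expat comes back `vulnerable` (0:2.1.0-11.el7 is below the 0:2.1.0-12.el7 fix), while the kernel is not mentioned because the record only lists expat. The one rule worth remembering from rpmvercmp is that a `1.el7` release sorts below `1.el7_9`, so a z-stream rebuild is correctly seen as newer, and that `~` makes a pre-release sort below its final version.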