
cve-2020-25284

Posted: 2020/12/26 08:35:48
by mania
Hi,
I have a server on CentOS 7.6(18010). I searched for cve-2020-25284 to know if it is vulnerable. As you can see in the link below, this CVE is "Out of support scope" for Red Hat Enterprise Linux 7, while EOL on CentOS 7 is 2024.
What does it actually mean? Is CentOS 7.6 vulnerable, and how can I mitigate it?


https://access.redhat.com/security/cve/cve-2020-25284

Re: cve-2020-25284

Posted: 2020/12/26 11:49:46
by MartinR
C7.6 went out of support on 17 September last year when 7.7-1908 was released. C7.7 also went out of support on 27 April this year when 7.8-2003 came out. Guess what, that has also been superseded, on 12 November by 7.9-2009. You have therefore had no support for 15 months, 3 point releases and several updates. Who knows if you are vulnerable? Who (apart from yourself) cares? Update to the latest version ASAP if you have any connection from your machine to the internet.

Re: cve-2020-25284

Posted: 2020/12/26 12:25:29
by mania
I don't have Internet access at all; in other words, it is forbidden in the datacenter where my server is located. Is there any way to download and install it offline? Is there any patch?

Re: cve-2020-25284

Posted: 2020/12/26 13:21:34
by mania
As you can see in that link, the version of CentOS is not mentioned. I think it is not related to the version, and it talks about Red Hat Enterprise Linux 7.

Red Hat Enterprise Linux 7 kernel-rt Out of support scope

Re: cve-2020-25284

Posted: 2020/12/26 15:16:18
by TrevorH
The link you provided has a workaround by blacklisting the module. If it cannot be loaded then the vulnerability is mitigated.
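The blacklisting workaround TrevorH refers to, written out as an added example (not code from the thread or from Red Hat): a small POSIX shell script that drops a modprobe.d file for a module and reports whether the module is currently loaded, since a blacklist only prevents future loads. It assumes the affected module is `rbd` (the Ceph RADOS block device driver; the Red Hat advisory linked above names the module to block), and it reads `MODPROBE_DIR` and `PROC_MODULES` from the environment so it can be exercised against a scratch directory before touching `/etc/modprobe.d`.

```shell
#!/bin/sh
# Added example, not part of the original thread. Blacklist a kernel module via
# modprobe.d and check whether it is currently loaded.
# Assumptions: the module to block is "rbd" (taken from the Red Hat advisory for
# this CVE, not from the thread); MODPROBE_DIR and PROC_MODULES default to the
# real system paths and may be overridden for a dry run.

MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"
PROC_MODULES="${PROC_MODULES:-/proc/modules}"

# Write one modprobe.d file for the module. "blacklist" stops alias-based
# autoloading (e.g. from udev); "install <mod> /bin/false" also stops an
# explicit "modprobe <mod>" and loading as a dependency of another module.
# Prints the path of the file it wrote.
blacklist_module() {
    mod="$1"
    conf="$MODPROBE_DIR/blacklist-$mod.conf"
    mkdir -p "$MODPROBE_DIR"
    printf 'blacklist %s\ninstall %s /bin/false\n' "$mod" "$mod" > "$conf"
    printf '%s\n' "$conf"
}

# Exit status 0 if the module appears in the first column of /proc/modules.
module_loaded() {
    mod="$1"
    [ -r "$PROC_MODULES" ] || return 1
    awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' "$PROC_MODULES"
}

# Exit status 0 if some modprobe.d file already maps the module's install
# command to /bin/false (i.e. the workaround is in place).
module_blacklisted() {
    mod="$1"
    grep -qsE "^install[[:space:]]+$mod[[:space:]]+/bin/false" "$MODPROBE_DIR"/*.conf
}

# Usage as root:  sh blacklist-module.sh rbd
if [ -n "$1" ]; then
    mod="$1"
    conf=$(blacklist_module "$mod")
    echo "wrote $conf"
    if module_loaded "$mod"; then
        echo "$mod is currently loaded; unload it (rmmod $mod) or reboot for the blacklist to take effect"
    else
        echo "$mod is not loaded; the blacklist prevents future loading"
    fi
fi
```

After writing the file, `modprobe -n -v rbd` (dry run) should show the `install /bin/false` line instead of an `insmod`, which is the quickest way to confirm the configuration is picked up. Note that a blacklist does not touch a module that is already in memory, and that on a system with no network access the same file has to be carried over by hand along with any offline package updates.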

Re: cve-2020-25284

Posted: 2020/12/27 06:52:01
by mania
This CVE is not so important to me. I am moving from CentOS 7.6 to 7.9; I decided to do a fresh installation of CentOS 7.9. Therefore I want to know whether Red Hat supports CentOS 7.9 and whether I can resolve future vulnerabilities.

Re: cve-2020-25284

Posted: 2020/12/27 09:39:12
by jlehtone
Red Hat does provide support for RHEL 7 (paid subscriptions) and will provide (security) fixes to RHEL 7 until 2024.
Red Hat allows (funds) the CentOS project to rebuild RHEL 7 public sources into CentOS Linux 7 packages (until 2024).