confusion about CESA in CentOS

Support for security such as Firewalls and securing linux
fuzzy4096
Posts: 12
Joined: 2020/12/14 16:29:11

confusion about CESA in CentOS

Post by fuzzy4096 » 2021/03/02 12:06:01

Hi, Qualys is reporting that I'm missing CentOS Security Updates, for example:

CESA-2017:1100 for CentOS 7.3.1611

CESA-2020:4060 and many others for CentOS 7.8.2003

CESA-2021:0153 and many others for CentOS 7.9.2009


I have basically two questions.

a) How to install these CESAs? I also was thinking that installing updates via RHSA, checking based on CVEs, is only available for RHEL systems with the yum-plugin-security plugin installed. What am I missing here? Or is it still just running yum update, or should / could I selectively install / upgrade packages mentioned in the CESAs?

b) Since I know that CentOS provides updates for the latest minor version in a given branch, the CentOS 7.3.1611 and CentOS 8.9.2003 are pointing to the repo containing patches for 7.9.2009. Should I now configure the vault repos on the 7.3 and 8.9 boxes to point to their matching versions ?


Thank you !
Last edited by fuzzy4096 on 2021/03/02 13:17:18, edited 1 time in total.

tunk
Posts: 1204
Joined: 2017/02/22 15:08:17

Re: confusion about CESA in CentOS

Post by tunk » 2021/03/02 12:46:12

Only the latest version is supported, i.e. getting updates.
E.g. 7.3-1611 hasn't got any updates since 7.4-1708 was
released 3.5 years ago.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: confusion about CESA in CentOS

Post by TrevorH » 2021/03/02 13:10:13

> b) Since I know that CentOS provides updates for the latest minor version in a given branch, the CentOS 7.3.1611 and CentOS 8.9.2003 are pointing to the repo containing patches for 7.9.2009. Should I now configure the vault repos on the 7.3 and 8.9 boxes to point to their matching versions ?

The words "does not" are missing from "Since I know that CentOS provides updates".

Only the current version is supported and any previous ones will be updated to the current point release when you run yum update.

Do not run 7.3 as it's 4 years out of date.

You should not be seeing or updating a CentOS 7 machine with updates for 8. If your scan is reporting an 8 fix missing on a 7 box then the scan is wrong.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

fuzzy4096
Posts: 12
Joined: 2020/12/14 16:29:11

Re: confusion about CESA in CentOS

Post by fuzzy4096 » 2021/03/02 13:21:53

> The words "does not" are missing from "Since I know that CentOS provides updates".

I'm confused now. So if in CentOS 7 (the major version) the last minor version (that is 7.9.2009 for CentOS 7) is the one and only getting updates. So isn't the above equal to

> Only the current version is supported and any previous ones will be updated to the current point release when you run yum update.

? I mean 7.9.2009 is the current version, correct ?

> You should not be seeing or updating a CentOS 7 machine with updates for 8. If your scan is reporting an 8 fix missing on a 7 box then the scan is wrong.

That's my fault, I've made a typo.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: confusion about CESA in CentOS

Post by TrevorH » 2021/03/02 13:40:29

The way I read your original post may have been wrong so let's clarify.

Only the current version of CentOS 7 or CentOS 8 is supported and gets updates. That's now 7.9 and 8.3. CentOS 8 is supported until the end of this year, 2021, CentOS 7 is supported until 2024. A yum update on either will update you to the latest version available within that version (i.e. 7 is not upgraded to 8).

fuzzy4096
Posts: 12
Joined: 2020/12/14 16:29:11

Re: confusion about CESA in CentOS

Post by fuzzy4096 » 2021/03/02 16:14:14

Okay, so 7.4-1708 was released 3.5 years ago, so August 2017, yes so it's 3,5 years ago.

What about 7.8.2003 ? How to read 2003 ?

I've found this:
> Since minor versions of CentOS are point in time releases of a major branch, starting with CentOS-7, we are now using a date code in our minor versions. So you will see CentOS-7 (1406) or CentOS-7 (1503) as a version. This way anyone can know, from the release, when it happened. In the above examples, the minor versions 1406 means June 2014 and 1503 means March 2015. In older major branches of CentOS, such as CentOS-6, we numbered things differently

Thanks !

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: confusion about CESA in CentOS

Post by TrevorH » 2021/03/02 16:57:16

2003 is yymm, 2020-03
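Added example, not part of any post in this thread: a small Python triage of scanner findings in the form quoted in the first post, decoding the yymm date code and applying the support rule described above. The `CURRENT_MINOR` table (7.9 and 8.3, as of the thread's date), the function names and the fourth sample line are assumptions made for illustration.

```python
import re
from datetime import date

# Current point release per major version, as stated in the thread (March 2021).
CURRENT_MINOR = {7: 9, 8: 3}

FINDING_RE = re.compile(
    r"(?P<cesa>CESA-\d{4}:\d{4})\s+for\s+CentOS\s+"
    r"(?P<major>\d+)\.(?P<minor>\d+)\.(?P<yymm>\d{4})"
)

def decode_datecode(yymm):
    """Turn a yymm date code such as '2003' into the first day of that month."""
    year, month = 2000 + int(yymm[:2]), int(yymm[2:])
    if not 1 <= month <= 12:
        raise ValueError(f"not a yymm date code: {yymm}")
    return date(year, month, 1)

def triage(line, today):
    """Classify one scanner finding by the release it was reported against."""
    m = FINDING_RE.search(line)
    if m is None:
        return None
    major, minor = int(m["major"]), int(m["minor"])
    released = decode_datecode(m["yymm"])
    age_months = (today.year - released.year) * 12 + today.month - released.month
    current = CURRENT_MINOR.get(major)
    if current is None or minor > current:
        action = "newer than any known release: check the scanner input"
    elif minor < current:
        action = f"unsupported point release: yum update moves it to {major}.{current}"
    else:
        action = "current point release: yum update installs the fix"
    return {"cesa": m["cesa"], "release": f"{major}.{minor}",
            "released": released.strftime("%Y-%m"),
            "age_months": age_months, "action": action}

# Constructed sample: the three findings quoted in the first post, plus a
# made-up line using the mistyped "8.9.2003" release string from that post.
SAMPLE = [
    "CESA-2017:1100 for CentOS 7.3.1611",
    "CESA-2020:4060 for CentOS 7.8.2003",
    "CESA-2021:0153 for CentOS 7.9.2009",
    "CESA-2020:4060 for CentOS 8.9.2003",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry, date(2021, 3, 2)))
```
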
