Generic question about Fedora CVEs and their impact on RHEL & CentOS

Issues related to applications and software problems and general support
Joe_475
Posts: 6
Joined: 2021/11/17 18:24:13

Generic question about Fedora CVEs and their impact on RHEL & CentOS

Post by Joe_475 » 2021/11/17 19:40:13

Hello to the CentOS community!

Looking at the different linux distros, I am getting interested in the RHEL / CentOS branch (if that's a correct word to use), and am trying to figure out something about CVEs impacting these distributions.

I understand that Fedora is upstream from RHEL and therefore from CentOS, but I just wonder what's the impact of Fedora CVEs on RHEL & CentOS? Are Fedora CVEs impacting RHEL / CentOS as well?

The idea is to have an overview of the actual exposure of CentOS in terms of vulnerabilities, as opposed to other distros such as Debian & Ubuntu. The CVE home website (https://cve.mitre.org/) doesn't recommend using an OS as a keyword for search, as they say the results would not be complete and would certainly miss some results, but that may give a rough idea. There is also the fact that a distro such as Ubuntu will have thousands of CVEs; it must be also linked somehow to the size of its user base, but at the end of the day, there seems to be a significant difference with CentOS.

So, how does CentOS compare with Debian, Fedora etc in terms of vulnerabilities?

Many thanks!

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Generic question about Fedora CVEs and their impact on RHEL & CentOS

Post by TrevorH » 2021/11/17 20:08:25

To the best of my knowledge there are no specific Fedora CVEs. There are CVEs against packages that are included in Fedora but that doesn't make them specific to Fedora, they are for anyone running an affected version of whatever package it is. So a CVE that affects Fedora can also affect RHEL/CentOS if we package and ship an affected version of a package.

Red Hat have CVE pages you can look at. These are of the form https://access.redhat.com/security/cve/CVE-yyyy-nnnn and you just plug your CVE number in that.

Fedora isn't really upstream from RHEL, it's more like a 2nd cousin.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Generic question about Fedora CVEs and their impact on RHEL & CentOS

Post by jlehtone » 2021/11/17 21:52:52

Joe_475 wrote:
2021/11/17 19:40:13
So, how does CentOS compare ...
First, I don't know those other ones.

Second, there are currently two "CentOS".
* CentOS Stream, which is upstream of RHEL. A preview of what next RHEL releases might/will contain. Stream can get content from many sources, but mostly continues its own forks with backporting.
* CentOS Linux, which is downstream of RHEL. A rebuild of public RHEL sources. Now deprecated. AlmaLinux and Rocky Linux are new projects that have the same goal as CentOS Linux.

sml
Posts: 305
Joined: 2020/01/17 09:01:44

Re: Generic question about Fedora CVEs and their impact on RHEL & CentOS

Post by sml » 2021/11/18 14:41:07

If you just want to browse the latest security fixes for Fedora, RHEL, CentOS, etc., an easy way to do it is
https://lwn.net/Alerts/Fedora
https://lwn.net/Alerts/CentOS
https://lwn.net/Alerts/Red_Hat
https://lwn.net/Alerts/Oracle
and so on.

I don't think you can reasonably compare Fedora to CentOS. OTOH, you can compare say CentOS to OEL.

Repology.org has some statistics, but they should be taken with a grain, no, with a pound of salt as they are being collected automatically.

Besides the link provided by Trevor, bugs in Red Hat Bugzilla have the CVE id set as an alias, so it can be used for direct access: https://bugzilla.redhat.com/show_bug.cg ... 2021-40330

Then there's the rhsa-announce mailing list.
Last edited by sml on 2021/11/19 21:29:21, edited 1 time in total.

Joe_475
Posts: 6
Joined: 2021/11/17 18:24:13

Re: Generic question about Fedora CVEs and their impact on RHEL & CentOS

Post by Joe_475 » 2021/11/18 15:56:37

Many thanks TrevorH, jlehtone and sml for your quick replies, and the provided info!

From Trevor's message and the link to RHEL CVEs, data shows over 9000 CVEs, 2400+ of which are critical. That's a significant number, even if I assume all of them are not actively exploited.

My search is about getting a linux distro at home that I could use & harden to practice security skills that would be useful in a professional context (i.e. to underpin data protection/privacy program management or infosec GRC).

I have tried for a year and a half now some other distros (not naming them again here... ^^) and started to look at CentOS/RHEL recently. The fact that there is now CentOS Stream (upstream from RHEL) somehow changes what I was expecting from CentOS, so Rocky or Alma, and even OEL as mentioned by sml, would be the options for me. I may end up picking one of those to use as a sandbox for me to get familiar with the RHEL family of products.

Just wondering if you'd have some thoughts, advice or resources about starting that?

I found this page on Red Hat, which seems quite useful and might help with Rocky/Alma/OEL I hope
https://access.redhat.com/documentation ... -hardening

Cheers

Joe_475
Posts: 6
Joined: 2021/11/17 18:24:13

Re: Generic question about Fedora CVEs and their impact on RHEL & CentOS

Post by Joe_475 » 2021/11/19 08:21:26

Just a quick message after my update from yesterday to say I'll go with AlmaLinux.

Quite interesting to find out that AlmaLinux 8 has its CIS Benchmark published, which is a very good signal I believe for this distro.

Many thanks to all for your help and have a great day!

sml
Posts: 305
Joined: 2020/01/17 09:01:44

Re: Generic question about Fedora CVEs and their impact on RHEL & CentOS

Post by sml » 2021/11/19 08:29:08

Joe_475 wrote:
2021/11/18 15:56:37
From Trevor's message and the link to RHEL CVEs, data shows over 9000 CVEs, 2400+ of which are critical. That's a significant number, even if I assume all of them are not actively exploited.
No, you cannot count them like this. It shows CVEs affecting all versions of all variants of all Red Hat products. To get a better impression, select Security Advisories, then Red Hat Enterprise Linux as product and Red Hat Enterprise Linux for x86_64 as variant.

This currently gives me 22 critical security advisories. 20 of them apply to RHEL 8.4 EUS.

Joe_475
Posts: 6
Joined: 2021/11/17 18:24:13

Re: Generic question about Fedora CVEs and their impact on RHEL & CentOS

Post by Joe_475 » 2021/12/02 20:33:07

Many thanks to sml for the additional and very useful input! And sorry for the late reaction on my side, I thought my thread would not get further responses, it's a bit unusual for me to see to many people helping :D

Actually, I feel like trying RHEL first - I think the first 30 days are free, in order to know the genuine RHEL experience, and then move to AlmaLinux as I would for the moment use it at home.

Many thanks again (and I'll add notifications to my account too :-))

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Generic question about Fedora CVEs and their impact on RHEL & CentOS

Post by TrevorH » 2021/12/02 20:57:03

With a developer subscription, you get a free license for up to 16 instances of RHEL. The sub lasts for a year and then can be renewed for another year (repeat).

Joe_475
Posts: 6
Joined: 2021/11/17 18:24:13

Re: Generic question about Fedora CVEs and their impact on RHEL & CentOS

Post by Joe_475 » 2021/12/03 10:40:58

Many thanks Trevor for this tip about the developer subscription - actually I visited Red Hat's website yesterday but didn't think I could qualify for it (not being a developer per se). However, thanks to your message, I checked the conditions and it looks indeed like I can go with this option: that's great!

Have a great day everyone!

PS: in my previous message, I wrote "it's a bit unusual for me to see to many people helping" but I actually mean "so many people helping" :D
