Where can I find updated repo of package 1.8.23-4.el7.x86_64

CaptTechno
Posts: 4
Joined: 2020/05/04 20:35:08

Where can I find updated repo of package 1.8.23-4.el7.x86_64

Post by CaptTechno » 2020/05/04 20:59:43

While installing the package update recommended by a Qualys scan, I am being diverted to the Red Hat site.
Package Installed Version Required Version | sudo 1.8.23-4.el7.x86_64 1.8.23-4.el7_7.1.

How can I update this package "sudo 1.8.23-4.el7.x86_64" so that I can remove security vulnerabilities?

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Where can I find updated repo of package 1.8.23-4.el7.x86_64

Post by TrevorH » 2020/05/04 21:06:54

You update on CentOS by running yum update. That will offer you all pending updates, any of which could be for security purposes. The current version of sudo is sudo-1.8.23-9.el7.x86_64
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

CaptTechno
Posts: 4
Joined: 2020/05/04 20:35:08

Re: Where can I find updated repo of package 1.8.23-4.el7.x86_64

Post by CaptTechno » 2020/05/05 14:13:13

Thanks for the reply, @TrevorH.

While resolving the vulnerability, I am being directed to a CentOS link that is broken (not exactly broken, but it takes me to a RHEL page).

###SOLUTION:
To resolve this issue, upgrade to the latest packages which contain a patch. Refer to CentOS advisory centos 7 for updates and patch information.(https://lists.centos.org/pipermail/cent ... 23499.html)

Patch:
Following are links for downloading patches to fix the vulnerabilities:

CESA-2019:3197: centos 7(https://lists.centos.org/pipermail/cent ... 23499.html)

Also, the tool is advising an upgrade to the wrong package.

Package Installed_Version Required_Version
sudo 1.8.23-3.el7.x86_64 1.8.23-4.el7_7.1

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Where can I find updated repo of package 1.8.23-4.el7.x86_64

Post by TrevorH » 2020/05/05 14:32:05

And that version has been superseded by a more recent one. If you just run yum update it will offer it to you. And if you're going through security scans then you should make sure you are entirely up to date before you start as it's just going to find things that are already fixed but not on your system. So yum update _then_ scan.

jlehtone
Posts: 4531
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Where can I find updated repo of package 1.8.23-4.el7.x86_64

Post by jlehtone » 2020/05/05 14:33:30

What "tool"? What "link"?

CaptTechno
Posts: 4
Joined: 2020/05/04 20:35:08

Re: Where can I find updated repo of package 1.8.23-4.el7.x86_64

Post by CaptTechno » 2020/05/05 14:42:51

Using the Qualys tool for vulnerability scans.

The problem persists, as whatever recommendation I get is not "Actionable".
Landing on the same advisory page (https://lists.centos.org/pipermail/cent ... 35643.html)

Package Installed_Version Required_Version
sudo 1.8.23-4.el7__7.1.x86__64 1.8.23-4.el7__7.2

1.8.23-4.el7__7.2: this is not a CentOS package.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Where can I find updated repo of package 1.8.23-4.el7.x86_64

Post by TrevorH » 2020/05/05 14:59:54

Again, the latest and only supported version of sudo on CentOS 7 is sudo-1.8.23-9.el7.x86_64. It contains all security updates that have previously been released in lower numbered versions.

Code:

[root@centos7 ~]# yum list sudo --enablerepo=C7.\*-{base,updates} --noplugins --showdupli
Installed Packages
sudo.x86_64                         1.8.23-9.el7                               @qa              
Available Packages
sudo.x86_64                         1.8.6p7-11.el7                             C7.0.1406-base   
sudo.x86_64                         1.8.6p7-13.el7                             C7.1.1503-base   
sudo.x86_64                         1.8.6p7-16.el7                             C7.2.1511-base   
sudo.x86_64                         1.8.6p7-17.el7_2                           C7.2.1511-updates
sudo.x86_64                         1.8.6p7-20.el7                             C7.3.1611-base   
sudo.x86_64                         1.8.6p7-21.el7_3                           C7.3.1611-updates
sudo.x86_64                         1.8.6p7-22.el7_3                           C7.3.1611-updates
sudo.x86_64                         1.8.6p7-23.el7_3                           C7.3.1611-updates
sudo.x86_64                         1.8.19p2-10.el7                            C7.4.1708-base   
sudo.x86_64                         1.8.19p2-11.el7_4                          C7.4.1708-updates
sudo.x86_64                         1.8.19p2-13.el7                            C7.5.1804-base   
sudo.x86_64                         1.8.19p2-14.el7_5                          C7.5.1804-updates
sudo.x86_64                         1.8.23-3.el7                               C7.6.1810-base   
sudo.x86_64                         1.8.23-4.el7                               C7.7.1908-base   
sudo.x86_64                         1.8.23-4.el7_7.1                           C7.7.1908-updates
sudo.x86_64                         1.8.23-4.el7_7.2                           C7.7.1908-updates
sudo.x86_64                         1.8.23-9.el7                               base 

CaptTechno
Posts: 4
Joined: 2020/05/04 20:35:08

Re: Where can I find updated repo of package 1.8.23-4.el7.x86_64

Post by CaptTechno » 2020/05/05 15:59:39

Thanks for your support and quick reply.
Will use your recommendations.

jlehtone
Posts: 4531
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Where can I find updated repo of package 1.8.23-4.el7.x86_64

Post by jlehtone » 2020/05/05 16:59:57

Your tool finds an email that announced the availability of an updated CentOS 7 sudo package.
The package and announcement were made after Red Hat had published that update for RHEL 7.7.
The email refers to Red Hat's announcement, as is proper.

Since then, Red Hat has published RHEL 7.8. Red Hat has announcements of packages that went into 7.8.
For example: https://access.redhat.com/errata/RHBA-2020:1048

CentOS has released CentOS 7 (2003) that is derived from RHEL 7.8. No announcement emails of individual packages have been generated. Your tool can't track that.

Your update is and has been actionable the whole time.


There can be a slight delay between the RHEL release and the CentOS release of an update. You are free to purchase RHEL, if that is not acceptable.

If a vulnerability is described and Red Hat has not released an update, then the rationale is in upstream (Red Hat's) documentation. (Won't fix, workaround, ...)
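
Added example (not part of any post in this thread): a scanner finding of the form "installed X, required Y" is closed by any build that compares equal to or newer than Y, which is why 1.8.23-9.el7 satisfies the advisories quoted above. The sketch below is a simplified re-implementation of RPM's segment-wise version comparison, written for illustration; it ignores the `~` and `^` modifiers, and the function names and the arch list are assumptions.

```python
import re
from functools import cmp_to_key

ARCHES = ("x86_64", "i686", "noarch")  # assumed arch suffixes, stripped before comparing

def rpmvercmp(a, b):
    """Segment-wise comparison in the style of rpm's rpmvercmp (no ~ or ^ handling)."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        xnum, ynum = x[0].isdigit(), y[0].isdigit()
        if xnum != ynum:            # a numeric segment is newer than an alphabetic one
            return 1 if xnum else -1
        if xnum:
            x, y = int(x), int(y)   # numeric segments compare as integers
        if x != y:
            return 1 if x > y else -1
    # All shared segments are equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_evr(s):
    """Split '[epoch:]version-release[.arch]' into (epoch, version, release)."""
    for arch in ARCHES:
        if s.endswith("." + arch):
            s = s[: -len(arch) - 1]
    epoch, _, rest = s.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evr_cmp(a, b):
    """Compare epoch first, then version, then release; returns -1, 0 or 1."""
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def finding_open(installed, required):
    """True when the installed build is older than the scanner's fixed build."""
    return evr_cmp(installed, required) < 0

def newest(builds):
    return max(builds, key=cmp_to_key(evr_cmp))

# Version strings quoted in the thread: (installed, required) from the scan reports.
FINDINGS = [("1.8.23-4.el7.x86_64", "1.8.23-4.el7_7.1"),
            ("1.8.23-3.el7.x86_64", "1.8.23-4.el7_7.1")]
CURRENT = "1.8.23-9.el7.x86_64"  # build offered by yum update at the time of the thread

if __name__ == "__main__":
    for installed, required in FINDINGS:
        print(installed, "vs", required, "open:", finding_open(installed, required))
        print("  after yum update:", CURRENT, "open:", finding_open(CURRENT, required))
```

On a live system, compare the output of `rpm -q sudo` against the scanner's required version the same way before treating a finding as unfixable.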
