Patch Lists

[Back4Breakfast]

Hi All

Newbie question but for PCI DSS, I need to find a vendor list of patches available for CentOS7. I've hunted the main site for hours and can find several FAQs on how to check what patches are available, but I need a list provided by the CentOS developers that shows all patches so I can correlate them with the servers I'm reviewing.

Any ideas where I can find the elusive patch list?

Many Thanks

[TrevorH]

I really doubt if such a thing exists.

[Back4Breakfast]

Ahhh that's a bummer. Wonder how many people are able to use CentOS then for PCI Requirement 6.2. Is it just version 7 that doesn't have a list 8 does? Or is just something that isn't done across the board?

[TrevorH]

CentOS doesn't track or produce CVE lists which means that for example, yum update --security does not work.

For CentOS, the only way to operate is to assume that all updates are for security purposes and put them all on ASAP.

[Back4Breakfast]

Ah ok - makes sense. I think I may have to sample something different then. I believe CentOS is classed as an OS that is not prone to malware etc. Its a shame as last year CentOS5 did have a link - https://www.centos.org/docs/5/html/Depl ... dates.html - but that's dead and that's version 5 so guessing it wasn't a list of updates but more how to find what is missing?

Thanks for your help though - very much appreciated!

[TrevorH]

That link for el5 is most likely copied from the upstream RHEL 5 docs and was never valid. No version of CentOS has ever shipped the security metadata necessary for the yum-security package to function. That's only available on RHEL.

[Back4Breakfast]

Cool thanks for that - most helpful. I'll revise the Sample accordingly.