Bash Package For CentOS5

Home » CentOS » Bash Package For CentOS5
CentOS 2 Comments

Hi!

I have noticed, that our mirror has this package bash-3.2-33.el5_11.4.x86_64.rpm, but a lot of other mirror still have bash-3.2-33.el5_10.4.x86_64.rpm. Since bash-3.2-33.el5_11.4.x86_64.rpm was issued on 26-Sep-2014 04:28, could this be the product of slower mirror update cycles?

Regards, Mitja



Mitja Mihelič
ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia tel: +386 1 479 8877, fax: +386 1 479 88 78

2 thoughts on - Bash Package For CentOS5

  • Yes … it will take a few days for every external mirror to update … this happens when we have to push 30GB to more than 500 mirrors (at a point release time).

    One of those bash RPMs is in the 5.10 updates directory, the other is in the 5.11 updates directory. Both contain the same source code that is the latest released by Red Hat for EL5 bash right now.

    There may be another update released for this soon:

    https://access.redhat.com/security/cve/CVE-2014-7187

    But at the time of this email, there is no update for that CVE.

    If/when any new update is released, it will be built for 5.11 only.

    This may also be a good time to reiterate the CentOS update policy.

    Whenever we release a new Minor Version (in this case, 5.11), there will no longer be any updates released in the older minor version (in this case 5.10). Therefore, you must upgrade to the latest release in a major version (in this case CentOS-5, version 5.11) in order to get any updates moving forward.

    This has always been the case for all CentOS releases from the beginning
    .. to get any updates you have to be on the latest version and you should be pointing to only the major version (ie, /5/ ).

    5.11 is only 5.10+updates … if you stay at 5.10, you will get no more updates, ever.

    Also .. if people use the default setup, they only have to run ‘yum update’ to get updates .. it is automatic.

    If you (or your hosting provider) have modified the default yum configurations … then you (or your hosting provider) is responsible to figure how to get the updates you want moving forward.

    Thanks, Johnny Hughes

  • Reading that web page, it says:

    “Red Hat Product Security does not consider this bug to have any security impact on the bash packages shipped in Red Hat Enterprise Linux. A fix for this issue was applied as a hardening in RHSA-2014:1306, RHSA-2014:1311, and RHSA-2014:1312.”

    So… is it fixed or not? Testing with the code on https://shellshocker.net/ for CVE-2014-7187 doesn’t indicate that the latest bash update is vulnerable.

    I’m curious because you’re not the first person I’ve heard say that there are still bash updates in the works from RH/CentOS, when all my research into the published bash CVEs, RHSAs and Bugzilla reports [1]
    leads me to think there aren’t any new RHSAs forthcoming.

    Am I missing something?

    1. https://bugzilla.redhat.com/show_bug.cgi?id46804