CentOS Security Update


Hi,

I was using CentOS 7 and when I ran some custom commercial security scan on my machine, I found about 122 vulnerabilities.

Can you help me on how to get security upgrades on top of my existing CentOS?

# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)

Thanks for the help.

14 thoughts on - CentOS Security Update

  • 2015-04-24 12:21 GMT+03:00 Venkateswara Rao Dokku :

    … and most of them are misconfiguration(s) of your os and some possibly false positives.

    Use yum to apply the latest security patches, then fix the misconfiguration of OS services, reboot the machine and rescan.

  • The short answer: ‘yum update’

    The long answer: nearly all commercial scanners test via version number, not actual vulnerabilities. You can take the list of ‘vulnerable’ packages and the related CVEs and ‘rpm -q --changelog | grep -i cve’ to see that it’s been addressed.

    Alternatively, upstream maintains a cve database at https://access.redhat.com/security/cve/ where you can search the CVE and match related (or newer) versions.

    I have a very long profanity-laden rant about commercial scanning software and practices that I’ll spare folks from. TL;DR it’s all terrible, and the vendors have little to no incentive for fixing it.

    Note: we (CentOS) do not validate CVE closure separately. We rebuild source provided by RH, assuming that they have done the due diligence.

  • 2015-04-24 15:31 GMT+03:00 Jim Perrin :

    Usually security scanners like Nessus, OpenVAS .. detect OS misconfigurations like weak ciphers and some basic OS misconfigurations.

    The “easy” way to get a PASS result is usually just to turn off version numbers from services and disable weak ciphers like SSLv3, SSLv2 and so on…

  • You will need to address each individual issue as one event and track it.

    Most security software for Ubuntu does not understand the concept of Red Hat backporting:

    https://access.redhat.com/security/updates/backporting/

    Therefore, to check CentOS or RHEL properly for security issues, the software needs to be designed to understand what version of a package Red Hat fixed an issue in via their backport .. not how it was fixed in the main upstream project code.

    As an example, here is CVE-2014-0226:

    https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0226

    Red Hat fixes that in these updates:

    EL5 and EL6:
    https://rhn.redhat.com/errata/RHSA-2014-0920.html

    EL7:
    https://rhn.redhat.com/errata/RHSA-2014-0921.html

    That means, because of backporting, this issue is fixed in:

    EL5:
    httpd-2.2.3-87.el5_10.src.rpm

    EL6:
    httpd-2.2.15-31.el6_5.src.rpm

    EL7:
    httpd-2.4.6-18.el7_0.src.rpm

    If you look at the Apache web page for vulnerabilities for httpd 2.2 (http://httpd.apache.org/security/vulnerabilities_22.html) and if you search for CVE-2014-0226 you will find it is fixed in version 2.2.28 upstream .. but Red Hat fixed it in versions 2.2.3-87 and in version 2.2.15.

    If your software thinks that in order to be protected for CVE-2014-0226 you need version 2.2.28 or higher of Apache, then your software kicks out a fail in EL5 if you have version httpd-2.2.3-87 .. but it is NOT a fail. So, bottom line, your software has to know how Red Hat did backports for EL via backporting or it will give false positives.

    The same is true for EL7 too .. Apache fixes CVE-2014-0226 in 2.4.10 .. Red Hat fixes it in httpd-2.4.6-18.el7_0 .. software needs to know 2.4.10 is not needed because of a backport.
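The two checks the thread recommends, searching the package changelog for the CVE id and comparing the installed version-release against the one the Red Hat errata names, can be scripted. The following is an added example written for this page, not code from the thread or from CentOS; it reimplements RPM's segment-by-segment label comparison in Python (tilde pre-release handling is left out as an assumption, since none of the packages above use it), and the changelog text it parses is constructed to look like `rpm -q --changelog httpd` output rather than copied from a real system. It also shows, side by side, what a version-only scanner concludes for the same package.

```python
"""Decide whether an installed RPM already carries a backported CVE fix.

Added example for this thread, not CentOS or Red Hat tooling. Two checks:
  1. compare installed name-version-release (NVR) against the NVR the vendor
     errata names as fixed, using RPM-style label comparison (rpmvercmp), and
  2. search `rpm -q --changelog <pkg>` output for the CVE id, which is the
     programmatic form of `rpm -q --changelog <pkg> | grep -i cve`.
A "naive" version-only comparison is included to show the false positive.
"""
import re

# RPM splits labels into runs of digits or letters; everything else separates.
_SEG = re.compile(r"(\d+|[a-zA-Z]+)")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two version or release strings as rpm does.
    Digit segments compare numerically, alpha segments lexically, a digit
    segment outranks an alpha one, and when one label runs out of segments the
    longer label is newer. Tilde (~) handling is omitted (assumption)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def split_nvr(nvr: str):
    """'httpd-2.2.3-87.el5_10' -> ('httpd', '2.2.3', '87.el5_10')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def fixed_by_errata(installed_nvr: str, errata_fixed_nvr: str) -> bool:
    """True when the installed package is at or above the errata's fixed NVR.
    This is the check a backport-aware scanner must do."""
    n1, v1, r1 = split_nvr(installed_nvr)
    n2, v2, r2 = split_nvr(errata_fixed_nvr)
    if n1 != n2:
        raise ValueError(f"different packages: {n1} vs {n2}")
    c = rpmvercmp(v1, v2)
    if c == 0:
        c = rpmvercmp(r1, r2)
    return c >= 0


def naive_scanner_flags(installed_nvr: str, upstream_fixed_version: str) -> bool:
    """What a version-only scanner does: compare the bare version number with
    the upstream release that first fixed the CVE, ignoring the release tag.
    True means the scanner would report the host as vulnerable."""
    return rpmvercmp(split_nvr(installed_nvr)[1], upstream_fixed_version) < 0


# Constructed sample of `rpm -q --changelog httpd` output; not real data.
SAMPLE_CHANGELOG = """\
* Tue Jul 15 2014 Example Maintainer <maint@example.invalid> - 2.2.3-87
- mod_cgid: fix denial of service (CVE-2014-0231)
- mod_status: fix race condition in scoreboard handling (CVE-2014-0226)

* Mon Mar 03 2014 Example Maintainer <maint@example.invalid> - 2.2.3-86
- mod_dav: fix crash on malformed request (CVE-2013-6438)
"""

_CVE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)


def changelog_mentions(changelog: str, cve: str) -> bool:
    """True when the CVE id appears in the changelog text, case-insensitively,
    matching whole ids so CVE-2014-0226 does not match CVE-2014-02261."""
    want = cve.upper()
    return any(m.group(0).upper() == want for m in _CVE.finditer(changelog))


if __name__ == "__main__":
    # The EL5 case from the thread: scanner says fail, errata says fixed.
    installed = "httpd-2.2.3-87.el5_10"
    print("naive scanner flags it:", naive_scanner_flags(installed, "2.2.28"))
    print("errata says fixed:", fixed_by_errata(installed, "httpd-2.2.3-87.el5_10"))
    print("changelog mentions CVE:", changelog_mentions(SAMPLE_CHANGELOG, "CVE-2014-0226"))
```

On a real host the changelog text would come from `subprocess.run(["rpm", "-q", "--changelog", "httpd"], capture_output=True, text=True).stdout` and the installed NVR from `rpm -q httpd`; the fixed NVR is the one listed in the RHSA page for your EL release. Both checks should agree; when the changelog names the CVE but the errata comparison says otherwise, the errata NVR you typed is the thing to re-check.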

  • On 2015-04-24 at 11:21, Venkateswara Rao Dokku wrote:

    That’s why those scans are wasted money. From a security management point of view they neither help you nor your manager.

    Regards

    Alexander

  • John R Pierce wrote:

    I would be more interested if the OP had mentioned *what* “custom commercial security scan” tool they’d used.

  • Thanks for the replies. The tool that we used for testing the security vulnerability is “Nessus”.

    I have glibc version 2.17-78.el7, I saw that CVE-2015-0235 (Ghost) is fixed in this version and I want to apply the patch for the vulnerabilities CVE-2015-1472 & CVE-2015-1473. Can you please help me in finding the right version that has fixes for these?

    Thanks

  • You have the latest glibc package available.

    Checking upstream, Red Hat has their CVE information here:

    https://access.redhat.com/security/cve/CVE-2015-1472
    https://access.redhat.com/security/cve/CVE-2015-1473

    If you look at the CVE page for the Ghost vulnerability
    (https://access.redhat.com/security/cve/CVE-2015-0235) it links to any security advisories which would include an update. Both 1472 and 1473
    are marked as ‘Low’ impact so I suspect there won’t be any updated package to address it until later.

    I would STRONGLY suggest against attempting to build your own glibc.

  • This reminds me about old times when Red Hat was backporting security patches to older versions of software (whenever applicable), thus keeping the system secure, yet keeping everything relying on software internals (which may change with version) still working. This kind of makes “security analyzers” relying on software versions more misleading than helpful. Especially if the sysadmin does his job (sometimes we had to keep an older version in place, working around some vulnerability to have our system not vulnerable – e.g. turned off ciphers in case of “poodle”). I am not saying anything about Nessus, which I never used.

    Having a good system, fully updated (unnecessary services turned off, etc., all done according to a securing-system checklist) would be the best thing to have. Those security tools… I wish that no good sysadmin has a less knowledgeable supervisor armed with one or a few of these vulnerability checkers ;-)

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • Hi,

    I have PHP 5.4.16 in my CentOS 7 machine & when I searched over the internet I could see it is affected by some vulnerabilities. So I wanted to upgrade my PHP to 5.6.x, but did not find a procedure for it.

    When I tried yum upgrade php, it says “no packages marked for update”

    Can you please give me some pointers so that I can continue.