Is It Fine To Upgrade To CentOS 6 Rpms, Being At CentOS 5.8


Hi,

I’m currently at CentOS 5.8. After some penetration testing, found some high severity OpenSSH issues which would require its upgrade. But till CentOS 5.9 the latest rpm available is openssh-4.3p2-82.el5 (which I’m currently using).

Is it fine to upgrade to CentOS 6 rpms while I’m on CentOS 5?

Thanks, Anumeha

8 thoughts on - Is It Fine To Upgrade To CentOS 6 Rpms, Being At CentOS 5.8

  • Without going to 5.9 you will have unpatched vulnerabilities. With all the applicable patches for EL5 you should not have any vulnerabilities due to in-channel software from CentOS. That does not mean the vulnerability scanner won’t find false positives; the key is to get the CVE number of the vulnerability, search for how Red Hat responded to it, and check whether you have the CentOS equivalent of that patch.

    Mobile

  • Most “penetration testing” is done via lackadaisical auditors using automated tools that are pretty much completely worthless in the real world using Enterprise Linux, as said tools are unaware of backporting policies. What “issues” were you informed of? Did they provide you with CVE references?

    No, it is not possible to use C6 binary rpms on a C5 system.

    John

  • Why haven’t you updated your entire set of packages to 5.9?
    Red Hat will release (or maybe already has released) patched packages — oftentimes the patches are backported for the software versions RH supports, meaning that just going by the version number of openssh may mislead you. When in doubt, check the RH Bugzilla and CVE reports.

    You could rebuild openssh from source, but moving to CentOS 6 is a better game plan.

    See the information on the CentOS wiki (link below). http://wiki.CentOS.org/HowTos/MigrationGuide

    I cannot speak for how well these migration steps work as I opt to do a fresh install and rsync the important data to the new install.

  • 2013/3/21 Anumeha Prasad :

    Result of a Nessus/OpenVAS scan? Red Hat backports security fixes, so just update to 5.9.

  • On 21.03.2013 at 13:12, John R. Dennison wrote:

    For more info, check the openssh package more closely:

    rpm -q --changelog openssh

    or

    rpm -q --changelog openssh | grep -i cve

  • Others have already discussed backporting. Your scanner needs to understand RHEL backporting to give you correct results. See this link for an explanation of backporting:

    https://access.redhat.com/security/updates/backporting/

    And this one for a CVE database where you can verify false positives are actually fixed:

    https://access.redhat.com/security/cve/

    The answer to your other question is: No …

    Upgrading within a branch is simple, by design. CentOS-5 will get security updates until its EOL in 2017. You can upgrade any CentOS-5 machine to the latest updates with a simple “yum upgrade” command. Any security or other issues you think you have can be verified fixed from the CVE database link above.

    But moving to CentOS-6 from CentOS-5 is not easy. The versions of many things are much higher in CentOS-6. You therefore need to save off your data, do a new install of CentOS-6, move your data back on and upgrade it to the newer software. Some things will upgrade easily (most httpd, ssh, etc.) … some things will not convert easily (samba, ldap, php to name a few). Enterprise Linux upgrades between major versions (CentOS-5.x to CentOS-6.x) are complicated and need to be planned and tested very well; they cannot be done by just a simple command.

    Thanks, Johnny Hughes
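The changelog check from John R. Dennison’s reply and the false-positive verification Johnny Hughes describes can be scripted, as in this added example (not code from the thread or from CentOS). It triages a list of scanner-reported CVE ids against the text of `rpm -q --changelog`; the sample changelog and its CVE ids are constructed placeholders, and `installed_changelog` is a hypothetical wrapper that needs a real RPM-based host.

```shell
#!/bin/sh
# Triage scanner findings against an RPM changelog, which records backported CVE fixes
# that a version-number-only scanner cannot see.

# Constructed sample changelog (placeholder CVE ids, not a real openssh changelog).
SAMPLE_CHANGELOG='* Mon Jan 01 2013 Example Maintainer <maint@example.invalid> - 4.3p2-82
- backport fix for cve-1999-0001 (#000001)
- backport fix for CVE-1999-0002, CVE-1999-0003
* Mon Jan 01 2012 Example Maintainer <maint@example.invalid> - 4.3p2-80
- initial build'

# Print the unique CVE ids mentioned in the changelog text given as $1, upper-cased.
cves_in_changelog() {
    printf '%s\n' "$1" | tr 'a-z' 'A-Z' | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 if changelog text $1 records CVE id $2 (case-insensitive), else 1.
cve_fixed() {
    id=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    cves_in_changelog "$1" | grep -qx "$id"
}

# For changelog text $1 and scanner-reported CVE ids $2.., print one line per id:
# "<id> fixed" when the changelog records it, "<id> unverified" when it does not
# (an unverified id still needs checking against the Red Hat CVE database).
triage_cves() {
    changelog=$1; shift
    for id in "$@"; do
        if cve_fixed "$changelog" "$id"; then
            printf '%s fixed\n' "$id"
        else
            printf '%s unverified\n' "$id"
        fi
    done
}

# Hypothetical wrapper for live use on an RPM host: pass its output as the changelog,
# e.g.  triage_cves "$(installed_changelog openssh)" CVE-XXXX-YYYY
installed_changelog() {
    rpm -q --changelog "$1"
}
```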
