On Wednesday 18 February 2015 09:58:38 Patrick Rael wrote:
> For almost all CVEs of various rpms that we see there are fixed rpms for
> redhat, the fix usually goes like this: update to this rpm name-ver-rel-arch
> or this version.
> But we find that in CentOS we can't find that ver-rel, but we find what
> appears to be an older ver-rel, and we check the changelog and there we find
> the fixed CVEs.
>
> From https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0139 we see this:
> ...
> Versions 7.1 to and including 7.35.0 are affected. The flaw is fixed in
> version 7.36.0
> ...
>
> As I look at libcurl-7.19.7-40.el6_6.4.x86_64, I see 7.19.7 version is
> much less than 7.36.0.
> Am I reading it right? We have learned to just ignore the RH
> "fixed-in-version" and just check the changelog of the latest CentOS rpm pkg.
You are mixing upstream versioning with RHEL/CentOS versioning. It is true that it was fixed in upstream version 7.36.0. However, you cannot expect us to rebase curl in Enterprise Linux because of a relatively isolated security fix. We usually just cherry-pick the fixes from upstream and apply them on the enterprise version of curl.

As Paul already pointed out, you need to look at the statement in Bugzilla (instead of the "Fixed In Version" field) to check whether the vulnerability is fixed in a particular version of RHEL.

Kamil

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
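The check discussed in this thread (read the package's own changelog for the backported CVE instead of comparing against the upstream fixed-in version), as an added example that is not from the thread or the curl project: it parses `rpm -q --changelog` style text for the entry that backported a CVE and compares the installed version-release against it with a simplified rpm version comparison. The changelog text, the maintainer name and the dist-tag stripping are constructed assumptions.

```python
import re

# Constructed sample of `rpm -q --changelog libcurl` output: made up for this
# example, not the real package changelog.
SAMPLE_CHANGELOG = """\
* Mon Jan 12 2015 Example Maintainer <maint@example.invalid> - 7.19.7-40.4
- backport of the upstream fix for CVE-2014-0139

* Fri Oct 10 2014 Example Maintainer <maint@example.invalid> - 7.19.7-40.2
- unrelated bug fix (#000000)

* Wed Aug 20 2014 Example Maintainer <maint@example.invalid> - 7.19.7-40
- rebuild for el6_6
"""

def parse_changelog(text):
    """Split changelog text into (version-release, [change lines]) pairs, newest first."""
    entries = []
    for line in text.splitlines():
        if line.startswith("*"):  # entry header ends in ' - <version-release>'
            _, sep, vr = line.rpartition(" - ")
            if not sep:
                raise ValueError(f"malformed changelog header: {line!r}")
            entries.append((vr.strip(), []))
        elif line.startswith("-") and entries:  # change line for current entry
            entries[-1][1].append(line[1:].strip())
    return entries

def first_fix_for(cve, text):
    """Oldest version-release whose entry names the CVE (where the backport landed), else None."""
    cve_re = re.compile(re.escape(cve) + r"\b", re.IGNORECASE)
    hits = [vr for vr, lines in parse_changelog(text)
            if any(cve_re.search(l) for l in lines)]
    return hits[-1] if hits else None

def _rpm_key(label):
    """Sort key for rpm-style comparison: digit segments compare numerically and rank
    above alpha segments; dist tags like .el6_6 are stripped (assumed to carry no order)."""
    stripped = re.sub(r"\.el\d+(_\d+)?", "", label)
    return [(1, int(s)) if s.isdigit() else (0, s)
            for s in re.findall(r"\d+|[A-Za-z]+", stripped)]

def rpm_vercmp(a, b):
    """Return -1, 0 or 1 like rpmvercmp (simplified: no tilde/caret handling)."""
    ka, kb = _rpm_key(a), _rpm_key(b)
    return (ka > kb) - (ka < kb)

def is_fixed(installed_vr, cve, text):
    """True when the installed version-release is at or past the entry that backported the CVE."""
    fix = first_fix_for(cve, text)
    return fix is not None and rpm_vercmp(installed_vr, fix) >= 0
```

With the sample data, `rpm_vercmp("7.19.7-40.el6_6.4", "7.36.0")` is -1 (the naive upstream comparison says vulnerable) while `is_fixed("7.19.7-40.el6_6.4", "CVE-2014-0139", SAMPLE_CHANGELOG)` is True, which is exactly the distinction the thread draws.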
