On 2014-04-25 23:27, Pat Riehecky wrote: > On 04/25/2014 10:27 AM, olli hauer wrote: >> On 2014-04-25 15:25, Pat Riehecky wrote: >>> On 04/24/2014 04:21 PM, Orion Poplawski wrote: >>>> On 10/17/2013 02:27 PM, Connie Sieh wrote: >>>>> ---------- Forwarded message ---------- >>>>> Date: Thu, 17 Oct 2013 15:25:39 -0500 >>>>> From: Connie Sieh <[email protected]> >>>>> To: [email protected] >>>>> Subject: Software Collections 1.0 is available for SL 6 >>>>> >>>>> The following TUV "software collection" products are now available for SL >>>>> 6. >>>>> >>>>> A README with info about yum repos for these packages is available from >>>>> ftp://sldist.fnal.gov/linux/scientific/6x/external_products/softwarecollecti >>>>> ons/README >>>> Any chance of yum-conf-softwarecollections ending up in the main SL repos? >>>> >>>> >>> That's an interesting idea. Lets take it to the devel list and see what >>> people think. >> @me not subscribed to the devel@ list so giving my rant here. >> >> The versions provided in softwarecollections have almost already known >> vulnerabilities. >> >> Picking only the latest CVE entires retrieved after softwarecollections >> publish date. >> >> php-5.4: CVE-2013-6420 >> postgresql: CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063 >> CVE-2014-0064 CVE-2014-0065 CVE-2014-0066 CVE-2014-0067 >> python27 / python33: CVE-2014-1912 >> ruby193: CVE-2013-4491 CVE-2013-6414 CVE-2013-6415 CVE-2013-6416 >> CVE-2013-6417 >> >> Until the collection gets more notice from upstream I don't think it is a >> good idea to provide yum-conf-softwarecollection. >> > > Yikes! > > Any one report these CVEs to upstream to make sure they didn't get misplaced? > > Pat >
Hi Pat, perhaps I was to fast with my rant ... Anyway comparing upstream checksums with the SC collection will not work and for external products I cannot find repoview files Since I have the next days no SC console available I can only check if there are already existing upstream erratas. For example: php-5.4: https://access.redhat.com/security/cve/CVE-2013-6420 https://rhn.redhat.com/errata/RHSA-2013-1815.html CVE: CVE-2013-6420 RHSA: RHSA-2013:1815-1 Issued on: 2013-12-11 Updated packages: php54-php-5.4.16-7.el6.1.x86_64.rpm -> rpm version match the on on SC so rpm should be fine. So I will ask if it is possible to generate errata files for the packages in 6x/softwarecollection that can be used later for example in spacewalk? -- Sorry for the noise, I will next time do a better research. olli
