Hello,
I appreciate your interest in the yum-security plugin!
For SL 5, we do not currently build the relevant yum metadata for the
yum-security plugin.
Pat
On 01/27/2015 09:03 AM, D Laff wrote:
I am working my way around a number of 5.x and 6.x systems to address
CVE-2014-9322:
https://www.scientificlinux.org/sl-errata/slsa-20142008-1/
https://www.scientificlinux.org/sl-errata/slsa-20141997-1/
In doing this, I have become a little more familiar with the security plugin
for yum.
On my systems, following a typical requirement for the installation of this
plugin, I query the requirement for patches for the given CVE:
---
(eg)
yum list updates --cve=CVE-2014-9322
Loaded plugins: refresh-packagekit, security
Limiting package lists to security relevant ones
5 package(s) needed for security, out of 164 available
Updated Packages
kernel.x86_64
2.6.32-504.3.3.el6 sl-security
....
....
---
This is what I expect as my kernel is below the "fixed by" release listed
against the given CVE for SL 6.x (-504).
However, when undertaking similar diagnostics on my 5.x systems I am being
informed that there are no patches applicable for the given CVE:
---
(eg)
yum --cve CVE-2014-9322 info updates
Loaded plugins: kernel-module, security
Limiting package lists to security relevant ones
CVE "CVE-2014-9322" not found applicable for this system
No packages needed, for security, 323 available
---
(eg)
yum info-security SLSA-2014:2008-1
Argument "SLSA-2014:2008-1" not found applicable for this system
---
This isn't what I expect as my kernel version is below the "fixed by" release
listed against the given CVE for SL 5.x (-400).
I'm concerned that I'm using yum incorrectly, and missing out on important
security patches (in this instance for the given CVE).
However, it might be that the systems in question are actually patched / not
vulnerable, but in a way which I don't understand (and, if possible, I'd like
to!).
Any guidance or insight would be much appreciated.
Thanks in advance . . .
--
Pat Riehecky
Scientific Linux developer
Fermi National Accelerator Laboratory
www.fnal.gov
www.scientificlinux.org
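
The reply at the top says the SL 5 repositories carry no metadata for the security plugin, so "not found applicable" on those systems says nothing about patch state. An added example (not from this thread or the SL project) that checks a repository's repodata/repomd.xml for an updateinfo entry, the metadata the plugin reads, and otherwise falls back to the coarse release comparison the poster makes (-400 for SL 5, -504 for SL 6); the repomd.xml samples and installed kernel strings are constructed.

```shell
#!/bin/sh
# Added example; the repomd.xml samples and kernel strings are constructed.

# Succeeds if the repomd.xml file $1 lists updateinfo metadata, which is
# what yum's security plugin matches CVE and advisory ids against.
repo_has_updateinfo() {
    grep -Eq '<data[[:space:]]+type="updateinfo"' "$1"
}

# Prints the first numeric field of the release: 2.6.18-398.el5 -> 398
kernel_release_num() {
    rel=${1#*-}
    printf '%s\n' "${rel%%.*}"
}

# assess REPOMD INSTALLED_KERNEL FIXED_RELEASE
# Coarse fallback: compares only the leading release number, as the post
# does; the errata page carries the full fixed version.
assess() {
    have=$(kernel_release_num "$2")
    if repo_has_updateinfo "$1"; then
        echo "updateinfo present: yum --cve output is usable"
    elif [ "$have" -lt "$3" ]; then
        echo "no updateinfo: ignore yum --cve; kernel -$have is below fixed -$3"
    else
        echo "no updateinfo: ignore yum --cve; kernel -$have is at or above -$3"
    fi
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/with.xml" <<'EOF'
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary"><location href="repodata/primary.xml.gz"/></data>
  <data type="updateinfo"><location href="repodata/updateinfo.xml.gz"/></data>
</repomd>
EOF
cat > "$demo_dir/without.xml" <<'EOF'
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary"><location href="repodata/primary.xml.gz"/></data>
</repomd>
EOF

assess "$demo_dir/with.xml" 2.6.32-431.el6 504      # SL 6 style repo
assess "$demo_dir/without.xml" 2.6.18-398.el5 400   # SL 5 style repo
```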