Re: [SCIENTIFIC-LINUX-USERS] Software Collections 1.0 is available for SL 6 (fwd)
On 2014-04-25 23:27, Pat Riehecky wrote:
> On 04/25/2014 10:27 AM, olli hauer wrote:
>> On 2014-04-25 15:25, Pat Riehecky wrote:
>>> On 04/24/2014 04:21 PM, Orion Poplawski wrote:
>>>> On 10/17/2013 02:27 PM, Connie Sieh wrote:
>>>>> -- Forwarded message --
>>>>> Date: Thu, 17 Oct 2013 15:25:39 -0500
>>>>> From: Connie Sieh
>>>>> To: cs...@fnal.gov
>>>>> Subject: Software Collections 1.0 is available for SL 6
>>>>>
>>>>> The following TUV "software collection" products are now available for SL 6.
>>>>>
>>>>> A README with info about yum repos for these packages is available from
>>>>> ftp://sldist.fnal.gov/linux/scientific/6x/external_products/softwarecollections/README
>>>>
>>>> Any chance of yum-conf-softwarecollections ending up in the main SL repos?
>>>
>>> That's an interesting idea. Let's take it to the devel list and see what
>>> people think.
>>
>> @me not subscribed to the devel@ list so giving my rant here.
>>
>> The versions provided in softwarecollections have almost already known
>> vulnerabilities.
>>
>> Picking only the latest CVE entries retrieved after softwarecollections
>> publish date.
>>
>> php-5.4: CVE-2013-6420
>> postgresql: CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063
>>             CVE-2014-0064 CVE-2014-0065 CVE-2014-0066 CVE-2014-0067
>> python27 / python33: CVE-2014-1912
>> ruby193: CVE-2013-4491 CVE-2013-6414 CVE-2013-6415 CVE-2013-6416
>>          CVE-2013-6417
>>
>> Until the collection gets more notice from upstream I don't think it is a
>> good idea to provide yum-conf-softwarecollection.
>>
>
> Yikes!
>
> Anyone report these CVEs to upstream to make sure they didn't get misplaced?
>
> Pat
>

Hi Pat,

perhaps I was too fast with my rant ...

Anyway, comparing upstream checksums with the SC collection will not work, and
for external products I cannot find repoview files.

Since I have no SC console available in the next days I can only check if
there are already existing upstream errata.

For example:

php-5.4:
https://access.redhat.com/security/cve/CVE-2013-6420
https://rhn.redhat.com/errata/RHSA-2013-1815.html

CVE: CVE-2013-6420
RHSA: RHSA-2013:1815-1
Issued on: 2013-12-11
Updated packages: php54-php-5.4.16-7.el6.1.x86_64.rpm

-> rpm version matches the one on SC, so the rpm should be fine.

So I will ask if it is possible to generate errata files for the packages in
6x/softwarecollection that can be used later, for example in spacewalk?

--
Sorry for the noise, I will do better research next time.

olli
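The check olli describes above (does the build in the SC repo reach the "Updated packages" build named in the RHSA?) can be scripted once you compare name-version-release strings the way rpm does. The block below is an added example, not code from the thread or from Scientific Linux; it reimplements rpm's rpmvercmp ordering (without tilde/caret handling), takes the CVE/RHSA/package triple from the thread as its errata entry, and uses two constructed host inventories: the SC build and a hypothetical older build.

```python
import re
from typing import Dict, List, Tuple

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a: str, b: str) -> int:
    """rpm-style ordering: numeric segments compare as integers, alpha segments as
    strings, numeric beats alpha, leftover segments win. Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0

def split_nvr(nvr: str) -> Tuple[str, str, str]:
    """'php54-php-5.4.16-7.el6.1[.x86_64.rpm]' -> (name, version, release)."""
    nvr = re.sub(r"\.(noarch|x86_64|i686)\.rpm$", "", nvr)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def nvr_cmp(a: str, b: str) -> int:
    """Order two builds of one package: version first, then release."""
    _, va, ra = split_nvr(a)
    _, vb, rb = split_nvr(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def unpatched(installed: Dict[str, str], errata: Dict[str, Tuple[str, str]]) -> List[str]:
    """List CVEs whose fixed build is newer than the installed build of that package."""
    findings = []
    for cve, (advisory, fixed) in errata.items():
        have = installed.get(split_nvr(fixed)[0])
        if have is not None and nvr_cmp(have, fixed) < 0:
            findings.append(f"{cve} ({advisory}): have {have}, need {fixed}")
    return findings

# Errata entry as quoted in the thread; the two host inventories are constructed.
ERRATA = {"CVE-2013-6420": ("RHSA-2013:1815", "php54-php-5.4.16-7.el6.1.x86_64.rpm")}
SC_HOST = {"php54-php": "php54-php-5.4.16-7.el6.1"}    # build shipped in the SC repo
STALE_HOST = {"php54-php": "php54-php-5.4.16-6.el6"}   # hypothetical older build
```

Feeding it a real inventory means replacing the dicts with `rpm -qa --qf '%{NAME} %{NAME}-%{VERSION}-%{RELEASE}\n'` output and an errata map pulled from the RHSA pages, which is exactly the data the thread asks FNAL to publish.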
Re: [SCIENTIFIC-LINUX-USERS] Software Collections 1.0 is available for SL 6 (fwd)
On 04/25/2014 10:27 AM, olli hauer wrote:
> On 2014-04-25 15:25, Pat Riehecky wrote:
>> On 04/24/2014 04:21 PM, Orion Poplawski wrote:
>>> On 10/17/2013 02:27 PM, Connie Sieh wrote:
>>>> -- Forwarded message --
>>>> Date: Thu, 17 Oct 2013 15:25:39 -0500
>>>> From: Connie Sieh
>>>> To: cs...@fnal.gov
>>>> Subject: Software Collections 1.0 is available for SL 6
>>>>
>>>> The following TUV "software collection" products are now available for SL 6.
>>>>
>>>> A README with info about yum repos for these packages is available from
>>>> ftp://sldist.fnal.gov/linux/scientific/6x/external_products/softwarecollections/README
>>>
>>> Any chance of yum-conf-softwarecollections ending up in the main SL repos?
>>
>> That's an interesting idea. Let's take it to the devel list and see what
>> people think.
>
> @me not subscribed to the devel@ list so giving my rant here.
>
> The versions provided in softwarecollections have almost already known
> vulnerabilities.
>
> Picking only the latest CVE entries retrieved after softwarecollections
> publish date.
>
> php-5.4: CVE-2013-6420
> postgresql: CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063
>             CVE-2014-0064 CVE-2014-0065 CVE-2014-0066 CVE-2014-0067
> python27 / python33: CVE-2014-1912
> ruby193: CVE-2013-4491 CVE-2013-6414 CVE-2013-6415 CVE-2013-6416
>          CVE-2013-6417
>
> Until the collection gets more notice from upstream I don't think it is a
> good idea to provide yum-conf-softwarecollection.

Yikes!

Anyone report these CVEs to upstream to make sure they didn't get misplaced?

Pat

--
Pat Riehecky
Scientific Linux developer
http://www.scientificlinux.org/
Re: [SCIENTIFIC-LINUX-USERS] Software Collections 1.0 is available for SL 6 (fwd)
On 2014-04-25 15:25, Pat Riehecky wrote:
> On 04/24/2014 04:21 PM, Orion Poplawski wrote:
>> On 10/17/2013 02:27 PM, Connie Sieh wrote:
>>> -- Forwarded message --
>>> Date: Thu, 17 Oct 2013 15:25:39 -0500
>>> From: Connie Sieh
>>> To: cs...@fnal.gov
>>> Subject: Software Collections 1.0 is available for SL 6
>>>
>>> The following TUV "software collection" products are now available for SL 6.
>>>
>>> A README with info about yum repos for these packages is available from
>>> ftp://sldist.fnal.gov/linux/scientific/6x/external_products/softwarecollections/README
>>
>> Any chance of yum-conf-softwarecollections ending up in the main SL repos?
>>
>
> That's an interesting idea. Let's take it to the devel list and see what
> people think.

@me not subscribed to the devel@ list so giving my rant here.

The versions provided in softwarecollections have almost already known
vulnerabilities.

Picking only the latest CVE entries retrieved after softwarecollections
publish date.

php-5.4: CVE-2013-6420
postgresql: CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063
            CVE-2014-0064 CVE-2014-0065 CVE-2014-0066 CVE-2014-0067
python27 / python33: CVE-2014-1912
ruby193: CVE-2013-4491 CVE-2013-6414 CVE-2013-6415 CVE-2013-6416
         CVE-2013-6417

Until the collection gets more notice from upstream I don't think it is a
good idea to provide yum-conf-softwarecollection.

--
Regards,
olli
Re: [SCIENTIFIC-LINUX-USERS] Software Collections 1.0 is available for SL 6 (fwd)
On 04/24/2014 04:21 PM, Orion Poplawski wrote:
> On 10/17/2013 02:27 PM, Connie Sieh wrote:
>> -- Forwarded message --
>> Date: Thu, 17 Oct 2013 15:25:39 -0500
>> From: Connie Sieh
>> To: cs...@fnal.gov
>> Subject: Software Collections 1.0 is available for SL 6
>>
>> The following TUV "software collection" products are now available for SL 6.
>>
>> A README with info about yum repos for these packages is available from
>> ftp://sldist.fnal.gov/linux/scientific/6x/external_products/softwarecollections/README
>
> Any chance of yum-conf-softwarecollections ending up in the main SL repos?

That's an interesting idea. Let's take it to the devel list and see what
people think.

Pat

--
Pat Riehecky
Scientific Linux developer
http://www.scientificlinux.org/