CVE-2011-3192 rpms for CentOS 5 still pending?
According to the CentOS-CR-Announce list, there is recently an update
for httpd in CentOS 5 CR repo. But the announcement
http://lists.centos.org/pipermail/centos-cr-announce/2011-September/000293.html
refers to upstream RHBA-2011-1067, which is the version released with
5.7 base packages. Upstream has an update for CVE-2011-3192 whose
announcement is RHSA-2011-1245, and this update of httpd has version
number 2.2.3-53.el5_7.1, which is higher than that in C5 CR repo
(2.2.3-53.el5.centos). Maybe there should be another update for httpd
in CentOS 5 CR repo.

BTW, any update on C6.1 (or 6.0 CR packages)?

Regards.

_______________________________________________
CentOS-devel mailing list
CentOS-devel@centos.org
http://lists.centos.org/mailman/listinfo/centos-devel

On 07/09/11 05:20, dfrg.msc wrote:
> According to the CentOS-CR-Announce list, there is recently an update
> for httpd in CentOS 5 CR repo. But the announcement
> http://lists.centos.org/pipermail/centos-cr-announce/2011-September/000293.html
> refers to upstream RHBA-2011-1067, which is the version released with
> 5.7 base packages. Upstream has an update for CVE-2011-3192 whose
> announcement is RHSA-2011-1245, and this update of httpd has version
> number 2.2.3-53.el5_7.1, which is higher than that in C5 CR repo
> (2.2.3-53.el5.centos). Maybe there should be another update for httpd
> in CentOS 5 CR repo.
> BTW, any update on C6.1 (or 6.0 CR packages)?
>
> Regards.

Please see this extremely lengthy thread for an explanation as to why
this is confusing:

http://lists.centos.org/pipermail/centos-devel/2011-May/007477.html

You can not go by the package name-version-release string alone as
CentOS change this. Try examining the changelog and look for the above
CVE's.

On Wed, Sep 7, 2011 at 7:38 AM, Ned Slider <ned@unixmail.co.uk> wrote:
> On 07/09/11 05:20, dfrg.msc wrote:
>> According to the CentOS-CR-Announce list, there is recently an update
>> for httpd in CentOS 5 CR repo. But the announcement
>> http://lists.centos.org/pipermail/centos-cr-announce/2011-September/000293.html
>> refers to upstream RHBA-2011-1067, which is the version released with
>> 5.7 base packages. Upstream has an update for CVE-2011-3192 whose
>> announcement is RHSA-2011-1245, and this update of httpd has version
>> number 2.2.3-53.el5_7.1, which is higher than that in C5 CR repo
>> (2.2.3-53.el5.centos). Maybe there should be another update for httpd
>> in CentOS 5 CR repo.
>> BTW, any update on C6.1 (or 6.0 CR packages)?
>>
>> Regards.
>
> Please see this extremely lengthy thread for an explanation as to why
> this is confusing:
>
> http://lists.centos.org/pipermail/centos-devel/2011-May/007477.html
>
> You can not go by the package name-version-release string alone as
> CentOS change this. Try examining the changelog and look for the above
> CVE's.
>

I think the sender was meaning about the RHBA/RHSA numbers.
If the referred CR package contains both the RHBA-2011-1067 and
RHSA-2011-1245 I think they should be both present in the body of the
announce message, so also the link:
http://rhn.redhat.com/errata/RHSA-2011-1245.html

Gianluca

BTW: +1 for the question about CentOS 6.1 and 6.0CR updates..

2011/9/7 Ned Slider <ned@unixmail.co.uk>:
> On 07/09/11 05:20, dfrg.msc wrote:
>> According to the CentOS-CR-Announce list, there is recently an update
>> for httpd in CentOS 5 CR repo. But the announcement
>> http://lists.centos.org/pipermail/centos-cr-announce/2011-September/000293.html
>> refers to upstream RHBA-2011-1067, which is the version released with
>> 5.7 base packages. Upstream has an update for CVE-2011-3192 whose
>> announcement is RHSA-2011-1245, and this update of httpd has version
>> number 2.2.3-53.el5_7.1, which is higher than that in C5 CR repo
>> (2.2.3-53.el5.centos). Maybe there should be another update for httpd
>> in CentOS 5 CR repo.
>> BTW, any update on C6.1 (or 6.0 CR packages)?
>>
>> Regards.
>
> Please see this extremely lengthy thread for an explanation as to why
> this is confusing:
>
> http://lists.centos.org/pipermail/centos-devel/2011-May/007477.html
>
> You can not go by the package name-version-release string alone as
> CentOS change this. Try examining the changelog and look for the above
> CVE's.
>

I understand. So there is already CVE-2011-3192 rpms uploaded to
CentOS 5 CR repo, but no announcement posted yet.

On 07.09.2011 at 15:11, dfrg.msc wrote:
> 2011/9/7 Ned Slider <ned@unixmail.co.uk>:
>> On 07/09/11 05:20, dfrg.msc wrote:
>>> According to the CentOS-CR-Announce list, there is recently an update
>>> for httpd in CentOS 5 CR repo. But the announcement
>>> http://lists.centos.org/pipermail/centos-cr-announce/2011-September/000293.html
>>> refers to upstream RHBA-2011-1067, which is the version released with
>>> 5.7 base packages. Upstream has an update for CVE-2011-3192 whose
>>> announcement is RHSA-2011-1245, and this update of httpd has version
>>> number 2.2.3-53.el5_7.1, which is higher than that in C5 CR repo
>>> (2.2.3-53.el5.centos). Maybe there should be another update for httpd
>>> in CentOS 5 CR repo.
>>> BTW, any update on C6.1 (or 6.0 CR packages)?
>>>
>>> Regards.
>>
>> Please see this extremely lengthy thread for an explanation as to why
>> this is confusing:
>>
>> http://lists.centos.org/pipermail/centos-devel/2011-May/007477.html
>>
>> You can not go by the package name-version-release string alone as
>> CentOS change this. Try examining the changelog and look for the above
>> CVE's.
>>
> I understand. So there is already CVE-2011-3192 rpms uploaded to
> CentOS 5 CR repo, but no announcement posted yet.

That's correct:

rpm -qp --changelog http://mirror.centos.org/centos-5/5/cr/x86_64/RPMS/httpd-2.2.3-53.el5.centos.1.x86_64.rpm | head

--
LF

On Wed, Sep 7, 2011 at 5:27 PM, Leon Fauster wrote:
> That's correct:
>
> rpm -qp --changelog http://mirror.centos.org/centos-5/5/cr/x86_64/RPMS/httpd-2.2.3-53.el5.centos.1.x86_64.rpm | head

If a CentOS package contains aggregated upstream sequentially provided
corrections, I think it is desirable to have all of the related
RHSA/RHBA/RHEA links mentioned in the body of the related CentOS
announce mail message.
Just my opinion to provide better service.

Gianluca

On Wed, 7 Sep 2011 09:22:49 +0200
Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
> Gianluca
>
> BTW: +1 for the question about CentOS 6.1 and 6.0CR updates..

On an earlier thread KB mentioned that status updates would be made to the
dev qa page only: http://qaweb.dev.centos.org/qa/

There's a comment to the CentOS 6.1 status update message from Thurs 1 Sept
from Fabian A. that says
CentOS 6.1 current status : 16 packages still don't built/link like they
should. So no installable tree/ISO is currently available for the QA team to
test. no ETA for that

I have the page bookmarked.

Cia W.

On Wed, Sep 7, 2011 at 5:53 PM, Cia Watson wrote:
> On an earlier thread KB mentioned that status updates would be made to the
> dev qa page only: http://qaweb.dev.centos.org/qa/
>
> There's a comment to the CentOS 6.1 status update message from Thurs 1 Sept
> from Fabian A. that says
> CentOS 6.1 current status : 16 packages still don't built/link like they
> should. So no installable tree/ISO is currently available for the QA team to
> test. no ETA for that
>
> I have the page bookmarked.

I have that page constantly opened in a dedicated tab too... but I
cannot post comments on that page... can I register for this?
In my opinion packages that are iso blockers don't necessarily mean a
block for 6.0 CR realization but probably it depends on which kind of
packages have problems... information that I don't have...
If I understood correctly its aim, CR generation should have a little
higher priority than perfect/final installable iso... or not?

Gianluca

On 09/07/2011 04:33 PM, Gianluca Cecchi wrote:
> On Wed, Sep 7, 2011 at 5:27 PM, Leon Fauster wrote:
>
>> That's correct:
>>
>> rpm -qp --changelog http://mirror.centos.org/centos-5/5/cr/x86_64/RPMS/httpd-2.2.3-53.el5.centos.1.x86_64.rpm | head
>
> If a CentOS package contains aggregated upstream sequentially provided
> corrections, I think it is desirable to have all of the related
> RHSA/RHBA/RHEA links mentioned in the body of the related CentOS
> announce mail message.
> Just my opinion to provide better service.

A CentOS rpm only contains exactly what was in the corresponding srpm
released upstream. The only changes are to branding.

- KB

On Wed, Sep 7, 2011 at 6:31 PM, Karanbir Singh wrote:
> On 09/07/2011 04:33 PM, Gianluca Cecchi wrote:
>> On Wed, Sep 7, 2011 at 5:27 PM, Leon Fauster wrote:
>>
>>> That's correct:
>>>
>>> rpm -qp --changelog http://mirror.centos.org/centos-5/5/cr/x86_64/RPMS/httpd-2.2.3-53.el5.centos.1.x86_64.rpm | head
>>
>> If a CentOS package contains aggregated upstream sequentially provided
>> corrections, I think it is desirable to have all of the related
>> RHSA/RHBA/RHEA links mentioned in the body of the related CentOS
>> announce mail message.
>> Just my opinion to provide better service.
>
> A CentOS rpm only contains exactly what was in the corresponding srpm
> released upstream. The only changes are to branding.

Ok, so let us see if I have now understood:

1) RH EL 5.7 official has httpd 2.2.3-53.el5.ia64.rpm at 21/07 and
link to https://rhn.redhat.com/errata/RHBA-2011-1067.html in
announcement

2) CentOS 5.7 iso not released yet, but when released it will contain
the same rpm (apart from branding things) as upstream and an e-mail
announcement in centos-announce will contain same link as 1)
so package name will be probably httpd-2.2.3-53.el5.centos.x86_64.rpm

3) upstream releases a further update to the package
2.2.3-53.el5_7.1.ia64.rpm at 31/08 and link to
http://rhn.redhat.com/errata/RHSA-2011-1245.html

4) CentOS 5.6 CR has been released at 15/08 and at 01/09 releases a
package named httpd-2.2.3-53.el5.centos.x86_64.rpm with the same link
as 1) for RHBA because has been built from upstream 5.7 release and
this will probably be the rpm present inside iso image
BTW: the link Leon provided in his e-mail was to a next released
CentOS httpd (notice the .1 in its name.. this was misleading for
me... ;-)

5) On mirror under CR folder there are now (07/09):
httpd-2.2.3-53.el5.centos.1.x86_64.rpm (dated 01/09??)
httpd-2.2.3-53.el5.centos.x86_64.rpm (dated 05/09...)

[gcecchi@tekkaman ~]$ rpm -qp --changelog http://mirror.centos.org/centos-5/5.6/cr/x86_64/RPMS/httpd-2.2.3-53.el5.centos.x86_64.rpm | head
warning: http://mirror.centos.org/centos-5/5.6/cr/x86_64/RPMS/httpd-2.2.3-53.el5.centos.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID e8562897: NOKEY
* Sat Aug 20 2011 Karanbir Singh <kbsingh@centos.org> - 2.2.3-53.el5.centos
- Roll in CentOS Branding
* Fri Jun 17 2011 Joe Orton <jorton@redhat.com> - 2.2.3-53
- mod_cache: add "hard" argument to CacheMaxExpire (#379811)
* Thu May 12 2011 Joe Orton <jorton@redhat.com> - 2.2.3-52
- mod_include: fix parsing across bucket boundaries (#698402)
* Fri Apr 15 2011 Joe Orton <jorton@redhat.com> - 2.2.3-50

(build date is "Build Date: Fri 19 Aug 2011 05:22:46 PM CEST")

[gcecchi@tekkaman ~]$ rpm -qp --changelog http://mirror.centos.org/centos-5/5.6/cr/x86_64/RPMS/httpd-2.2.3-53.el5.centos.1.x86_64.rpm |head
warning: http://mirror.centos.org/centos-5/5.6/cr/x86_64/RPMS/httpd-2.2.3-53.el5.centos.1.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID e8562897: NOKEY
* Thu Sep 01 2011 Karanbir Singh <kbsingh@centos.org> - 2.2.3-53.el5.centos.1
- Roll in CentOS Branding
* Wed Aug 31 2011 Joe Orton <jorton@redhat.com> - 2.2.3-53.1
- add security fix for CVE-2011-3192 (#733059)

(build date is "Build Date: Thu 01 Sep 2011 02:23:54 AM CEST")

So I think that the CR announce at
http://lists.centos.org/pipermail/centos-cr-announce/2011-September/000293.html
contains only 5.7 rpm version, and correctly only the link to
https://rhn.redhat.com/errata/RHBA-2011-1067.html
while the CR announce for httpd-2.2.3-53.el5.centos.1.x86_64.rpm has
to be sent yet (at least to the archives of centos-cr-announce) and
will contain the link http://rhn.redhat.com/errata/RHSA-2011-1245.html
and so it will be for a further announcement in official
centos-announce mailing list when 5.7 and its official updates will be
released.

HIH clarification for other guys too...
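
The changelog check suggested earlier in the thread (look for the CVE in the changelog rather than comparing name-version-release strings), as an added example that is not part of any message above. The two changelog excerpts are copied from the output quoted in the last message; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): check an rpm changelog for a CVE fix.

# Changelog excerpts as printed in the thread for the two CR packages.
CHANGELOG_53='* Sat Aug 20 2011 Karanbir Singh <kbsingh@centos.org> - 2.2.3-53.el5.centos
- Roll in CentOS Branding
* Fri Jun 17 2011 Joe Orton <jorton@redhat.com> - 2.2.3-53
- mod_cache: add "hard" argument to CacheMaxExpire (#379811)
* Thu May 12 2011 Joe Orton <jorton@redhat.com> - 2.2.3-52
- mod_include: fix parsing across bucket boundaries (#698402)'

CHANGELOG_53_1='* Thu Sep 01 2011 Karanbir Singh <kbsingh@centos.org> - 2.2.3-53.el5.centos.1
- Roll in CentOS Branding
* Wed Aug 31 2011 Joe Orton <jorton@redhat.com> - 2.2.3-53.1
- add security fix for CVE-2011-3192 (#733059)'

# changelog_has_cve CVE-ID
# Reads changelog text on stdin; succeeds only if the ID appears as a whole
# token, so CVE-2011-3192 does not match a longer ID such as CVE-2011-31920.
changelog_has_cve() {
    grep -Eq "(^|[^0-9A-Za-z-])$1([^0-9]|\$)"
}

# fix_version CVE-ID
# Prints the version-release from the "* date packager - version" header of
# the changelog entry that mentions the ID (empty output if none does).
fix_version() {
    awk -v cve="$1" '
        /^\* /                   { header = $0 }
        $0 ~ (cve "([^0-9]|$)")  { print header; exit }
    ' | sed 's/.* - //'
}

# report LABEL CHANGELOG CVE-ID (hypothetical helper for this example)
report() {
    if printf '%s\n' "$2" | changelog_has_cve "$3"; then
        echo "$1: $3 fixed in $(printf '%s\n' "$2" | fix_version "$3")"
    else
        echo "$1: no changelog entry for $3"
    fi
}

report httpd-2.2.3-53.el5.centos   "$CHANGELOG_53"   CVE-2011-3192
report httpd-2.2.3-53.el5.centos.1 "$CHANGELOG_53_1" CVE-2011-3192
# On an installed system, feed the whole changelog (no `| head`):
#   rpm -q --changelog httpd | changelog_has_cve CVE-2011-3192
```

`| head` shows only the first ten changelog lines, which is enough here because the fix is the newest upstream entry; for an older CVE, search the full changelog.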