Old 04-28-2011, 12:47 PM
Riccardo Veraldi
 
libvirt security update CVE-2011-1146

Hello,

I have seen that package libvirt-0.8.2-15.el5_6.3 on CentOS 5.6, which
addresses the CVE-2011-1146 vulnerability, is not yet available, while for
example it is on Scientific Linux.

Is there any particular reason why the above rpm update is still not
available on mirrors?

thank you

Rick

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 04-28-2011, 02:17 PM
Johnny Hughes
 
libvirt security update CVE-2011-1146

On 04/28/2011 07:47 AM, Riccardo Veraldi wrote:
> Hello,
> I have seen that package libvirt-0.8.2-15.el5_6.3 on CentOS 5.6 which
> addresses CVE-2011-1146
> <https://www.redhat.com/security/data/cve/CVE-2011-1146.html> vulnerability
> is not yet available while for example it is on Scientific Linux.
> Is there any particular reason why the above rpm update is still not
> available on mirrors ?
>

This was pushed, it just had a .el5 instead of .el5_6 dist tag, so it
looks older than the other update. Corrected and repushed.

Thanks,
Johnny Hughes

 
Old 04-29-2011, 09:53 AM
Riccardo Veraldi
 
libvirt security update CVE-2011-1146

Hello,

I ask here if CentOS has an XML OVAL repository. This is the reason for
my question:

Actually I have an automatic system to check CVE vulnerability reports
against RedHat OVAL resources, for example:

https://www.redhat.com/security/data/oval/com.redhat.rhsa-2011.xml
for 2011 CVEs and RHSA-related OVALs

My problem is that while the mechanism works flawlessly regarding
Scientific Linux, with CentOS I have false positive reports, because the
patch level numbers for some rpms are somewhat different from the ones
written in the official RedHat OVALs.

I make an example to explain myself better:

Consider CVE-2011-0020, which corresponds to the RHSA-2011:0180-1
security advisory and regards a pango vulnerability.

RedHat calls the updated rpm which addresses the vulnerability
pango-1.14.9-8.el5_6.2

CentOS calls it pango-1.14.9-8.el5.centos.2

so we have:

pango-1.14.9-8.el5_6.2 in the RedHat OVALs while CentOS has
pango-1.14.9-8.el5.centos.2, and I think they both address the
CVE-2011-0020 vulnerability, but since the naming is different I have a
report that my pango RPM on CentOS is vulnerable, while on SL with the
same rpm I have no false positives and everything is ok.

So I ask if CentOS has its own OVAL xml files because I cannot use the
RedHat OVALs with CentOS in a reliable way for my purposes.

thank you very much

Rick
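Both the mis-tagged libvirt build that "looks older" and the pango false positive Riccardo reports come down to how rpm orders version and release strings: it compares them run by run, and a numeric run always sorts after a letter run, so `8.el5.centos.2` sorts before `8.el5_6.2`. The Python port of that comparison below is an added example, not code from this thread or from the CentOS project; the `15.el5.3` libvirt release is a constructed stand-in for the build with the plain `.el5` tag, and epoch 0 is assumed for every package.

```python
import re

def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): 1 if a is newer, -1 if b is newer, 0 if equal.
    The '^' (caret) rule of newer rpm releases is omitted (assumption)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # skip separators: anything that is not ASCII alphanumeric or '~'
        i += re.match(r"[^0-9A-Za-z~]*", a[i:]).end()
        j += re.match(r"[^0-9A-Za-z~]*", b[j:]).end()
        ta, tb = a[i:i + 1] == "~", b[j:j + 1] == "~"
        if ta or tb:                      # '~' sorts before everything else
            if ta and tb:
                i, j = i + 1, j + 1
                continue
            return -1 if ta else 1
        if i >= len(a) or j >= len(b):
            break
        # take the next all-digit or all-letter run from each side
        isnum = a[i].isdigit()
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        if mb is None:                    # a numeric run beats a letter run
            return 1 if isnum else -1
        sa, sb = ma.group(0), mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if isnum:                         # numbers: longer (sans zeros) is bigger
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:                      # equal-length numbers, or letters
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1       # whichever has segments left wins

def is_older(installed_nvr, fixed_nvr):
    """True when installed 'name-version-release' sorts before the fixed one (epoch 0 assumed)."""
    _, iv, ir = installed_nvr.rsplit("-", 2)
    _, fv, fr = fixed_nvr.rsplit("-", 2)
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) < 0

if __name__ == "__main__":
    # pango from the thread: 'centos' is a letter run, '6' a numeric run, so the
    # CentOS build sorts before the OVAL NVR and gets reported as vulnerable
    print(is_older("pango-1.14.9-8.el5.centos.2", "pango-1.14.9-8.el5_6.2"))
    # libvirt: a plain '.el5' tag (constructed) sorts before '.el5_6' the same way
    print(is_older("libvirt-0.8.2-15.el5.3", "libvirt-0.8.2-15.el5_6.3"))
```

A scanner that feeds CentOS NVRs into Red Hat's OVAL definitions therefore flags a correctly patched host whenever the CentOS release string contains a `.centos` letter run where Red Hat's has a numeric `_6` style update tag.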
 
Old 04-29-2011, 04:10 PM
Johnny Hughes
 
libvirt security update CVE-2011-1146

On 04/29/2011 04:53 AM, Riccardo Veraldi wrote:
> Hello,
> I ask here if CentOS has a xml oval repository. This is the reason of my
> question:
>
> Actually I have an automatic system to check CVE vulnerabilities report
> against RedHat OVAL resources, for example:
> https://www.redhat.com/security/data/oval/com.redhat.rhsa-2011.xml for
> 2011 CVEs and RHSAs related OVALS
>
> My problem is that while the mechanism works flawlessly regarding
> Scientific Linux, with CentOS I have false positives reports
> because the patch level numbers for some rpms is somewhat different from
> the one written in the official RedHat OVALS.
>
> I make an example to explain myself better:
>
> Consider CVE-2011-0020 which corresponds to RHSA-2011:0180-1 security
> advisory and it regards a pango vulnerability.
>
> RedHat calls the updated rpm which addresses the vulnerability as
> pango-1.14.9-8.el5_6.2
>
> CentOS calls it as pango-1.14.9-8.el5.centos.2
>
> so we have:
>
> pango-1.14.9-8.el5_6.2 in the RedHat OVALS while CentOS has
> pango-1.14.9-8.el5.centos.2 and I think they both addresses the
> CVE-2011-0020 vulnerability
> but since the naming is different I have a report that my pango RPM on
> CentOS is vulnerable, while on SL with same rpm I have no false
> positives and everything is ok.
>
> So I ask if CentOS has its own OVAL xml files because I cannot use in a
> reliable way the RedHat OVALs with CentOS for my purposes.
>

No, we don't have that .. and we can't "screen scrape" the Red Hat
content and make our own.

While the Red Hat source files are Open Source (usually GPL, but also
other licenses) and we can rebuild their SRPMS ... their "Customer
Portals" are NOT open source. In fact, here are the terms for using
their "Customer Portals":

http://www.redhat.com/legal/legal_statement.html

"Red Hat either owns the intellectual property rights in the HTML, text,
images audio, video, software or other content that is made available on
this website, or has obtained the permission of the owner of the
intellectual property to make it available on this website. Red Hat
strictly prohibits the redistribution or copying of any part of this
website or content on this website without written permission from Red
Hat. Red Hat authorizes you to display on your computer, download and
print pages from this website provided: (a) the copyright notice appears
on all such printouts, (b) the information will not be altered, (c) the
content is only used for personal, educational and non-commercial use,
and (d) you do not redistribute or copy the information to any other
media."

Also this one:

https://access.redhat.com/site/help/terms_conditions.html

Use of Content.

Red Hat grants you a personal, non-assignable license to use Red Hat
Content for your own internal use while you are a Red Hat Customer (as
defined in Section 2 above). Distributing any portion of Red Hat Content
to a third party, using any Red Hat Content for the benefit of a third
party or using Red Hat Content in connection with software other than
Red Hat Software under an active Red Hat subscription are all
prohibited. Red Hat authorizes you to display on your computer,
download, play and print the Red Hat Content provided: (a) the copyright
notice is not removed, (b) Red Hat Content is not be altered, (c) Red
Hat Content is used only for your personal, educational and
non-commercial use in support of your active valid subscriptions to Red
Hat products and services and in accordance with your Customer
Agreement, (d) you do not further redistribute or copy Red Hat Content
and (e) you comply with any Additional Terms. In the event of a
conflict, inconsistency or difference between this Section 6 and the
terms of a License or Customer Agreement, the License or Customer
Agreement will control (for example, for Red Hat Content licensed under
a Creative Commons License, you will have the rights set forth in the
applicable Creative Commons License). If you exceed your authorized use
of Red Hat Content (for example, if you use Red Hat Content in support
of Software for which you do not have an active valid subscription), you
may be required under your Customer Agreement to purchase additional
subscriptions to Red Hat products. In addition, your right to continue
to access Red Hat Content from a Red Hat Portal is subject to your
continued compliance with these Terms of Use, your Customer Agreement
and the Additional Terms.

=================================================================

What this means is that we can NOT screen scrape, download, or otherwise
use content from the Red Hat website as a "Template" to then modify and
generate modified copies of that content ... BECAUSE ... content is NOT
software and the Red Hat content is NOT open source.

This is also why we do not duplicate the whole content from security
advisories. We can point you at it, we can not grab it and modify it
and then republish it. The CentOS Project takes copyright and
intellectual property rights very seriously.


Thanks,
Johnny Hughes
