Re: [CentOS] CentOS Security Advisories OVAL feed??
> Q3) Does this indicate that only the latest CentOS (minor) release can > be considered "secure" or "patched"? Yes. Security errata for previous Enterprise Linux minor releases are a Red Hat product called Extended Update Support (EUS) [0]. CentOS doesn't build EUS updates. CentOS point releases are a point in time reference and an implementation detail, not something you should try to lock your system to. When someone says they are using CentOS X.Y, that just means that they haven't updated their system since X.Y+1 was released. Effectively, you don't have CentOS 8.1, you have outdated CentOS 8. [0] https://access.redhat.com/articles/rhel-eus On Tue, Aug 4, 2020 at 11:34 AM wrote: > > Dear List, > > I have spent some time playing around with oscap and the RHEL OVAL feed > (https://www.redhat.com/security/data/oval/v2/RHEL8/, also check Chapter > 16 of the RHEL 8 Design Guide). Because I could not find an existing > OVAL file for CentOS, I downloaded one of the RHEL8 files and managed to > modify (eg. the rhel-8.1-e4s.oval.xml) it to make it work on a CentOS > machine. Basically I just had to change the package signing key check to > use the CentOS key and I had to replace the redhat-release RPM package > name with "centos-release". Obviously, this would violate all kinds of > rights if redistributed, due to the fact that the upstream vendor is > named all over the place, but technically it "worked". > > On an internal system running a freshly updated CentOS 8.1 system I > ended up with three errors, titled: > > * RHSA-2019:4269: container-tools:rhel8 security and bug fix update > (Important) > > * RHSA-2019:3403: container-tools:rhel8 security, bug fix, and > enhancement update (Important) > > * RHSA-2019:2799: nginx:1.14 security update (Important) > > This raises some questions (some of them connected), namely: > > Q1) There are no equivalent CESA advisories for those RHSA advisories: > why is that? Note that there are also no equivalent CentOS packages to > those mentioned in the RHSA advisories. (My guess: because, when the > advisories where issued, Centos already had moved on to 8.2) > > Q2) Does this indicate a problem in the release process / handling of > upstream updates on the side of the CentOS project? Were the advisories > missed at the time of issuance? > > Q3) Does this indicate that only the latest CentOS (minor) release can > be considered "secure" or "patched"? > > Q4) Is there a native OVAL file released from the CentOS project > covering these issues? It could be extremely similar to the RHEL one, > but it should take the answers to the above questions into account (eg. > it could require the latests minor-release and there would only be one > file for CentOS 8 if the answer to Q3 is "yes"). > > Q5) If the answer to the last question is "no": shouldn't there be such > a resource? > > Thanks for any answers. > > peter > > ___ > CentOS mailing list > CentOS@centos.org > https://lists.centos.org/mailman/listinfo/centos > -- Carl George ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS Security Advisories OVAL feed??
Am 05.08.20 um 17:55 schrieb Johnny Hughes: On 8/5/20 10:45 AM, cen...@niob.at wrote: On 05/08/2020 16:49, Johnny Hughes wrote: On 8/5/20 1:05 AM, cen...@niob.at wrote: On 04/08/2020 23:50, Jon Pruente wrote: On Tue, Aug 4, 2020 at 11:34 AM wrote: Q5) If the answer to the last question is "no": shouldn't there be such a resource? CentOS doesn't publish security errata. If you need it then you should either buy RHEL, or deal with putting together your own set up with something like http://cefs.steve-meier.de/ I expected just this answer, and we do have a RHEL subscription (and BTW: thanks for the link). But you missed the main point by omitting the other questions (especially Q1, Q2 and Q3): There are upstream package versions that were never rebuilt for CentOS. For instance: If, for whatever reason, I am required to stay with nginx 1.14.1 then the missing rebuild of the packages mentioned in RHSA-2019:2799 (https://access.redhat.com/errata/RHSA-2019:2799) would leave me with a vulnerable system. The question for an OVAL feed is actually an add-on question: In the same spirit that is the base for the CentOS project itself: wouldn't such a feed be a good thing to have? Otherwise your answer could be the catch-all answer to all questions CentOS: Go get a commercial subscription. Personally, I think such an answer is not very helpful. So what do you think about the underlying issue? Under what argumentation does it NOT constitute to be an issue? Modules suck .. :) But that is built and in the repo .. dnf list 'nginx*' nginx.x86_64 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream nginx-all-modules.noarch 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream nginx-filesystem.noarch 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream nginx-mod-http-image-filter.x86_64 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream nginx-mod-http-perl.x86_64 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream nginx-mod-http-xslt-filter.x86_64 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream nginx-mod-mail.x86_64 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream nginx-mod-stream.x86_64 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream As I have said before .. mbbox (the item used to build modules) adds an index code (the 184) and a part of the git commit (e34fea82) .. so this will always be different between RHEL and CentOS .. because we use different builders and a different git repo. Red Hat's RHEL index code is 4108 and the git commit is af250afe Thanks a lot for pointing that out! That explains part of the problem. The corresponding source RPMs are indeed identical (I checked :-) ), so the packages were (indeed) rebuilt. That was not at all obvious to me. OTOH: I probably would have guessed if there had been a corresponding e-mail to Centos-Announce. At this point, I would like to add that I am extremely impressed by the CentOS project and that I do not want to blame anybody for forgetting such an e-mail (or maybe it was just lost somewhere in SMTP-land) - I just want to state that fact. Thanks for putting in all that hard work! With that new knowledge, I also checked my other issues wrt to the container-tools package: Same module issue. So there is a pattern. But there is also the pattern that I cannot find the corresponding CentOS-Announce e-mail. Strange, isn't it? This still leaves me wondering if there should be an attempt at providing a CentOS OVAL file similar to the one by RH that is not generated by taking the upstream file and running some uninspired sed-script on it, like (for reference): sed -e 's,/etc/redhat-release,/etc/centos-release,g' -e 's/199e2f91fd431d51/05b555b38483c65d/g' However, the question could be asked if such an OVAL file would be of any use, in the light of possibly missing CESA announce e-Mails, because that advisory information must some be translated into the OCAL XML. Having said all this: maybe there is some deeper problem here, because of that pattern of missing announce e-mails that correspond with packages that differ in the final version number with respect to the upstream package. Or is this just a coincidence? We understand that there are no announcements for CentOS 8 .. this (the modules differences) is precisely the reason why (the names do not match up and our scripts require that). We do not have the capability to announce these at the present time. This is something that needs an engineering solution. Submissions welcome. I the mean time : https://feeds.centos.org/ -- Leon ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS Security Advisories OVAL feed??
On 05/08/2020 17:55, Johnny Hughes wrote: Having said all this: maybe there is some deeper problem here, because of that pattern of missing announce e-mails that correspond with packages that differ in the final version number with respect to the upstream package. Or is this just a coincidence? We understand that there are no announcements for CentOS 8 .. this (the modules differences) is precisely the reason why (the names do not match up and our scripts require that). We do not have the capability to announce these at the present time. This is something that needs an engineering solution. Submissions welcome. Thanks for the clarification. This explains exactly what I have seen. Are those scripts available somewhere? A quick search didn't turn up anything obvious... peter ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS Security Advisories OVAL feed??
On 8/5/20 10:45 AM, cen...@niob.at wrote: > On 05/08/2020 16:49, Johnny Hughes wrote: >> On 8/5/20 1:05 AM, cen...@niob.at wrote: >>> On 04/08/2020 23:50, Jon Pruente wrote: On Tue, Aug 4, 2020 at 11:34 AM wrote: > Q5) If the answer to the last question is "no": shouldn't there be > such > a resource? > CentOS doesn't publish security errata. If you need it then you should either buy RHEL, or deal with putting together your own set up with something like http://cefs.steve-meier.de/ >>> I expected just this answer, and we do have a RHEL subscription (and >>> BTW: thanks for the link). But you missed the main point by omitting the >>> other questions (especially Q1, Q2 and Q3): There are upstream package >>> versions that were never rebuilt for CentOS. >>> >>> For instance: If, for whatever reason, I am required to stay with nginx >>> 1.14.1 then the missing rebuild of the packages mentioned in >>> RHSA-2019:2799 (https://access.redhat.com/errata/RHSA-2019:2799) would >>> leave me with a vulnerable system. >>> >>> The question for an OVAL feed is actually an add-on question: In the >>> same spirit that is the base for the CentOS project itself: wouldn't >>> such a feed be a good thing to have? Otherwise your answer could be the >>> catch-all answer to all questions CentOS: Go get a commercial >>> subscription. Personally, I think such an answer is not very helpful. >>> >>> So what do you think about the underlying issue? Under what >>> argumentation does it NOT constitute to be an issue? >>> >> Modules suck .. :) >> >> But that is built and in the repo .. >> >> dnf list 'nginx*' >> >> nginx.x86_64 >> 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream >> nginx-all-modules.noarch >> 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream >> nginx-filesystem.noarch >> 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream >> nginx-mod-http-image-filter.x86_64 >> 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream >> nginx-mod-http-perl.x86_64 >> 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream >> nginx-mod-http-xslt-filter.x86_64 >> 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream >> nginx-mod-mail.x86_64 >> 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream >> nginx-mod-stream.x86_64 >> 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream >> >> As I have said before .. mbbox (the item used to build modules) adds an >> index code (the 184) and a part of the git commit (e34fea82) .. so this >> will always be different between RHEL and CentOS .. because we use >> different builders and a different git repo. Red Hat's RHEL index code >> is 4108 and the git commit is af250afe >> > Thanks a lot for pointing that out! That explains part of the problem. > The corresponding source RPMs are indeed identical (I checked :-) ), so > the packages were (indeed) rebuilt. That was not at all obvious to me. > > OTOH: I probably would have guessed if there had been a corresponding > e-mail to Centos-Announce. At this point, I would like to add that I am > extremely impressed by the CentOS project and that I do not want to > blame anybody for forgetting such an e-mail (or maybe it was just lost > somewhere in SMTP-land) - I just want to state that fact. Thanks for > putting in all that hard work! > > With that new knowledge, I also checked my other issues wrt to the > container-tools package: Same module issue. So there is a pattern. But > there is also the pattern that I cannot find the corresponding > CentOS-Announce e-mail. Strange, isn't it? > > This still leaves me wondering if there should be an attempt at > providing a CentOS OVAL file similar to the one by RH that is not > generated by taking the upstream file and running some uninspired > sed-script on it, like (for reference): > > sed -e 's,/etc/redhat-release,/etc/centos-release,g' -e > 's/199e2f91fd431d51/05b555b38483c65d/g' > > However, the question could be asked if such an OVAL file would be of > any use, in the light of possibly missing CESA announce e-Mails, because > that advisory information must some be translated into the OCAL XML. > > Having said all this: maybe there is some deeper problem here, because > of that pattern of missing announce e-mails that correspond with > packages that differ in the final version number with respect to the > upstream package. Or is this just a coincidence? > We understand that there are no announcements for CentOS 8 .. this (the modules differences) is precisely the reason why (the names do not match up and our scripts require that). We do not have the capability to announce these at the present time. This is something that needs an engineering solution. Submissions welcome. signature.asc Description: OpenPGP digital signature ___ CentOS mailing list CentOS@centos.org
Re: [CentOS] CentOS Security Advisories OVAL feed??
On 05/08/2020 16:49, Johnny Hughes wrote: On 8/5/20 1:05 AM, cen...@niob.at wrote: On 04/08/2020 23:50, Jon Pruente wrote: On Tue, Aug 4, 2020 at 11:34 AM wrote: Q5) If the answer to the last question is "no": shouldn't there be such a resource? CentOS doesn't publish security errata. If you need it then you should either buy RHEL, or deal with putting together your own set up with something like http://cefs.steve-meier.de/ I expected just this answer, and we do have a RHEL subscription (and BTW: thanks for the link). But you missed the main point by omitting the other questions (especially Q1, Q2 and Q3): There are upstream package versions that were never rebuilt for CentOS. For instance: If, for whatever reason, I am required to stay with nginx 1.14.1 then the missing rebuild of the packages mentioned in RHSA-2019:2799 (https://access.redhat.com/errata/RHSA-2019:2799) would leave me with a vulnerable system. The question for an OVAL feed is actually an add-on question: In the same spirit that is the base for the CentOS project itself: wouldn't such a feed be a good thing to have? Otherwise your answer could be the catch-all answer to all questions CentOS: Go get a commercial subscription. Personally, I think such an answer is not very helpful. So what do you think about the underlying issue? Under what argumentation does it NOT constitute to be an issue? Modules suck .. :) But that is built and in the repo .. dnf list 'nginx*' nginx.x86_64 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream nginx-all-modules.noarch 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream nginx-filesystem.noarch 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream nginx-mod-http-image-filter.x86_64 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream nginx-mod-http-perl.x86_64 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream nginx-mod-http-xslt-filter.x86_64 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream nginx-mod-mail.x86_64 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream nginx-mod-stream.x86_64 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream As I have said before .. mbbox (the item used to build modules) adds an index code (the 184) and a part of the git commit (e34fea82) .. so this will always be different between RHEL and CentOS .. because we use different builders and a different git repo. Red Hat's RHEL index code is 4108 and the git commit is af250afe Thanks a lot for pointing that out! That explains part of the problem. The corresponding source RPMs are indeed identical (I checked :-) ), so the packages were (indeed) rebuilt. That was not at all obvious to me. OTOH: I probably would have guessed if there had been a corresponding e-mail to Centos-Announce. At this point, I would like to add that I am extremely impressed by the CentOS project and that I do not want to blame anybody for forgetting such an e-mail (or maybe it was just lost somewhere in SMTP-land) - I just want to state that fact. Thanks for putting in all that hard work! With that new knowledge, I also checked my other issues wrt to the container-tools package: Same module issue. So there is a pattern. But there is also the pattern that I cannot find the corresponding CentOS-Announce e-mail. Strange, isn't it? This still leaves me wondering if there should be an attempt at providing a CentOS OVAL file similar to the one by RH that is not generated by taking the upstream file and running some uninspired sed-script on it, like (for reference): sed -e 's,/etc/redhat-release,/etc/centos-release,g' -e 's/199e2f91fd431d51/05b555b38483c65d/g' However, the question could be asked if such an OVAL file would be of any use, in the light of possibly missing CESA announce e-Mails, because that advisory information must some be translated into the OCAL XML. Having said all this: maybe there is some deeper problem here, because of that pattern of missing announce e-mails that correspond with packages that differ in the final version number with respect to the upstream package. Or is this just a coincidence? peter ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS Security Advisories OVAL feed??
On 8/5/20 1:05 AM, cen...@niob.at wrote: > On 04/08/2020 23:50, Jon Pruente wrote: >> On Tue, Aug 4, 2020 at 11:34 AM wrote: >> >>> Q5) If the answer to the last question is "no": shouldn't there be such >>> a resource? >>> >> CentOS doesn't publish security errata. If you need it then you should >> either buy RHEL, or deal with putting together your own set up with >> something like http://cefs.steve-meier.de/ > > I expected just this answer, and we do have a RHEL subscription (and > BTW: thanks for the link). But you missed the main point by omitting the > other questions (especially Q1, Q2 and Q3): There are upstream package > versions that were never rebuilt for CentOS. > > For instance: If, for whatever reason, I am required to stay with nginx > 1.14.1 then the missing rebuild of the packages mentioned in > RHSA-2019:2799 (https://access.redhat.com/errata/RHSA-2019:2799) would > leave me with a vulnerable system. > > The question for an OVAL feed is actually an add-on question: In the > same spirit that is the base for the CentOS project itself: wouldn't > such a feed be a good thing to have? Otherwise your answer could be the > catch-all answer to all questions CentOS: Go get a commercial > subscription. Personally, I think such an answer is not very helpful. > > So what do you think about the underlying issue? Under what > argumentation does it NOT constitute to be an issue? > Modules suck .. :) But that is built and in the repo .. dnf list 'nginx*' nginx.x86_64 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream nginx-all-modules.noarch 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream nginx-filesystem.noarch 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream nginx-mod-http-image-filter.x86_64 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream nginx-mod-http-perl.x86_64 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream nginx-mod-http-xslt-filter.x86_64 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream nginx-mod-mail.x86_64 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream nginx-mod-stream.x86_64 1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream As I have said before .. mbbox (the item used to build modules) adds an index code (the 184) and a part of the git commit (e34fea82) .. so this will always be different between RHEL and CentOS .. because we use different builders and a different git repo. Red Hat's RHEL index code is 4108 and the git commit is af250afe signature.asc Description: OpenPGP digital signature ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS Security Advisories OVAL feed??
On 04/08/2020 23:50, Jon Pruente wrote: On Tue, Aug 4, 2020 at 11:34 AM wrote: Q5) If the answer to the last question is "no": shouldn't there be such a resource? CentOS doesn't publish security errata. If you need it then you should either buy RHEL, or deal with putting together your own set up with something like http://cefs.steve-meier.de/ I expected just this answer, and we do have a RHEL subscription (and BTW: thanks for the link). But you missed the main point by omitting the other questions (especially Q1, Q2 and Q3): There are upstream package versions that were never rebuilt for CentOS. For instance: If, for whatever reason, I am required to stay with nginx 1.14.1 then the missing rebuild of the packages mentioned in RHSA-2019:2799 (https://access.redhat.com/errata/RHSA-2019:2799) would leave me with a vulnerable system. The question for an OVAL feed is actually an add-on question: In the same spirit that is the base for the CentOS project itself: wouldn't such a feed be a good thing to have? Otherwise your answer could be the catch-all answer to all questions CentOS: Go get a commercial subscription. Personally, I think such an answer is not very helpful. So what do you think about the underlying issue? Under what argumentation does it NOT constitute to be an issue? peter ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS Security Advisories OVAL feed??
On Tue, Aug 4, 2020 at 11:34 AM wrote: > Q5) If the answer to the last question is "no": shouldn't there be such > a resource? > CentOS doesn't publish security errata. If you need it then you should either buy RHEL, or deal with putting together your own set up with something like http://cefs.steve-meier.de/ ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
[CentOS] CentOS Security Advisories OVAL feed??
Dear List, I have spent some time playing around with oscap and the RHEL OVAL feed (https://www.redhat.com/security/data/oval/v2/RHEL8/, also check Chapter 16 of the RHEL 8 Design Guide). Because I could not find an existing OVAL file for CentOS, I downloaded one of the RHEL8 files and managed to modify (eg. the rhel-8.1-e4s.oval.xml) it to make it work on a CentOS machine. Basically I just had to change the package signing key check to use the CentOS key and I had to replace the redhat-release RPM package name with "centos-release". Obviously, this would violate all kinds of rights if redistributed, due to the fact that the upstream vendor is named all over the place, but technically it "worked". On an internal system running a freshly updated CentOS 8.1 system I ended up with three errors, titled: * RHSA-2019:4269: container-tools:rhel8 security and bug fix update (Important) * RHSA-2019:3403: container-tools:rhel8 security, bug fix, and enhancement update (Important) * RHSA-2019:2799: nginx:1.14 security update (Important) This raises some questions (some of them connected), namely: Q1) There are no equivalent CESA advisories for those RHSA advisories: why is that? Note that there are also no equivalent CentOS packages to those mentioned in the RHSA advisories. (My guess: because, when the advisories where issued, Centos already had moved on to 8.2) Q2) Does this indicate a problem in the release process / handling of upstream updates on the side of the CentOS project? Were the advisories missed at the time of issuance? Q3) Does this indicate that only the latest CentOS (minor) release can be considered "secure" or "patched"? Q4) Is there a native OVAL file released from the CentOS project covering these issues? It could be extremely similar to the RHEL one, but it should take the answers to the above questions into account (eg. it could require the latests minor-release and there would only be one file for CentOS 8 if the answer to Q3 is "yes"). Q5) If the answer to the last question is "no": shouldn't there be such a resource? Thanks for any answers. peter ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS security advisories
Joshua Bahnsen wrote: That's really my question. Is there any particular reason why not all Red Hat advisories (RHEA, RHBA and RHSA) have a CentOS counterpart? Is this due to time constraints, demand, or some other legal reason? Ah. Historical Reasons, probably. All RHSAs should be there, RHBAs just haven't been announced for 4 - there's no other appalling reason I could think of at the moment :) I'm not sure about RHEAs, though. Ralph pgpqYjrgrLCLr.pgp Description: PGP signature ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS security advisories
On 06/17/2009 09:56 AM, Ralph Angenendt wrote: Historical Reasons, probably. All RHSAs should be there, RHBAs just haven't been announced for 4 - there's no other appalling reason I could think of at the moment :) with the new process's going in - that should change. I'm not sure about RHEAs, though. We have done most for C5, not all for C4. The tricky situation is also for the updates when a new iso set is released, eg 5.2 - 5.3, upstream tend to publish a report for each package that is out there, we havent done that 'traditionally'. Given time and resources, I am sure we can revisit that, if anyone is really interested. - KB ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS security advisories
The tricky situation is also for the updates when a new iso set is released, eg 5.2 - 5.3, upstream tend to publish a report for each package that is out there, we havent done that 'traditionally'. Given time and resources, I am sure we can revisit that, if anyone is really interested. - KB I believe that's where I am seeing the biggest discrepancy. Has there been any discussion to put the advisory data in an updateinfo.xml form for use with the yum-security plugin? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS security advisories
Is there an alternate location (other than the mailing list archive) where a list of the advisories can be found? Joshua Bahnsen -Original Message- From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Karanbir Singh Sent: Wednesday, June 17, 2009 2:52 AM To: centos@centos.org Subject: Re: [CentOS] CentOS security advisories On 06/17/2009 09:56 AM, Ralph Angenendt wrote: Historical Reasons, probably. All RHSAs should be there, RHBAs just haven't been announced for 4 - there's no other appalling reason I could think of at the moment :) with the new process's going in - that should change. I'm not sure about RHEAs, though. We have done most for C5, not all for C4. The tricky situation is also for the updates when a new iso set is released, eg 5.2 - 5.3, upstream tend to publish a report for each package that is out there, we havent done that 'traditionally'. Given time and resources, I am sure we can revisit that, if anyone is really interested. - KB ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS security advisories
Joshua Bahnsen wrote: I believe that's where I am seeing the biggest discrepancy. Has there been any discussion to put the advisory data in an updateinfo.xml form for use with the yum-security plugin? yes, its come up a few times, there has been some work done on it as well, however there is no automated way to get this info without breaching the rhn aup's - and I have zero interest in trawling through bugzilla and typing all these things out. If you want to propose a process to make this happen, I am all ears ( and eyes ). -- Karanbir Singh : http://www.karan.org/ : 2522...@icq ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS security advisories
What exactly do you mean by breaching the rhn aup's? Joshua Bahnsen -Original Message- From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Karanbir Singh Sent: Wednesday, June 17, 2009 3:59 PM To: CentOS mailing list Subject: Re: [CentOS] CentOS security advisories Joshua Bahnsen wrote: I believe that's where I am seeing the biggest discrepancy. Has there been any discussion to put the advisory data in an updateinfo.xml form for use with the yum-security plugin? yes, its come up a few times, there has been some work done on it as well, however there is no automated way to get this info without breaching the rhn aup's - and I have zero interest in trawling through bugzilla and typing all these things out. If you want to propose a process to make this happen, I am all ears ( and eyes ). -- Karanbir Singh : http://www.karan.org/ : 2522...@icq ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS security advisories
What I mean is, is there a specific Red Hat web page that defines what is acceptable and what is not? Joshua Bahnsen -Original Message- From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Joshua Bahnsen Sent: Wednesday, June 17, 2009 4:14 PM To: CentOS mailing list Subject: Re: [CentOS] CentOS security advisories What exactly do you mean by breaching the rhn aup's? Joshua Bahnsen -Original Message- From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Karanbir Singh Sent: Wednesday, June 17, 2009 3:59 PM To: CentOS mailing list Subject: Re: [CentOS] CentOS security advisories Joshua Bahnsen wrote: I believe that's where I am seeing the biggest discrepancy. Has there been any discussion to put the advisory data in an updateinfo.xml form for use with the yum-security plugin? yes, its come up a few times, there has been some work done on it as well, however there is no automated way to get this info without breaching the rhn aup's - and I have zero interest in trawling through bugzilla and typing all these things out. If you want to propose a process to make this happen, I am all ears ( and eyes ). -- Karanbir Singh : http://www.karan.org/ : 2522...@icq ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS security advisories
I assume you mean this? http://www.redhat.com/legal/legal_statement.html Sorry the for spam... Joshua Bahnsen -Original Message- From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Joshua Bahnsen Sent: Wednesday, June 17, 2009 4:15 PM To: CentOS mailing list Subject: Re: [CentOS] CentOS security advisories What I mean is, is there a specific Red Hat web page that defines what is acceptable and what is not? Joshua Bahnsen -Original Message- From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Joshua Bahnsen Sent: Wednesday, June 17, 2009 4:14 PM To: CentOS mailing list Subject: Re: [CentOS] CentOS security advisories What exactly do you mean by breaching the rhn aup's? Joshua Bahnsen -Original Message- From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Karanbir Singh Sent: Wednesday, June 17, 2009 3:59 PM To: CentOS mailing list Subject: Re: [CentOS] CentOS security advisories Joshua Bahnsen wrote: I believe that's where I am seeing the biggest discrepancy. Has there been any discussion to put the advisory data in an updateinfo.xml form for use with the yum-security plugin? yes, its come up a few times, there has been some work done on it as well, however there is no automated way to get this info without breaching the rhn aup's - and I have zero interest in trawling through bugzilla and typing all these things out. If you want to propose a process to make this happen, I am all ears ( and eyes ). -- Karanbir Singh : http://www.karan.org/ : 2522...@icq ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
[CentOS] CentOS security advisories
On Wed, 17 Jun 2009, Joshua Bahnsen wrote: I assume you mean this? http://www.redhat.com/legal/legal_statement.html That is an assumption you make, all right --- that page does not state it is exhaustive, however ... What I mean is, is there a specific Red Hat web page that defines what is acceptable and what is not? Feel free to ask them, just not on this list What exactly do you mean by breaching the rhn aup's? Red Hat's outside counsel has made a statement asserting (in part) CentOS project misbehavior by so-called 'deep linking' as follows: Moreover, our client does not allow others [in a letter directed to asserted improper CentOS project behavior] to provide links to our client's web site without permission. earlier: K B Singh wrote: yes, its come up a few times, there has been some work done on it as well, however there is no automated way to get this info without breaching the rhn aup's I realize you [Joshua Bahnsen] feel a need to top post for some reason, but it simply means that context threading is broken. Red Hat's counsel threatened litigation against the project if it did not address various alleged issues: ... we trust that this issue can be resolved promptly and amicably and appreciate your attention to this matter. We look forward to your reply and request a response no later than February 4, 2005 Why would the project go again near a sharp edge that Red Hat has chosen to take offense at? Who shall insure and indemnify the project and its members against the costs of defense, let alone any damages award? Please note that I do not need a reply on that question, as it is clearly a rhetorical question. -- Russ herrold ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS security advisories
-Original Message- From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of R P Herrold Sent: Wednesday, June 17, 2009 5:37 PM To: CentOS mailing list Subject: [CentOS] CentOS security advisories On Wed, 17 Jun 2009, Joshua Bahnsen wrote: I assume you mean this? http://www.redhat.com/legal/legal_statement.html That is an assumption you make, all right --- that page does not state it is exhaustive, however ... What I mean is, is there a specific Red Hat web page that defines what is acceptable and what is not? Feel free to ask them, just not on this list What exactly do you mean by breaching the rhn aup's? Red Hat's outside counsel has made a statement asserting (in part) CentOS project misbehavior by so-called 'deep linking' as follows: Moreover, our client does not allow others [in a letter directed to asserted improper CentOS project behavior] to provide links to our client's web site without permission. earlier: K B Singh wrote: yes, its come up a few times, there has been some work done on it as well, however there is no automated way to get this info without breaching the rhn aup's I realize you [Joshua Bahnsen] feel a need to top post for some reason, but it simply means that context threading is broken. Red Hat's counsel threatened litigation against the project if it did not address various alleged issues: ... we trust that this issue can be resolved promptly and amicably and appreciate your attention to this matter. We look forward to your reply and request a response no later than February 4, 2005 Why would the project go again near a sharp edge that Red Hat has chosen to take offense at? Who shall insure and indemnify the project and its members against the costs of defense, let alone any damages award? Please note that I do not need a reply on that question, as it is clearly a rhetorical question. -- Russ herrold ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos [Joshua Bahnsen] I don't want to cause any trouble here, but what does this have to do with generating advisory information that is provided by the vendor? Are there legal questions around clicking around the publicly available advisory data and generating XML based on that information? Obviously CentOS is generating *SOME* of the data provided by the vendor but not all. I'm merely trying to figure out: 1. Why there is a discrepancy (legal?, time?, need?, etc.) 2. If there is an alternate location to find this advisory information for CentOS 3. If anyone has tried to combine this data into a format consumable by yum-security 4. If using the advisory data provided on the vendor website and changing the title is a valid approach to generate advisory data in which the rpms are named the same I believe this feature (patching based on advisories) would be advantageous to end users. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
[CentOS] CentOS security advisories
On Wed, 17 Jun 2009, Joshua Bahnsen wrote: I don't want to cause any trouble here, but what does this have to do with generating advisory information that is provided by the vendor? ... if you won't acknowledge the landmines, you get blown up, eventually, I hear I believe this feature [insert desired pony here] would be advantageous to end users. Please feel free to code an implementation of any proposed process to yield what you deem a desireable feature enhancement for the CentOS project, and run in in demonstration for review. Assuming it is FOSS licensed, we'll look. The documents group already does this as to wiki content creation. TANSTAAFL for any material coding effort. -- Russ herrold ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS security advisories
Joshua Bahnsen wrote: I have been looking at the security advisories provided here: http://lists.centos.org/pipermail/centos-announce/ It appears that there is not a 1:1 correlation between advisories listed here and advisories listed by Red Hat: https://rhn.redhat.com/errata Is there a specific reason for this? Can you expand on that? CentOS does not announce RHBAs (Bugfix updates) for at least CentOS 4. Ralph pgpAwgjtMRVai.pgp Description: PGP signature ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS security advisories
That's really my question. Is there any particular reason why not all Red Hat advisories (RHEA, RHBA and RHSA) have a CentOS counterpart? Is this due to time constraints, demand, or some other legal reason? Joshua Bahnsen, Software Developer O : 480.663.8787 | joshua.bahn...@lumension.com Lumension | 15880 N. Greenway-Hayden Loop Suite 100 | Scottsdale, AZ 85260 -Original Message- From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Ralph Angenendt Sent: Tuesday, June 16, 2009 2:28 AM To: centos@centos.org Subject: Re: [CentOS] CentOS security advisories Joshua Bahnsen wrote: I have been looking at the security advisories provided here: http://lists.centos.org/pipermail/centos-announce/ It appears that there is not a 1:1 correlation between advisories listed here and advisories listed by Red Hat: https://rhn.redhat.com/errata Is there a specific reason for this? Can you expand on that? CentOS does not announce RHBAs (Bugfix updates) for at least CentOS 4. Ralph ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
[CentOS] CentOS security advisories
I have been looking at the security advisories provided here: http://lists.centos.org/pipermail/centos-announce/ It appears that there is not a 1:1 correlation between advisories listed here and advisories listed by Red Hat: https://rhn.redhat.com/errata Is there a specific reason for this? Also, is there an alternate location to find all Errata information for CentOS? Joshua Bahnsen ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
