
I have list of package names with version (e.g., glibc-2.12-1.209.el6_9.1) and I need to see CVE present for this or not #71

Open
ryran opened this issue Aug 13, 2017 · 1 comment
ryran commented Aug 13, 2017

(Question sent to me via email.)

@ryran ryran added the question label Aug 13, 2017
@ryran ryran self-assigned this Aug 13, 2017

ryran commented Aug 13, 2017

First, if you're keeping your RHEL system up-to-date with the latest packages provided by Red Hat and it's just one package you're interested in, I would recommend checking this answer in the readme:

That example could be used verbatim for RHEL6 to see if there are any outstanding CVEs for the latest version of glibc.

On the other hand, if you have a list of package names of specific versions, you would be better off just using yum on the system in question.

yum yum yum

On the following test machine, I have an old version of glibc, and you can see that I'm registered, because a newer version is available.

[root@zz73 ~]# yum list glibc
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-
              : manager
Installed Packages
glibc.x86_64                   2.17-157.el7                   @anaconda/7.3     
Available Packages
glibc.i686                     2.17-196.el7                   rhel-7-server-rpms
glibc.x86_64                   2.17-196.el7                   rhel-7-server-rpms

Of course, in a perfect world, I would just update, but ...

To check for available security-specific fixes

[root@zz73 ~]# yum updateinfo security package glibc 
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-
              : manager
RHSA-2017:1481 Important/Sec. glibc-2.17-157.el7_3.4.x86_64
RHSA-2017:1916 Moderate/Sec.  glibc-2.17-196.el7.x86_64
updateinfo list done 

That shows me that YES, the latest version of glibc available does include some security fixes of severity moderate or less. Drop the trailing "package glibc" to see all available security updates. You can also do yum list updates --security or yum update --security.

To see CVEs specifically

[root@zz73 ~]# yum updateinfo cves package glibc 
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-
              : manager
 CVE-2017-1000366 Important/Sec. glibc-2.17-157.el7_3.4.x86_64
 CVE-2014-9761    Moderate/Sec.  glibc-2.17-196.el7.x86_64
 CVE-2015-8776    Moderate/Sec.  glibc-2.17-196.el7.x86_64
 CVE-2015-8777    Moderate/Sec.  glibc-2.17-196.el7.x86_64
 CVE-2015-8778    Moderate/Sec.  glibc-2.17-196.el7.x86_64
 CVE-2015-8779    Moderate/Sec.  glibc-2.17-196.el7.x86_64
updateinfo list done

This tells me that upgrading to v157.el7_3.4 will fix one CVE, and upgrading to the latest v196 will fix 5 additional CVEs.

To see one specific CVE

[root@zz73 ~]# yum updateinfo info updates --cve CVE-2016-3075
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
updateinfo info done

That tells me that the CVE in question is already patched by my installed version. To be sure, I can do:

[root@zz73 ~]# yum updateinfo info installed --cve CVE-2016-3075
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
 
===============================================================================
  Low: glibc security, bug fix, and enhancement update
===============================================================================
  Update ID : RHSA-2016:2573
    Release : 0
       Type : security
     Status : final
     Issued : 2016-11-03 06:07:14 UTC
    Updated : 2016-11-03 06:07:23 UTC
       Bugs : 971416 - Locale alias no_NO.ISO-8859-1 not working.
            : 1027348 - sem_post/sem_wait race causing sem_post to return EINVAL
            : 1064063 - Test suite failure: tst-mqueue5
            : 1099235 - CVE-2015-5277 glibc: nss_files doesn't detect ERANGE problems correctly [rhel-7.3]
            : 1140250 - Unexpected results from using posix_fallocate with nfs target
            : 1211100 - ld.so crash when audit modules provide path
            : 1211823 - iconv: missing support for HKSCS-2008 in BIG5-HKSCS in rhel7 glibc
            : 1249102 - "monstartup: out of memory" on PPC64LE
            : 1255822 - glibc: malloc may fall back to calling mmap prematurely if arenas are contended
            : 1276631 - glibc: hide backtrace from tst-malloc-backtrace
            : 1276753 - malloc: arena free list can become cyclic, increasing contention
            : 1293976 - CVE-2015-5229 glibc: calloc() returns non-zero'ed memory [rhel-7.3.0]
            : 1298354 - Backport test-skeleton.c conversions.
            : 1305406 - invalid fastbin entry (free), missing glibc patch
            : 1320596 - glibc: NULL pointer dereference in stub resolver with unconnectable name server addresses
            : 1321866 - CVE-2016-3075 glibc: Stack overflow in nss_dns_getnetbyname_r
            : 1335629 - aarch64: MINSIGSTKSZ is (much) too small
            : 1335925 - glibc: Fix aarch64 ABI issues
            : 1346397 - glibc: debug/tst-longjump_chk2 calls printf from a signal handler
       CVEs : CVE-2016-3075
Description : The glibc packages provide the standard C libraries (libc),
            : POSIX thread libraries (libpthread), standard math
            : libraries (libm), and the name service cache
            : daemon (nscd) used by multiple programs on the
            : system. Without these libraries, the Linux system
            : cannot function correctly.
            : 
            : Security Fix(es):
            : 
            : * A stack overflow vulnerability was found in
            :   _nss_dns_getnetbyname_r. On systems with
            :   nsswitch configured to include "networks: dns"
            :   with a privileged or network-facing service that
            :   would attempt to resolve user-provided network
            :   names, an attacker could provide an excessively
            :   long network name, resulting in stack corruption
            :   and code execution. (CVE-2016-3075)
            : 
            : This issue was discovered by Florian Weimer (Red
            : Hat).
            : 
            : Additional Changes:
            : 
            : For detailed information on changes in this
            : release, see the Red Hat Enterprise Linux 7.3
            : Release Notes linked from the References section.
   Severity : Low
updateinfo info done
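To answer the original question for a whole list of name-version strings rather than one package at a time, the following added example (not code from the issue author or the project) parses the output format of yum updateinfo cves shown above and reports, for a given installed package, which listed CVEs are fixed only in a newer build. It assumes the name-version-release.arch form yum prints (no epoch) and uses a simplified rpm version comparison (numeric and alphabetic segments only, no tilde or caret handling); the sample output is constructed from the lines quoted in the comment.

```python
import re

# Constructed sample: the `yum updateinfo cves package glibc` output quoted above,
# embedded here so the example runs offline without yum.
SAMPLE_UPDATEINFO = """\
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
 CVE-2017-1000366 Important/Sec. glibc-2.17-157.el7_3.4.x86_64
 CVE-2014-9761    Moderate/Sec.  glibc-2.17-196.el7.x86_64
 CVE-2015-8776    Moderate/Sec.  glibc-2.17-196.el7.x86_64
updateinfo list done
"""

CVE_LINE = re.compile(r"^\s*(CVE-\d{4}-\d+)\s+(\S+)\s+(\S+)\s*$")
NVRA = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$")

def vercmp(a, b):
    """Simplified rpmvercmp (no epoch/tilde/caret): 1 if a is newer, -1 if older, 0 if equal."""
    # rpm compares a version or release as alternating numeric and alphabetic runs
    sa, sb = (re.findall(r"[0-9]+|[a-zA-Z]+", v) for v in (a, b))
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than an alphabetic one
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # the string with more segments is newer

def split_nvra(s):
    """Split 'name-version-release.arch' (the form yum prints) into its four parts."""
    m = NVRA.match(s)
    if not m:
        raise ValueError(f"not a name-version-release.arch string: {s}")
    return m.group("name"), m.group("ver"), m.group("rel"), m.group("arch")

def unfixed_cves(installed_nvra, updateinfo_text):
    """Return [(cve, severity, fixing_nvra)] for CVEs whose fix is newer than the installed build."""
    name, ver, rel, arch = split_nvra(installed_nvra)
    result = []
    for line in updateinfo_text.splitlines():
        m = CVE_LINE.match(line)
        if not m:
            continue  # plugin banner and "updateinfo list done" lines
        cve, sev, fix = m.groups()
        fname, fver, frel, farch = split_nvra(fix)
        if (fname, farch) != (name, arch):
            continue  # a different package or architecture
        if (vercmp(fver, ver) or vercmp(frel, rel)) > 0:
            result.append((cve, sev.split("/")[0], fix))
    return result
```

Feed it the installed build from rpm -q and the real output of yum updateinfo cves to get the list of CVEs still open for that build; an empty list means every listed CVE is already fixed at or below the installed version.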
