Scientific Linux Forum.org

yum-plugin-security issue
sluser
 Posted: May 18 2012, 11:37 PM
Can someone clarify why the following is occurring in my SL6.2 install? Somehow these updates, from CVE-2011-4086, don't show up under the filtered --security call:

CODE
# yum --security check-update
Loaded plugins: downloadonly, fastestmirror, priorities, refresh-packagekit, security
Repository google-chrome is listed more than once in the configuration
Loading mirror speeds from cached hostfile
* epel: mirror.steadfast.net
* rpmforge: mirror.us.leaseweb.net
* sl: ftp.scientificlinux.org
* sl-security: ftp.scientificlinux.org
1883 packages excluded due to repository priority protections
Limiting package lists to security relevant ones
No packages needed for security; 6 packages available


CODE
# yum check-update
Loading mirror speeds from cached hostfile
* epel: mirror.steadfast.net
* rpmforge: mirror.us.leaseweb.net
* sl: ftp.scientificlinux.org
* sl-security: ftp.scientificlinux.org
1883 packages excluded due to repository priority protections

kernel.x86_64            2.6.32-220.17.1.el6   sl-security
kernel-devel.x86_64      2.6.32-220.17.1.el6   sl-security
kernel-firmware.noarch   2.6.32-220.17.1.el6   sl-security
kernel-headers.x86_64    2.6.32-220.17.1.el6   sl-security
perf.x86_64              2.6.32-220.17.1.el6   sl-security
AndrewSerk
 Posted: May 19 2012, 01:14 AM
The reason it doesn't show up is that there is no CVE-2011-4086, at least that I can find.
CODE
# yum updateinfo info --cve CVE-2011-4086
Loaded plugins: fastestmirror, refresh-packagekit, security
CVE "CVE-2011-4086" not found applicable for this system
# yum --cve CVE-2011-4086 info update
Loaded plugins: fastestmirror, refresh-packagekit, security
Error: No matching Packages to list


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4086

http://web.nvd.nist.gov/view/vuln/search-results?query=CVE-2011-4086&search_type=all&cves=on

Here is a link to the US-CERT weekly summaries for 2011 that may help: http://www.us-cert.gov/cas/bulletins/2011.html
toracat
 Posted: May 19 2012, 01:43 AM
Actually... CVE-2011-4086 was addressed in the latest kernel update (TUV's announcement). And the kernel packages showed up in the yum command as seen in the OP's post.

However, they did not appear when the --security option was used in the yum command. This is because security information is available in TUV's repo but not in SL's repo. The same is true with CentOS, by the way. So, yum --security will not work in either distro (SL/CentOS).

However, SL offers 2 separate repos to distinguish security-related (sl-security) and non-security-related (sl-fastbugs) packages. sl-security is enabled by default, therefore kernel updates were listed in the yum check-update command.


--------------------
ELRepo: repository specialized in hardware support for EL
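The behaviour toracat describes above (the SL repos ship no security metadata, so the security plugin has nothing to filter on) can be checked directly: yum-plugin-security reads the "updateinfo" entry that a repository advertises in repodata/repomd.xml, and a repo without that entry will always answer "No packages needed for security". The script below is an added example, not code from this thread or from Scientific Linux; the two repomd.xml fragments are constructed sample data, and check_live_repo assumes a base URL under which repodata/repomd.xml is served.

```shell
#!/bin/sh
# Added example (not from the forum thread or from Scientific Linux).
# yum-plugin-security (--security, --cve, updateinfo) filters on the
# "updateinfo" metadata that a repo advertises in repodata/repomd.xml as
# <data type="updateinfo">. A repo without it makes "yum --security" report
# "No packages needed for security" even while security fixes are pending.

# repomd_has_updateinfo FILE
#   exit 0 if FILE declares an updateinfo data entry, 1 otherwise
repomd_has_updateinfo() {
    grep -q '<data type="updateinfo">' "$1"
}

# classify_repo NAME FILE
#   print a one-line verdict for a repo whose repomd.xml is stored in FILE
classify_repo() {
    if repomd_has_updateinfo "$2"; then
        echo "$1: updateinfo present; --security filtering is meaningful"
    else
        echo "$1: no updateinfo; --security matches nothing here, rely on the security/fastbugs repo split"
    fi
}

# check_live_repo NAME BASEURL
#   fetch BASEURL/repodata/repomd.xml (needs network and curl) and classify it
check_live_repo() {
    tmp=$(mktemp) || return 1
    if curl -sf "$2/repodata/repomd.xml" -o "$tmp"; then
        classify_repo "$1" "$tmp"
    else
        echo "$1: could not fetch repomd.xml from $2"
    fi
    rm -f "$tmp"
}

# Constructed sample metadata (not real repository content) so the script
# runs offline: one repomd.xml that carries updateinfo, one that does not.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/with.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary"><location href="repodata/primary.xml.gz"/></data>
  <data type="updateinfo"><location href="repodata/updateinfo.xml.gz"/></data>
</repomd>
EOF
cat > "$DEMO_DIR/without.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary"><location href="repodata/primary.xml.gz"/></data>
  <data type="filelists"><location href="repodata/filelists.xml.gz"/></data>
</repomd>
EOF

classify_repo vendor-with-errata "$DEMO_DIR/with.xml"
classify_repo sl-security "$DEMO_DIR/without.xml"
# To test a real mirror instead (placeholder URL, substitute your own):
#   check_live_repo sl-security http://EXAMPLE-MIRROR/path/to/repo
```

Run it against each enabled repo's base URL before trusting a --security run or USE_YUMSEC: a repo that reports "no updateinfo" needs the sl-security/sl-fastbugs split, as the thread describes, rather than the plugin's filter.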
AndrewSerk
 Posted: May 19 2012, 02:03 AM
Well, I'll be whatchamacallit. I wonder why it wasn't in the search results from http://cve.mitre.org/ or http://web.nvd.nist.gov/view/vuln/search/ ?

Thanks toracat
sluser
 Posted: May 19 2012, 03:39 AM
QUOTE (toracat @ May 19 2012, 01:43 AM)
Actually... CVE-2011-4086 was addressed in the latest kernel update ( TUV's announcement). And the kernel packages showed up in the yum command as seen in the OP's post.

However, they did not appear when the --security option was used in the yum command. This is because security information is available in the TUV's repo but not in SL's repo. The same is true with CentOS, by the way. So, yum --security will not work in either distro (SL/CentOS)

However, SL offers 2 separate repos to distinguish security-related (sl-security) and non-security-related (sl-fastbugs) packages. sl-security is enabled by default, therefore kernel updates were listed in the yum check-update command.



I think this could lead to trouble then, because, if one were to turn on yum-autoupdate's USE_YUMSEC flag, one might think that they would be getting all important security updates automatically, when, in fact, they aren't. Isn't this correct?

If this is all as it seems to be, this package probably shouldn't be offered in SL at all, since it doesn't work.

I guess the alternative is to always do something like:
yum --disablerepo=\* --enablerepo="sl-security" check-update

and for yum-autoupdate to use a custom yum.conf?

toracat
 Posted: May 19 2012, 05:30 AM
QUOTE (sluser @ May 18 2012, 07:39 PM)

I think this could lead to trouble then, because, if one were to turn on yum-autoupdate's USE_YUMSEC flag, one might think that they would be getting all important security updates automatically, when, in fact, they aren't. Isn't this correct?

I was not aware of the USE_YUMSEC option. Yes, enabling it will add the "--security" flag to the yum command, so no package would be found from the SL repos.

QUOTE

If this is all as it seems to be, this package probably shouldn't be offered in SL at all, since it doesn't work.

The default is "false". Unless one changes it to "true", yum-autoupdate works just fine. So, I think what can be done is to remove the USE_YUMSEC option from the config file.

What do you think?

