RPMs and CVEs

From Brandonhutchinson.com

Revision as of 15:34, 4 September 2009 by Hutch (Talk | contribs)
(diff) ←Older revision | Current revision (diff) | Newer revision→ (diff)
Jump to: navigation, search

Vulnerability Assessment (VA) tools commonly flag services on our Red Hat systems as potentially vulnerable based on the services' versions alone. Since Red Hat backports security fixes into its packages, the packages may already be patched to address the vulnerabilities. Note that VA tools that support the Open Vulnerability and Assessment Language (OVAL) can determine the status of vulnerabilities even with backported fixes.

VA tools often refererence vulnerabilities by their Common Vulnerabilities and Exposures (CVE) number. One of the easiest ways to determine if a Red Hat package is patched for a particular CVE is to examine the package's changelog.

$ rpm -q package --changelog | egrep "(CAN|CVE)-"

Note that starting on 2005/10/19, the CAN- prefix is no longer used for candidate CVE entries. It should be included in the above search for any 2005 or earlier CVE's.

If the CVE's are not found in the package changelog, check the below Red Hat vulnerabilities by CVE name link for more information on how the CVE affects Red Hat products.


Personal tools