
Most Linux distros provide a page where you can check whether the latest package has any security vulnerabilities and what version they are fixed in.

I understand that CentOS derives most of its packages from RHEL, which has that kind of page here: https://access.redhat.com/security/cve/

Unfortunately, though, it looks like CentOS takes the RHEL version numbers and changes them, so it's not possible to check what base version of the RHEL package it came from and whether a particular CVE is fixed in the CentOS package.

As an example, can anyone tell me what version of OpenSSH in CentOS fixes CVE-2014-2653? Is there an easy way (similar to the Red Hat site) to find that info for any CVE and any CentOS package?

TimC

1 Answer


So it appears that the Red Hat errata and CentOS errata are the same numbers.

This is Red Hat's format:

 RHSA-YYYY-####

And this is CentOS' format:

 CESA-YYYY:####

Where #### is the same number for both. So, to solve your example question, here's what I did:

  1. I went on the Red Hat site and searched for the CVE number. This led me to the CVE page that linked to errata RHSA-2014-1552.

  2. CentOS releases its errata on a publicly archived mailing list. In that email, they have the "CentOS Errata and Security Advisory" number, and the package they uploaded to fix it. Now I use the magic of Google and search for "CESA-2014:1552". site:lists.centos.org is optional, since it should be the first result regardless of domain restriction. The search leads me to this email listing the updates to OpenSSH packages. Click the link for the list.

It's not as easy as searching a central online repository (which CentOS woefully does not have) but you can get from point A to B without too much finagling.

Ohnana
  • I think that's the right answer - thank you! Just out of interest, how did you figure out the RHSA/CESA link? – TimC Jan 30 '15 at 14:31
  • I'm subscribed to the CESA mailing list. I looked at my email this morning and went "huh. Ain't that something." :) – Ohnana Jan 30 '15 at 15:00
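A small helper, added here as an example and not part of the answer above, that encodes the mapping the answer describes: it converts between the RHSA-YYYY-#### and CESA-YYYY:#### forms, builds the search string from step 2, and picks the affected package out of centos-announce subject lines. The subject lines are constructed samples and their layout is an assumption, not something quoted from the page.

```python
import re

# Advisory ids as the answer describes them: Red Hat writes RHSA-YYYY-####,
# CentOS writes CESA-YYYY:####, and #### is the same number in both.
# Red Hat's own pages also use a colon, so either separator is accepted.
ADVISORY_RE = re.compile(
    r"^(?P<vendor>RHSA|CESA)-(?P<year>\d{4})[-:](?P<num>\d{4,5})$"
)

def parse_advisory(ident):
    """Split an RHSA/CESA id into (vendor, year, number); reject anything else."""
    m = ADVISORY_RE.match(ident.strip())
    if not m:
        raise ValueError(f"not an RHSA/CESA advisory id: {ident!r}")
    return m.group("vendor"), m.group("year"), m.group("num")

def rhsa_to_cesa(ident):
    """RHSA-2014-1552 -> CESA-2014:1552 (same year and number, CentOS separator)."""
    vendor, year, num = parse_advisory(ident)
    if vendor != "RHSA":
        raise ValueError(f"expected an RHSA id, got {ident!r}")
    return f"CESA-{year}:{num}"

def cesa_to_rhsa(ident):
    """CESA-2014:1552 -> RHSA-2014-1552, the form used in the answer."""
    vendor, year, num = parse_advisory(ident)
    if vendor != "CESA":
        raise ValueError(f"expected a CESA id, got {ident!r}")
    return f"RHSA-{year}-{num}"

def list_search_query(cesa):
    """The search string from step 2, including the optional domain restriction."""
    return f'"{cesa}" site:lists.centos.org'

# Constructed sample subjects (not real list mail); the assumed layout is
# "<id> <severity> CentOS <release> <package> Update".
SAMPLE_SUBJECTS = [
    "[CentOS-announce] CESA-2014:1552 Moderate CentOS 6 openssh Update",
    "[CentOS-announce] CESA-2014:1552 Moderate CentOS 7 openssh Update",
    "[CentOS-announce] CEBA-2014:1550 CentOS 6 bash BugFix Update",
    "[CentOS-announce] CESA-2014:1653 Moderate CentOS 6 openssl Update",
]
SUBJECT_RE = re.compile(
    r"(?P<id>CESA-\d{4}:\d{4,5})\s+\w+\s+CentOS\s+(?P<rel>\d+)\s+(?P<pkg>\S+)\s+Update"
)

def packages_for_advisory(subjects, cesa):
    """Return (release, package) pairs for every subject carrying this CESA id."""
    hits = []
    for subject in subjects:
        m = SUBJECT_RE.search(subject)
        if m and m.group("id") == cesa:
            hits.append((int(m.group("rel")), m.group("pkg")))
    return hits
```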