2
I feel yum security plugin is not working as claimed here
For example, I know there is an outstanding CVE to openssl on my system
yum changelog 2017-01 openssl
Listing changelogs since 2017-01-06
==================== Available Packages ====================
1:openssl-1.0.1e-60.el7_3.1.x86_64 updates
* Mon Feb 6 07:00:00 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-60.1
- fix CVE-2017-3731 - DoS via truncated packets with RC4-MD5 cipher
- fix CVE-2016-8610 - DoS of single-threaded servers via excessive alerts
changelog stats. 2 pkgs, 2 source pkgs, 1 changelog
But when I use yum security plugin to install the particular CVE number, I get "no packages"
sudo yum update --cve CVE-2017-3731
No packages needed for security; 629 packages available
Resolving Dependencies
I know i'm running an older version
sudo rpm -q openssl
openssl-1.0.1e-51.el7_2.5.x86_64
"yum info-sec" should also list the list of changes with errata but openssl with this CVE is not listed.
When I run "yum updateinfo info --cve" with CVE referenced above, it claims my system is not vulnerable
yum updateinfo info --cve CVE-2017-3731
Loaded plugins: changelog, fastestmirror
updateinfo info done
It seems to the same case for kernel CVE and fixes, I can't seem to rely on the security plugin to pick any recent kernel CVEs such as dirty cow or double free
[localhost ~]$ sudo yum update --advisory=RHSA-2017:0403
Loaded plugins: changelog, fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.lax.hugeserver.com
* epel: mirrors.kernel.org
* extras: centos.sonn.com
* updates: cosmos.illinois.edu
No packages needed for security; 629 packages available
Resolving Dependencies
[localhost ~]$ sudo yum updateinfo --advisory=RHSA-2017:0403
Loaded plugins: changelog, fastestmirror
updateinfo summary done
[localhost ~]$ sudo yum updateinfo RHSA-2017:0403
Loaded plugins: changelog, fastestmirror
updateinfo info done