Changes between Version 12 and Version 13 of HowTo/ManageCustomImages


Timestamp:
05/13/16 09:59:20 (8 years ago)
Author:
lnevers@bbn.com
Comment:

  • HowTo/ManageCustomImages

    v12 v13  
    3434As an example vulnerability announcement, here are the emails from both Ubuntu and CentOS Security lists regarding the libc vulnerability announced on in February 2016:
    3535
    36  https://lists.centos.org/pipermail/centos-announce/2016-February/021668.html
     36|| CentOS || https://lists.centos.org/pipermail/centos-announce/2016-February/021668.html ||
     37||Ubuntu  || https://lists.ubuntu.com/archives/ubuntu-security-announce/2016-February/003305.html||
    3738
    38  https://lists.ubuntu.com/archives/ubuntu-security-announce/2016-February/003305.html
     39Of note, these emails are only sent '''after''' a fix has been posted. How does one know there is a problem in the first place? If it's a big enough deal, [https://slashdot.org/ slashdot], or other news sites, will cover it. In most cases, the OS vendors release patches the same day as the bug is publicly announced, as they are coordinating amongst themselves and with the upstream developers.  As was the case with this libc bug in February.
    3940
    40 Of note, these emails are only sent '''after''' a fix has been posted. How does one know there is a problem in the first place? If it's a big enough deal, [https://slashdot.org/ slashdot], or other news sites, will cover it.
     41So how do we confirm that are images are affected if there is no patch immediately available?  There will probably be an article on [https://slashdot.org/ slashdot] or other news outlets.  From there they might link to a vendor's page.
    4142
    42 In most cases, the OS vendors release patches the same day as the bug is publicly announced, as they are coordinating amongst themselves and with the upstream developers.  As was the case with this libc bug in February.
     43If you interested in an ongoing Vulnerability that you can reference, see  [https://access.redhat.com/security/vulnerabilities/drown here], where you can click on `diagnose` and download a script download, to see if you are affected, or maybe some mitigation steps.
    4344
    44 So how do we confirm we might be effected, if there is no patch immediately available?  There will probably be an article on [https://slashdot.org/ slashdot], or other news outlets.  From there they might link to a vendor's page.
    45 
    46 Here's an ongoing Vulnerability that you can reference:
    47 
    48 https://access.redhat.com/security/vulnerabilities/drown 
    49 
    50 You can click on diagnose and there's a script you can download, to see if you are effected, or maybe some mitigation steps.
    51 
    52 Once we identify the package, we'll check to see what we have installed and compare it to the effected versions.  Remember there are various factors to consider depending on the bug. Maybe its package specific or perhaps it is OS version specific (CentOS 5 is effected but 6, or Ubuntu 12.04 is affected, but not 14.04). As an example, the libc vulnerability was addressed by different package names. The Ubuntu package is called `libc6`, and the CentOS is called `glibc` and to address the vulnerability the following instructions were given:
     45Once you identified a package that is affected, you need to check if you have that package installed and compare it to the affected versions.  Remember there are various factors to consider depending on the bug. Maybe its package specific or perhaps it is OS version specific (CentOS 5 is effected but 6, or Ubuntu 12.04 is affected, but not 14.04). As an example, the libc vulnerability was addressed by different package names. The Ubuntu package is called `libc6`, and the CentOS is called `glibc` and to address the vulnerability the following instructions were given:
    5346
    5447CentOS: {{{ # yum info glibc}}}
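Review bot: the rewritten paragraph at v13 line 41 introduces a typo the v12 text did not have: "that are images are affected" should read "that our images are affected". The new sentence at v13 line 43 has two more ("If you interested" is missing "are", and "download a script download" repeats the word), and the retained sentence at v13 line 45 still mixes "effected" and "affected" and drops a "not" in "(CentOS 5 is effected but 6, ...)". Suggested wording for line 43: "If you are interested in an ongoing vulnerability that you can reference, see [https://access.redhat.com/security/vulnerabilities/drown here], where you can click on `diagnose` and download a script that checks whether you are affected, along with any mitigation steps." One content point for the same region: `yum info glibc` at v13 line 47 prints both an "Installed Packages" and an "Available Packages" section, so the "compare what we have installed to the affected versions" step should say which version/release field to read, or use `rpm -q glibc`, which reports only the installed package. Since the DROWN page is a live vendor page that will not stay "ongoing", dating that reference would also help future readers.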