Changes between Version 12 and Version 13 of HowTo/ManageCustomImages
Timestamp: 05/13/16 09:59:20
HowTo/ManageCustomImages
Unmodified (both versions):

As an example vulnerability announcement, here are the emails from both Ubuntu and CentOS Security lists regarding the libc vulnerability announced on in February 2016:

Version 12 (removed):

https://lists.centos.org/pipermail/centos-announce/2016-February/021668.html

https://lists.ubuntu.com/archives/ubuntu-security-announce/2016-February/003305.html

Of note, these emails are only sent '''after''' a fix has been posted. How does one know there is a problem in the first place? If it's a big enough deal, [https://slashdot.org/ slashdot], or other news sites, will cover it.

In most cases, the OS vendors release patches the same day as the bug is publicly announced, as they are coordinating amongst themselves and with the upstream developers. As was the case with this libc bug in February.

So how do we confirm we might be effected, if there is no patch immediately available? There will probably be an article on [https://slashdot.org/ slashdot], or other news outlets. From there they might link to a vendor's page.

Here's an ongoing Vulnerability that you can reference:

https://access.redhat.com/security/vulnerabilities/drown

You can click on diagnose and there's a script you can download, to see if you are effected, or maybe some mitigation steps.

Once we identify the package, we'll check to see what we have installed and compare it to the effected versions. Remember there are various factors to consider depending on the bug. Maybe its package specific or perhaps it is OS version specific (CentOS 5 is effected but 6, or Ubuntu 12.04 is affected, but not 14.04). As an example, the libc vulnerability was addressed by different package names. The Ubuntu package is called `libc6`, and the CentOS is called `glibc` and to address the vulnerability the following instructions were given:

Version 13 (added):

|| CentOS || https://lists.centos.org/pipermail/centos-announce/2016-February/021668.html ||
|| Ubuntu || https://lists.ubuntu.com/archives/ubuntu-security-announce/2016-February/003305.html ||

Of note, these emails are only sent '''after''' a fix has been posted. How does one know there is a problem in the first place? If it's a big enough deal, [https://slashdot.org/ slashdot], or other news sites, will cover it. In most cases, the OS vendors release patches the same day as the bug is publicly announced, as they are coordinating amongst themselves and with the upstream developers. As was the case with this libc bug in February.

So how do we confirm that are images are affected if there is no patch immediately available? There will probably be an article on [https://slashdot.org/ slashdot] or other news outlets. From there they might link to a vendor's page.

If you interested in an ongoing Vulnerability that you can reference, see [https://access.redhat.com/security/vulnerabilities/drown here], where you can click on `diagnose` and download a script download, to see if you are affected, or maybe some mitigation steps.

Once you identified a package that is affected, you need to check if you have that package installed and compare it to the affected versions. Remember there are various factors to consider depending on the bug. Maybe its package specific or perhaps it is OS version specific (CentOS 5 is effected but 6, or Ubuntu 12.04 is affected, but not 14.04). As an example, the libc vulnerability was addressed by different package names. The Ubuntu package is called `libc6`, and the CentOS is called `glibc` and to address the vulnerability the following instructions were given:

Unmodified (both versions):

CentOS: {{{ # yum info glibc}}}
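Review bot: the version 13 text still carries wording errors that this revision should have fixed: "confirm that are images are affected" should read "confirm that our images are affected"; "If you interested" is missing "are"; "download a script download" repeats "download"; and the parenthetical "CentOS 5 is effected but 6" is incomplete and should read "CentOS 5 is affected but not 6" to parallel the Ubuntu 12.04 / 14.04 example ("effected" should be "affected" throughout, as the new wording already uses elsewhere). The merged paragraph beginning "Of note, these emails are only sent '''after''' a fix has been posted" also leaves the "As was the case with this libc bug in February" fragment as a standalone sentence; attaching it to the preceding sentence with a comma would make it read correctly.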