Bug 1186717 - update for CVE-2015-0235 missed by yum --security
Summary: update for CVE-2015-0235 missed by yum --security
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: yum
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Assignee: Valentina Mukhamedzhanova
QA Contact: BaseOS QE Security Team
Reported: 2015-01-28 11:49 UTC by Dave Love
Modified: 2015-02-13 11:02 UTC (History)

Doc Type: Bug Fix
Last Closed: 2015-02-13 11:02:42 UTC



Description Dave Love 2015-01-28 11:49:53 UTC
Description of problem:

Security updates relying on yum --security (e.g. via yum-cron) don't pick up the GHOST fix.

I don't know how yum-security works, so I don't know whether the bug is actually in the repo, glibc package, or elsewhere.

Version-Release number of selected component (if applicable):

2.12-1.149.el6_6.5

How reproducible:


Steps to Reproduce:

# yum --security check-update glibc\*

Actual results:

# yum --security check-update glibc\*
Loaded plugins: auto-update-debuginfo, changelog, downloadonly, etckeeper,
              : fastestmirror, filter-data, merge-conf, post-transaction-
              : actions, priorities, product-id, protectbase, refresh-
              : packagekit, security, subscription-manager, verify, versionlock
Loading mirror speeds from cached hostfile
 * epel: mirror.bytemark.co.uk
 * epel-debuginfo: mirror.bytemark.co.uk
Skipping filters plugin, no data
0 packages excluded due to repository protections
Limiting package lists to security relevant ones
No packages needed for security; 45 packages available

Expected results:

# yum check-update glibc\*
Loaded plugins: auto-update-debuginfo, changelog, downloadonly, etckeeper,
              : fastestmirror, filter-data, merge-conf, post-transaction-
              : actions, priorities, product-id, protectbase, refresh-
              : packagekit, security, subscription-manager, verify, versionlock
Loading mirror speeds from cached hostfile
 * epel: mirror.bytemark.co.uk
 * epel-debuginfo: mirror.bytemark.co.uk
Skipping filters plugin, no data
0 packages excluded due to repository protections

glibc.i686                      2.12-1.149.el6_6.5            rhel-6-server-rpms
glibc.x86_64                    2.12-1.149.el6_6.5            rhel-6-server-rpms
glibc-common.x86_64             2.12-1.149.el6_6.5            rhel-6-server-rpms
glibc-devel.i686                2.12-1.149.el6_6.5            rhel-6-server-rpms
glibc-devel.x86_64              2.12-1.149.el6_6.5            rhel-6-server-rpms
glibc-headers.x86_64            2.12-1.149.el6_6.5            rhel-6-server-rpms

Additional info:

Comment 2 Siddhesh Poyarekar 2015-01-28 14:28:15 UTC
Not a glibc issue.  Moving to yum.

Comment 3 Valentina Mukhamedzhanova 2015-02-04 12:29:29 UTC
I can't reproduce this issue, 'yum --security check-update glibc\*' gives me the expected output.

Are you still facing this problem? It could be helpful to try to disable all plugins except product-id, security and subscription-manager, clear the cache and try again.

Comment 4 Dave Love 2015-02-09 17:33:39 UTC
I can no longer reproduce this, but I have no idea what might have changed.
Could you tell me what metadata yum-plugin-security uses so I can try to figure it
out without having to read the source?  (It gives me false positives with
check-update too, which are still present.)

Comment 5 Valentina Mukhamedzhanova 2015-02-13 11:02:42 UTC
yum-plugin-security uses the updateinfo metadata (something like /var/cache/yum/x86_64/6Server/rhel-6-server-rpms/6189da8c10e23e0a4b0ce14e30131e484ff83070d3a7db43152bf27da436a87e-updateinfo.xml.gz)

Since the issue cannot be reproduced, I am closing this. Please feel free to reopen if you have a reliable reproducer.
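The practical way to settle a "yum --security missed it" report is to look at the updateinfo metadata Comment 5 names and check whether any type="security" advisory in it actually lists the package build in question. The following is an added diagnostic, not yum's or Red Hat's code: the sample XML is constructed (the advisory id and URL are placeholders), while the element and attribute names follow the updateinfo schema that yum-plugin-security reads, and the CVE and glibc build are the ones from this report.

```python
# Added diagnostic, not yum's own code: does a repository's updateinfo metadata
# (what yum-plugin-security reads) advertise a security advisory for a package?
# The sample XML is CONSTRUCTED; the advisory id and URL are placeholders.
import gzip
import xml.etree.ElementTree as ET

SAMPLE_UPDATEINFO = """<updates>
  <update from="security@example.invalid" status="final" type="security" version="1">
    <id>EXAMPLE-2015:0001</id>
    <title>Critical: glibc security update</title>
    <references>
      <reference href="https://example.invalid/CVE-2015-0235" id="CVE-2015-0235"
                 title="CVE-2015-0235" type="cve"/>
    </references>
    <pkglist>
      <collection short="rhel-6-server-rpms">
        <package arch="x86_64" epoch="0" name="glibc" release="1.149.el6_6.5" version="2.12">
          <filename>glibc-2.12-1.149.el6_6.5.x86_64.rpm</filename>
        </package>
      </collection>
    </pkglist>
  </update>
</updates>
"""


def load_updateinfo(path):
    """Read updateinfo.xml or updateinfo.xml.gz (as cached under /var/cache/yum)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rb") as fh:
        return fh.read().decode("utf-8")


def security_advisories_for(updateinfo_xml, package_name, cve=None):
    """Return (advisory_id, cve_ids, [nevra, ...]) for each type="security" advisory
    that lists package_name and, if cve is given, references it.  An empty list
    means `yum --security` has nothing to act on for that package, even when a
    plain `check-update` shows a newer build in the repository."""
    hits = []
    for upd in ET.fromstring(updateinfo_xml).findall("update"):
        if upd.get("type") != "security":
            continue
        cves = [r.get("id") for r in upd.iter("reference") if r.get("type") == "cve"]
        if cve and cve not in cves:
            continue
        nevras = ["%s-%s-%s.%s" % (p.get("name"), p.get("version"), p.get("release"), p.get("arch"))
                  for p in upd.iter("package") if p.get("name") == package_name]
        if nevras:
            hits.append((upd.findtext("id"), cves, nevras))
    return hits
```

Run `security_advisories_for(load_updateinfo(path), "glibc", "CVE-2015-0235")` against the cached `*-updateinfo.xml.gz` of the repository that carries the package; if it returns nothing while `check-update` lists the build, the repository's metadata, not the plugin, is what is missing the advisory.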

