http://www.samba.org/samba/security/CVE-2010-2063.html
How can I check to see if the Redhat (CentOS) repositories have backported a fix?
rpm -q --changelog <package name>
will show the package changelog, where vulnerabilities that have been patched in a package are enumerated. Additionally, the CentOS package announcement mailing list also gives the added portions of the changelog when the package is released.

It's a combination of RedHat Bugzilla, RedHat Errata, and CentOS mirrors.
First, using the CVE ID, visit https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-XXXX. When you see that the issue has been addressed, follow that link to the RedHat errata.
Grab the rpm version and head to a CentOS mirror.
For example, the latest sudo vulnerability (CVE-2010-1646):
bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-1646 (last comment ->)
rhn.redhat.com/errata/RHSA-2010-0475.html (copy sudo-1.7.2p1-7.el5_5.x86_64.rpm)
mirror.cs.vt.edu/pub/CentOS/5/updates/x86_64/RPMS/ (it matches RedHat's errata)
The samba vuln hasn't been packaged for CentOS and sent upstream as far as I can tell.
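
The changelog check from the first answer can be scripted so that it reports which package release mentions a given CVE ID. This is an added example, not part of either answer; the function names and the sample changelog are constructed for illustration.

```shell
#!/bin/sh
# Added example. Parses `rpm -q --changelog` output: each entry starts with a
# "* <date> <author> - <version-release>" header, followed by "- " item lines.

# cve_fix_entries CVE-ID
# Reads changelog text on stdin and prints the version-release of every
# entry that mentions the CVE ID (case-insensitive, whole ID only, so
# CVE-2010-164 does not match CVE-2010-1646).
cve_fix_entries() {
    awk -v cve="$1" '
        BEGIN  { pat = toupper(cve) "([^0-9]|$)" }
        /^\* / { ver = $NF; seen = 0; next }   # header: last field is version-release
        !seen && toupper($0) ~ pat { print ver; seen = 1 }
    '
}

# check_pkg_cve PACKAGE CVE-ID
# Returns 0 if the installed package's changelog mentions the CVE,
# 1 if it does not, 2 on bad input or if the package is not installed.
check_pkg_cve() {
    pkg=$1; cve=$2
    printf '%s\n' "$cve" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$' ||
        { echo "bad CVE ID: $cve" >&2; return 2; }
    rpm -q "$pkg" >/dev/null 2>&1 ||
        { echo "$pkg is not installed" >&2; return 2; }
    hits=$(rpm -q --changelog "$pkg" | cve_fix_entries "$cve")
    if [ -n "$hits" ]; then
        echo "$pkg: $cve mentioned in changelog for:" $hits
        return 0
    fi
    echo "$pkg: $cve not mentioned in the installed package's changelog"
    return 1
}

# Constructed sample changelog (not real package data) for offline testing.
SAMPLE_CHANGELOG='* Tue Jun 01 2010 Example Packager <pkg@example.com> - 1.7.2p1-7
- constructed entry: fix for CVE-2010-1646

* Mon Mar 01 2010 Example Packager <pkg@example.com> - 1.7.2p1-6
- constructed entry: unrelated fix (CVE-2010-0000)
'

# Usage on an RPM-based host: sh thisfile.sh sudo CVE-2010-1646
if [ "$#" -eq 2 ]; then
    check_pkg_cve "$1" "$2"
fi
```

A miss only means the ID does not appear in the installed package's changelog text; an entry may cite just a Bugzilla number, so confirm against the errata as described in the second answer.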