- 06-06-2014 #1
- Join Date
- May 2014
wget vulnerability - CVE-2010-2252
We are using CentOS 5.8 with wget-1.11.4-2.el5_4.1 and need to upgrade to > 1.12 to address CVE-2010-2252.
But from the Red Hat link below I can see that Red Hat has no plans to address it in CentOS 5 and has fixed it in CentOS 6 only.
The following is the URL; since I have not posted more than 15 threads, it does not allow me to use http.
Is it possible to address this vulnerability in CentOS 5.8 itself without upgrading to CentOS 6?
Any help on this will be much appreciated.
- 06-06-2014 #2
The Red Hat Security Response Team has rated this issue as having low security impact due to the series of events required to successfully exploit it. A future update may address this flaw in Red Hat Enterprise Linux 5.
So the answer is: No, currently you cannot address this CVE in Red Hat 5.
But as a paying customer you could open a ticket and politely demand this, as rh5 is still officially supported.
I have to agree with rh though, that the impact of this CVE is fairly low.
Side topic: Much more critical would be the latest OpenSSL vulnerability, which was made public yesterday.
The patches are already available.
As for CentOS (thanks kurtdriver):
CentOS recompiles and repackages the upstream sources from Red Hat (with minor patches of its own).
So CentOS security updates are usually after Red Hat updates, but still fairly recent.
Last edited by Irithori; 06-06-2014 at 03:04 PM.
You must always face the curtain with a bow.
- 06-12-2014 #3
- Join Date
- Apr 2009
- I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
Irithori's post is very accurate. That said, you can download the sources for the later version and build it on your system if necessary. That may work, but it may have dependencies on newer base libraries that are not there on your system, which you will probably need to build as well... Kind of a catch-22 situation. I do this upon occasion, but then I am a professional Linux software developer and can deal with this stuff pretty well (usually). An example of this was my need to have a version >= 5.5.4 of PHP for RHEL/CentOS 6.x systems, when the repositories only support 5.3 and earlier. My only recourse was to do a custom build. Works great and let us develop a cell phone emulator in php that would not have been possible with earlier versions.
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!