  1. #1 (Just Joined!, joined May 2014, 10 posts)

    wget vulnerability - CVE-2010-2252


    Hi All,

    We are using CentOS 5.8 with wget-1.11.4-2.el5_4.1 and need to upgrade to > 1.12 to address CVE-2010-2252.

    But from the Red Hat link below I can see that Red Hat has no plans to address it in CentOS 5; they fixed it in CentOS 6 only.

    The following is the URL; since I have not posted more than 15 threads, it does not allow me to use http.

    access.redhat.com/security/cve/CVE-2010-2252

    Is it possible to address this vulnerability in CentOS 5.8 itself without upgrading to CentOS 6?

    Any help on this will be much appreciated.

  2. #2 Irithori, Trusted Penguin (joined May 2009, Munich, 3,387 posts)
    The Red Hat Security Response Team has rated this issue as having low security impact due to the series of events required to successfully exploit it. A future update may address this flaw in Red Hat Enterprise Linux 5.
    As there isn't an updated package yet for RHEL 5, it is safe to assume that Red Hat probably won't provide any.
    So the answer is: no, currently you cannot address this CVE in RHEL 5.

    But as a paying customer you could open a ticket and politely demand this, as RHEL 5 is still officially supported.
    I have to agree with Red Hat, though, that the impact of this CVE is fairly low.


    Side topic: much more critical would be the latest OpenSSL vulnerability, which was made public yesterday.
    The patches are already available:
    https://access.redhat.com/security/cve/CVE-2014-0224
    https://rhn.redhat.com/errata/RHSA-2014-0624.html

    As for CentOS (thanks kurtdriver):
    CentOS recompiles and repackages the upstream sources from Red Hat (with minor patches of its own),
    so CentOS security updates usually come after the Red Hat updates, but are still fairly recent.
    Last edited by Irithori; 06-06-2014 at 03:04 PM.
    You must always face the curtain with a bow.
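A check in the spirit of this answer, added here and not part of the thread: because Red Hat and CentOS backport fixes without bumping the upstream version number, it compares the installed wget version with the upstream fix release (1.12) and also looks for the CVE in the RPM changelog. The sample version and changelog lines are constructed, and `wget_status`, `version_ge` and `changelog_mentions` are names of my own, not from any package.

```shell
#!/bin/sh
# Added example (not from the thread): report whether an installed wget is
# covered for CVE-2010-2252. Upstream fixed it in 1.12, but Red Hat/CentOS
# backport fixes without bumping the upstream version, so the RPM changelog
# is checked as well. Versions are compared numerically per component;
# strip any release suffix (the "-2.el5_4.1" part) before calling.

FIXED_UPSTREAM="1.12"

# version_ge A B: succeed (exit 0) when dotted version A >= B.
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# changelog_mentions CVE TEXT: succeed when the changelog text cites the CVE.
changelog_mentions() {
    printf '%s\n' "$2" | grep -q -- "$1"
}

# wget_status VERSION CHANGELOG: print fixed-upstream, backported or vulnerable.
wget_status() {
    if version_ge "$1" "$FIXED_UPSTREAM"; then
        echo fixed-upstream
    elif changelog_mentions "CVE-2010-2252" "$2"; then
        echo backported
    else
        echo vulnerable
    fi
}

# Constructed sample standing in for the poster's CentOS 5.8 host; the
# changelog lines are made up for illustration, not a real package changelog.
SAMPLE_VERSION="1.11.4"
SAMPLE_CHANGELOG="* Mon Jan 04 2010 Example Packager - 1.11.4-2
- rebuild for el5"

# On a live host use the real values instead:
#   wget_status "$(rpm -q --qf '%{VERSION}' wget)" "$(rpm -q --changelog wget)"
wget_status "$SAMPLE_VERSION" "$SAMPLE_CHANGELOG"   # prints: vulnerable
```

A "vulnerable" result from the live command means neither the version nor a vendor changelog entry shows the fix, which is exactly the situation described for CentOS 5.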

  3. #3 Rubberman, Linux Guru (joined Apr 2009, location: "I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.", 11,533 posts)
    Irithori's post is very accurate. That said, you can download the sources for the later version and build it on your system if necessary. That may work, but it may have dependencies on newer base libraries that are not there on your system, which you will probably need to build as well... Kind of a catch-22 situation. I do this on occasion, but then I am a professional Linux software developer and can deal with this stuff pretty well (usually). An example of this was my need to have a version >= 5.5.4 of PHP for RHEL/CentOS 6.x systems, when the repositories only support 5.3 and earlier. My only recourse was to do a custom build. Works great and let us develop a cell phone emulator in PHP that would not have been possible with earlier versions.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!
