I have a list of package names with versions (e.g., glibc-2.12-1.209.el6_9.1) and I need to see whether a CVE is present for them or not
(Question sent to me via email.)
First, if you're keeping your RHEL system up-to-date with the latest packages provided by Red Hat and it's just one package you're interested in, I would recommend checking this answer in the readme:
That example could be used verbatim for RHEL6 to see if there are any outstanding CVEs for the latest version of glibc.
On the other hand, if you have a list of package names of specific versions, you would be better off just using yum on the system in question.
yum yum yum
On the following test machine, I have an old version of glibc, and you can see that I'm registered, because a newer version is available.
[root@zz73 ~]# yum list glibc
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-
: manager
Installed Packages
glibc.x86_64 2.17-157.el7 @anaconda/7.3
Available Packages
glibc.i686 2.17-196.el7 rhel-7-server-rpms
glibc.x86_64 2.17-196.el7 rhel-7-server-rpms
Of course, in a perfect world, I would just update, but ...
To check for available security-specific fixes
[root@zz73 ~]# yum updateinfo security package glibc
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-
: manager
RHSA-2017:1481 Important/Sec. glibc-2.17-157.el7_3.4.x86_64
RHSA-2017:1916 Moderate/Sec. glibc-2.17-196.el7.x86_64
updateinfo list done
That shows me that yes, the latest available version of glibc does include some security fixes of severity moderate or less. Drop the trailing package glibc to see all available security updates. You can also run yum list updates --security or yum update --security.
To see CVEs specifically
[root@zz73 ~]# yum updateinfo cves package glibc
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-
: manager
CVE-2017-1000366 Important/Sec. glibc-2.17-157.el7_3.4.x86_64
CVE-2014-9761 Moderate/Sec. glibc-2.17-196.el7.x86_64
CVE-2015-8776 Moderate/Sec. glibc-2.17-196.el7.x86_64
CVE-2015-8777 Moderate/Sec. glibc-2.17-196.el7.x86_64
CVE-2015-8778 Moderate/Sec. glibc-2.17-196.el7.x86_64
CVE-2015-8779 Moderate/Sec. glibc-2.17-196.el7.x86_64
updateinfo list done
This tells me that upgrading to v157.el7_3.4 will fix one CVE, and upgrading to the latest v196 will fix 5 additional CVEs.
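For the original question (a list of package names at specific versions), the per-CVE lines above can be parsed and each fixing build compared against the version you hold, using RPM's version-ordering rules. The script below is an added example, not part of the original post or of yum itself: the updateinfo text is a constructed sample in the format shown above, and rpmvercmp is a simplified re-implementation of rpm's comparison rather than a call into the rpm library.

```python
import re
from itertools import zip_longest

# Constructed sample in the format printed by `yum updateinfo cves package <name>`:
# one "<CVE> <severity>/Sec. <name>-<version>-<release>.<arch>" line per CVE.
SAMPLE_UPDATEINFO = """\
CVE-2017-1000366 Important/Sec. glibc-2.17-157.el7_3.4.x86_64
CVE-2014-9761 Moderate/Sec. glibc-2.17-196.el7.x86_64
CVE-2015-8776 Moderate/Sec. glibc-2.17-196.el7.x86_64
updateinfo list done
"""

CVE_LINE = re.compile(r"^(CVE-\d{4}-\d+)\s+(\S+)/Sec\.\s+(\S+)$")
SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def split_nevra(nevra):
    """'glibc-2.17-157.el7_3.4.x86_64' -> ('glibc', '2.17', '157.el7_3.4', 'x86_64')."""
    rest, arch = nevra.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)
    return name, version, release, arch

def rpmvercmp(a, b):
    """Simplified re-implementation of rpm's version comparison (no ~ or ^ handling):
    split into numeric and alphabetic segments, compare numeric segments as integers,
    numeric outranks alphabetic, and leftover segments make that string the newer one."""
    for x, y in zip_longest(SEGMENT.findall(a), SEGMENT.findall(b)):
        if x is None or y is None:
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return 0

def unfixed_cves(installed_nevra, updateinfo_text):
    """CVEs from the updateinfo listing whose fixing build is newer than the installed one."""
    name, ver, rel, _ = split_nevra(installed_nevra)
    missing = []
    for line in updateinfo_text.splitlines():
        m = CVE_LINE.match(line.strip())
        if not m:
            continue  # "Loaded plugins", "updateinfo list done", etc.
        cve, _severity, fix_nevra = m.groups()
        fix_name, fix_ver, fix_rel, _ = split_nevra(fix_nevra)
        if fix_name != name:
            continue
        # version decides first; release only breaks a tie (the rule rpm applies)
        if (rpmvercmp(fix_ver, ver) or rpmvercmp(fix_rel, rel)) > 0:
            missing.append(cve)
    return missing

if __name__ == "__main__":
    for pkg in ("glibc-2.17-157.el7.x86_64", "glibc-2.17-157.el7_3.4.x86_64"):
        print(pkg, "still exposed to:", unfixed_cves(pkg, SAMPLE_UPDATEINFO) or "nothing listed")
```

On a real host, feed it the output of yum updateinfo cves package <name> for each name in your list; an empty result only means nothing in the enabled repositories' updateinfo fixes a newer CVE, not that the package has none.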
To see one specific CVE
[root@zz73 ~]# yum updateinfo info updates --cve CVE-2016-3075
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
updateinfo info done
That tells me that the CVE in question is already patched by my installed version. To be sure, I can do:
[root@zz73 ~]# yum updateinfo info installed --cve CVE-2016-3075
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
===============================================================================
Low: glibc security, bug fix, and enhancement update
===============================================================================
Update ID : RHSA-2016:2573
Release : 0
Type : security
Status : final
Issued : 2016-11-03 06:07:14 UTC
Updated : 2016-11-03 06:07:23 UTC
Bugs : 971416 - Locale alias no_NO.ISO-8859-1 not working.
: 1027348 - sem_post/sem_wait race causing sem_post to return EINVAL
: 1064063 - Test suite failure: tst-mqueue5
: 1099235 - CVE-2015-5277 glibc: nss_files doesn't detect ERANGE problems correctly [rhel-7.3]
: 1140250 - Unexpected results from using posix_fallocate with nfs target
: 1211100 - ld.so crash when audit modules provide path
: 1211823 - iconv: missing support for HKSCS-2008 in BIG5-HKSCS in rhel7 glibc
: 1249102 - "monstartup: out of memory" on PPC64LE
: 1255822 - glibc: malloc may fall back to calling mmap prematurely if arenas are contended
: 1276631 - glibc: hide backtrace from tst-malloc-backtrace
: 1276753 - malloc: arena free list can become cyclic, increasing contention
: 1293976 - CVE-2015-5229 glibc: calloc() returns non-zero'ed memory [rhel-7.3.0]
: 1298354 - Backport test-skeleton.c conversions.
: 1305406 - invalid fastbin entry (free), missing glibc patch
: 1320596 - glibc: NULL pointer dereference in stub resolver with unconnectable name server addresses
: 1321866 - CVE-2016-3075 glibc: Stack overflow in nss_dns_getnetbyname_r
: 1335629 - aarch64: MINSIGSTKSZ is (much) too small
: 1335925 - glibc: Fix aarch64 ABI issues
: 1346397 - glibc: debug/tst-longjump_chk2 calls printf from a signal handler
CVEs : CVE-2016-3075
Description : The glibc packages provide the standard C libraries (libc),
: POSIX thread libraries (libpthread), standard math
: libraries (libm), and the name service cache
: daemon (nscd) used by multiple programs on the
: system. Without these libraries, the Linux system
: cannot function correctly.
:
: Security Fix(es):
:
: * A stack overflow vulnerability was found in
: _nss_dns_getnetbyname_r. On systems with
: nsswitch configured to include "networks: dns"
: with a privileged or network-facing service that
: would attempt to resolve user-provided network
: names, an attacker could provide an excessively
: long network name, resulting in stack corruption
: and code execution. (CVE-2016-3075)
:
: This issue was discovered by Florian Weimer (Red
: Hat).
:
: Additional Changes:
:
: For detailed information on changes in this
: release, see the Red Hat Enterprise Linux 7.3
: Release Notes linked from the References section.
Severity : Low
updateinfo info done