I have an issue with some servers at work where I have been unable to determine the best course of action to address it based on pre-existing knowledge within my team or web searches. Does anyone have suggestions for the best place to ask RHEL-specific questions? I don’t want to presume that it’s OK to post such nitty-gritty technical questions here.

  • Carl George
    link
    fedilink
    English
    31 year ago

    old versions of modules that come from the Ceph package got flagged by our security scan.

    RHEL uses a practice called backporting, where older versions of software in packages get fixes from newer versions of the software without changing the version. This means that scanners that only check the version number can give you false positives for CVEs that are actually fixed. Is there a specific CVE that your scanner mentions? If so, you can look it up in the Red Hat CVE database and check if the fix has been backported, and which release of the package includes said fix.

    • xapr [he/him]OP
      link
      English
      11 year ago

      Oh, I was not aware of this. This is very useful! I will check it out and post an update later. Thank you!

    • xapr [he/him]OP
      link
      English
      11 year ago

      I checked, and the versions of those modules that are currently installed are way behind what’s provided in the listed Red Hat patch, so it does seem that the updates for this just haven’t been installed. I will try to double-check with Red Hat support to be sure that enabling the Ceph repository is the correct course of action to take. Thank you once again for your help.