Red Hat Security Data API

Red Hat has been providing security information since January 2005 through several channels:
RHSA-Announce mailing list, Red Hat CVE database and Red Hat Product Errata.

To give better access to this data, Red Hat Product Security has just released a beta API. It provides more search options for accessing real-time data.

More details can be found in the post below:
Red Hat Security Blog post about their new Security Data API service
RedHat Security Data API

Getting more details about Red Hat Security Advisories and related CVEs

Two links give an in-depth explanation of Red Hat's process for backporting security fixes and of the compatibility between Red Hat security advisories and MITRE CVEs.

Backporting Security Fixes

Red Hat and CVE compatibility

Red Hat provides free access to two databases, one for errata and one for the CVEs referenced in Red Hat products:

Red Hat Product Errata database

Red Hat CVE Database

How to list the CVEs fixed in a given rpm?

A quick tip to retrieve the CVEs fixed in a given version of an rpm:


[fool@localhost:~]$ rpm -q --changelog openssl-libs-1.0.1e-51.el7_2.4.x86_64 | grep CVE-2014-3567
- fix CVE-2014-3567 - memory leak when handling session tickets

[fool@localhost:~]$ rpm -q --changelog openssl-libs-1.0.1e-51.el7_2.4.x86_64 | grep CVE-2014-8176
- fix CVE-2014-8176 - invalid free in DTLS buffering code

[fool@localhost:~]$ rpm -q --changelog openssl-libs-1.0.1e-51.el7_2.4.x86_64 | grep CVE-2015-0292
- fix CVE-2015-0292 - integer underflow in base64 decoder

Using the sed utility, all the fixed CVEs can be retrieved.
For the php rpm package:

[fool@localhost:~]$ rpm -q --changelog php |grep 'CVE-201[0-6]-[0-9]\{4\}' |sed -e '1s/^.*\(CVE-201[0-6]-[0-9]\{4\}\)/\1/' -e 's/^-.*\(CVE-201[0-6]-[0-9]\{4\}\)/\1/' -e 's/^\s*.*\(CVE-201[0-6]-[0-9]\{4\}\)/\1/' -e 's/, #[0-9]\{7\}//' |sed -e 's/)//g'

For the openssl rpm package:

[fool@localhost:~]$ rpm -q --changelog openssl |grep 'CVE-201[0-6]-[0-9]\{4\}' |sed -e '1s/^.*\(CVE-201[0-6]-[0-9]\{4\}\)/\1/' -e 's/^-.*\(CVE-201[0-6]-[0-9]\{4\}\)/\1/' -e 's/^\s*.*\(CVE-201[0-6]-[0-9]\{4\}\)/\1/' -e 's/, #[0-9]\{7\}//' |sed -e 's/)//g' |sed -e 's/(#.*$//g' -e 's/(.*//g' -e 's/\s.*$//g'
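An added example, not part of the original post: the same extraction done with grep -o, so that changelog lines naming several CVEs, IDs with more than four digits and any year are all handled, plus an exact-match check that avoids the substring hits a plain grep gives. The function names and the sample changelog are assumptions made for this example; the CVE-2099 IDs are fictitious.

```shell
#!/bin/sh
# Added example (not from the original post): list the CVE IDs mentioned
# in an RPM changelog and test for one specific ID.

# extract_cves: read changelog text on stdin, print each CVE ID once,
# one per line, ordered by year and then by sequence number.
extract_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u -t- -k2,2n -k3,3n
}

# has_cve ID: succeed only if stdin mentions exactly that CVE ID.
# Comparing whole IDs (-x) with a fixed string (-F) means that
# CVE-2099-1234 does not match a changelog that only has CVE-2099-12345.
has_cve() {
    extract_cves | grep -qxF "$1"
}

# sample_changelog: constructed input so the example runs without rpm.
# The three 2014/2015 entries are the ones shown earlier in the post;
# the remaining lines are made up for the demonstration.
sample_changelog() {
    cat <<'EOF'
* Fri Jan 01 2016 Packager <packager@example.com> 1.0.1e-51.4
- fix CVE-2014-3567 - memory leak when handling session tickets
- fix CVE-2014-8176 - invalid free in DTLS buffering code
- fix CVE-2015-0292 - integer underflow in base64 decoder
- rebase the fix for CVE-2015-0292 (#1234567)
- fix CVE-2099-0001, CVE-2099-12345 (fictitious, two IDs on one line)
EOF
}

# Demo on the constructed sample. On a RHEL host the real input is:
#   rpm -q --changelog openssl | extract_cves
#   rpm -q --changelog openssl | has_cve CVE-2014-3567 && echo fixed
sample_changelog | extract_cves
```

The check only reflects what the packager wrote in the changelog, so the absence of an ID is not proof that a package is vulnerable.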

Unable to locate an oracle.mk or other suitable *.mk (DBD::Oracle Perl module compilation failed)

To install a working Perl environment to manage remote Oracle databases, you need to install the Oracle Instant Client.

To install the 64-bit Oracle Instant Client version 11.2.3.0, download the rpm files and install them as shown below:

root@localhost:~# rpm -i oracle-instantclient11.2-basic-11.2.0.3.0-1.x86_64.rpm
root@localhost:~# rpm -i oracle-instantclient11.2-odbc-11.2.0.3.0-1.x86_64.rpm
root@localhost:~# rpm -i oracle-instantclient11.2-sqlplus-11.2.0.3.0-1.x86_64.rpm
root@localhost:~# rpm -i oracle-instantclient11.2-devel-11.2.0.3.0-1.x86_64.rpm

The installation works fine.

To install the DBD::Oracle Perl module, use CPAN if it is not available from the RHEL yum repositories.

root@localhost:~# cpan

cpan[1]> install DBD::Oracle

This command will install the module and the missing dependencies. If the development files of the Oracle Instant Client are not installed (oracle-instantclient11.2-devel-11.2.0.3.0-1.x86_64.rpm is missing), you will get the following error during the DBD::Oracle compilation:

Unable to locate an oracle.mk or other suitable *.mk
file in your Oracle installation.  (I looked in
/usr/lib/oracle/11.2/client64/rdbms/demo/demo_xe.mk /usr/lib/oracle/11.2/client64/rdbms/lib/oracle.mk /usr/lib/oracle/11.2/client64/rdbms/demo/oracle.mk /usr/lib/oracle/11.2/client64/rdbms/demo/demo_rdbms.mk /usr/lib/oracle/11.2/client64/rdbms/demo/demo_rdbms64.mk /usr/lib/oracle/11.2/client64/rdbms/lib/ins_rdbms.mk /usr/share/oracle/11.2/client64/demo.mk under /usr/lib/oracle/11.2/client64)

The oracle.mk (or demo_rdbms.mk) file is part of the Oracle
RDBMS product.  You need to build DBD::Oracle on a
system which has one of these Oracle components installed.
(Other *.mk files such as the env_*.mk files will not work.)
Alternatively you can use Oracle Instant Client.

In the unlikely event that a suitable *.mk file is installed
somewhere non-standard you can specify where it is using the -m option:
perl Makefile.PL -m /path/to/your.mk

See the appropriate README file for your OS for more information and some alternatives.

at Makefile.PL line 1187.


Deploying VMware tools with Puppet on Linux servers

There are two possible ways to install VMware tools on Linux servers: either you install them through the vSphere client, or you automate the task with Puppet. VMware has provided special repositories for all the Linux distribution flavors: VMware Operating System Specific Packages (OSPs).

Here are the main steps to complete this installation:

->Download the public keys of the VMware OSPs repositories:

rpm --import http://packages.vmware.com/tools/keys/VMWARE-PACKAGING-GPG-RSA-KEY.pub

rpm --import http://packages.vmware.com/tools/keys/VMWARE-PACKAGING-GPG-DSA-KEY.pub

->Add a new repo for YUM in /etc/yum.repos.d/:

cat /etc/yum.repos.d/vmware-tools.repo
[vmware-tools]
name=VMware Tools
baseurl=http://packages.vmware.com/tools/esx/5.1/rhel6/x86_64
enabled=1
gpgcheck=1

->Fetch the metapackage vmware-tools-esx-nox; it will install all the required dependencies.

Here is an example of a working Puppet manifest to deploy and install the VMware Tools on Linux servers running RHEL 6.4:

cat vmwaretools.pp

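class vmwaretools {
        # Import the VMware packaging keys so that gpgcheck=1 can verify the packages
        exec { "Fetching RSA key":
        command => "rpm --import http://packages.vmware.com/tools/keys/VMWARE-PACKAGING-GPG-RSA-KEY.pub",
        path => "/sbin:/bin"
        }

        exec { "Fetching DSA key":
        command => "rpm --import http://packages.vmware.com/tools/keys/VMWARE-PACKAGING-GPG-DSA-KEY.pub",
        path => "/sbin:/bin"
        }

        # Write the yum repository definition, only if the file does not exist yet
        exec { "Setting VMWare yum repo" :
        command => "echo -e \"[vmware-tools]\nname=VMware Tools\nbaseurl=http://packages.vmware.com/tools/esx/5.1/rhel6/x86_64\nenabled=1\ngpgcheck=1\" > /etc/yum.repos.d/vmware-tools.repo",
        path => "/sbin:/bin",
        creates => "/etc/yum.repos.d/vmware-tools.repo"
        }

        # Install the metapackage once the keys and the repository are in place
        package { "vmware-tools-esx-nox":
          ensure => "installed",
          require => [ Exec["Fetching RSA key"], Exec["Fetching DSA key"], Exec["Setting VMWare yum repo"] ]
        }
}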

Do not forget to reload the puppetmaster on the server where it is located:

service puppetmaster reload

More information about VMware OSPs repositories: Read more