From brian at reidbusiness.ca Wed Mar 7 18:17:02 2018
From: brian at reidbusiness.ca (Brian Haines)
Date: Wed, 7 Mar 2018 14:17:02 -0400
Subject: [scl.org] PHP Security Updates
Message-ID:

I was wondering, what is an appropriate period to wait for security updates to php versions in the software collection?

The following article got my attention:
https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2018-023/

I am using multiple versions of scl php on a server of mine and I can't really use scl if only vulnerable versions of php are available.

Is the best solution to use the remi repo to get secure software collections versions of php?


From josep.moscardo at embl.de Thu Mar 8 08:15:36 2018
From: josep.moscardo at embl.de (Josep Manel Andrés Moscardó)
Date: Thu, 8 Mar 2018 09:15:36 +0100
Subject: [scl.org] PHP Security Updates
In-Reply-To:
References:
Message-ID:

Hi,

Referring to http://mirror.centos.org/centos/7/sclo/x86_64/rh/rh-php56/ I see the last update was latest 2016, and checking the latest php 5.6 available on php.net I can see an update from last week.

So, is this what you are talking about? ..... I didn't notice....

On 07/03/18 19:17, Brian Haines wrote:
> I was wondering, what is an appropriate period to wait for security
> updates to php versions in the software collection?
>
> The following article got my attention:
> https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2018-023/
>
>
> I am using multiple versions of scl php on a server of mine and I
> can't really use scl if only vulnerable versions of php are available.
>
> Is the best solution to use the remi repo to get secure software
> collections versions of php?
>
> _______________________________________________
> SCLorg mailing list
> SCLorg at redhat.com
> https://www.redhat.com/mailman/listinfo/sclorg

--
Josep Manel Andrés Moscardó
Systems Engineer, IT Operations
EMBL Heidelberg
T +49 6221 387-8394


From Souvignier at itc.rwth-aachen.de Thu Mar 8 08:28:59 2018
From: Souvignier at itc.rwth-aachen.de (Souvignier, Daniel)
Date: Thu, 8 Mar 2018 08:28:59 +0000
Subject: [scl.org] PHP Security Updates
In-Reply-To:
References:
Message-ID:

Hi,

I've got exactly the same problem. I'm currently in the process of installing new webservers and decided to use only php software collections from the remi repo, because the official ones won't get updated frequently enough to be safe. So yes, this seems to be the only option for now, until the CentOS SCL team decides to do automated update builds of their SCLs.

Regards,
Daniel

--
Daniel Souvignier
IT Center
Group: Linux-based Applications
Department: Systems and Operations
RWTH Aachen University
Seffenter Weg 23
52074 Aachen
Tel.: +49 241 80-29267
souvignier at itc.rwth-aachen.de
www.itc.rwth-aachen.de


From dev at matthias-bastian.de Wed Mar 21 12:58:19 2018
From: dev at matthias-bastian.de (Matthias Bastian)
Date: Wed, 21 Mar 2018 12:58:19 -0000
Subject: [scl.org] Outdated package rh-python36 (2.0-1.el7)?
Message-ID: <0D9F8883-ADE7-4F3A-9DED-9E70B0F5D042@matthias-bastian.de>

Hi,

I am somewhat confused by the content of python36 in version 2.0-1.el7 from centos-sclo-rh. I am experiencing a bug similar to https://bugzilla.redhat.com/show_bug.cgi?id=1497342 . The page says the bug was fixed in python-3.6.3-3.el7 / python-3.6.3-3.el6. This version numbering seems to relate to another repo.

I found a python36 package matching this version in epel, installed it and saw everything working. However, this is not because the bug in the patched version of hashlib (https://github.com/fedora-python/python36/blob/master/00146-hashlib-fips.patch) was fixed, but because an unpatched version of hashlib is installed when using the epel package. In the linked repo's epel7 branch this patch has been removed.

python36 from centos-sclo-rh still ships the buggy patch. Is this intentional?

Cheers,
Matt
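The message above contrasts a hashlib carrying the distro FIPS patch with an unpatched one. The following script is an added example, not code from this thread or from the python36 package: it probes which hashlib variant the running interpreter has and computes a checksum in a way that works on both. It assumes only the standard library; the `usedforsecurity` keyword it probes for is the one the referenced FIPS patch adds to the hashlib constructors (upstream Python added the same keyword in 3.9). The exact failure Matthias hit is not described in his message, so the script makes no claim about it.

```python
"""Probe the hashlib variant of this interpreter and hash data portably.

Added example (not from the mailing-list thread or the python36 package).
Distro-patched, FIPS-aware builds accept hashlib.md5(usedforsecurity=False);
older unpatched builds reject the unknown keyword with TypeError. Code that
must run under both an SCL interpreter and an EPEL one cannot hard-code
either calling convention.
"""
import hashlib


def supports_usedforsecurity() -> bool:
    """True if hashlib.md5 understands the usedforsecurity keyword.

    Present on distro-patched builds and on upstream Python >= 3.9;
    an unpatched older build raises TypeError on the unknown keyword.
    """
    try:
        hashlib.md5(b"", usedforsecurity=False)
        return True
    except TypeError:
        return False
    except ValueError:
        # The keyword was understood, but the digest is disabled by
        # policy (FIPS mode). The build is the patched variant.
        return True


def checksum_md5(data: bytes) -> str:
    """MD5 for non-security purposes, e.g. matching a vendor's file checksum.

    Try the keyword form first so a FIPS-mode build does not reject the
    call as a security use, then fall back to the plain constructor on
    builds that lack the keyword. A ValueError from a build where MD5 is
    disabled outright is left to propagate: there is no safe fallback.
    """
    try:
        h = hashlib.md5(usedforsecurity=False)
    except TypeError:
        h = hashlib.md5()
    h.update(data)
    return h.hexdigest()


def available_digests() -> dict:
    """Map each algorithm hashlib guarantees to 'ok' or 'disabled: <reason>'.

    A FIPS-restricted build may list an algorithm but raise ValueError on
    construction; recording that separates 'missing' from 'blocked by policy'.
    """
    status = {}
    for name in sorted(hashlib.algorithms_guaranteed):
        try:
            hashlib.new(name)
            status[name] = "ok"
        except ValueError as exc:
            status[name] = f"disabled: {exc}"
    return status


if __name__ == "__main__":
    print("usedforsecurity keyword:", supports_usedforsecurity())
    for algo, state in available_digests().items():
        print(f"  {algo:<10} {state}")
    print("md5('abc') =", checksum_md5(b"abc"))
```

Run it once under the SCL interpreter (`scl enable rh-python36 -- python3 probe.py`) and once under the EPEL one; a difference in the first line shows which hashlib variant each carries, and any `disabled:` entries show what a FIPS policy on that host is blocking.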
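Returning to the PHP security-update thread earlier in this archive: the practical question for anyone running several SCL PHP collections is which installed packages predate an advisory's fixed release. The script below is an added example, not code from the thread or from the SCL project. The fixed-version table and the sample `rpm` output and changelog are constructed placeholders; fill the table from the advisory you are assessing. It also shows the check a version comparison alone cannot give: distributions sometimes backport a fix without bumping the version, so the package changelog is scanned for CVE ids as a second signal.

```python
"""Flag installed SCL PHP packages older than an advisory's fixed version.

Added example, not the list's or the SCL project's code. FIXED_VERSIONS,
SAMPLE_RPM_OUTPUT and SAMPLE_CHANGELOG are constructed placeholders.
"""
import re
from typing import Dict, List, Tuple

# Placeholder table: PHP branch -> first version carrying the fix.
# The .99 numbers are NOT real releases; take them from the advisory.
FIXED_VERSIONS: Dict[str, str] = {
    "5.6": "5.6.99",
    "7.0": "7.0.99",
    "7.1": "7.1.99",
}

# Constructed sample of:  rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n' '*php'
SAMPLE_RPM_OUTPUT = """\
rh-php56-php 5.6.25 1.el7
rh-php70-php 7.0.27 2.el7
rh-php71-php 7.1.8 1.el7
php 5.4.16 45.el7
"""

# Constructed sample of:  rpm -q --changelog rh-php56-php
# (CVE-2018-99999 is a made-up placeholder id)
SAMPLE_CHANGELOG = """\
* Tue Mar 13 2018 Example Packager <packager@example.invalid> - 5.6.25-2
- backport fix for CVE-2018-99999
- rebuild
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.6.25' -> (5, 6, 25). Numeric components only; tuple order is correct
    for dotted releases. Pre-release suffixes (RC1) are not ranked specially."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_rpm_lines(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'NAME VERSION RELEASE' lines; skip blank or malformed ones."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append((parts[0], parts[1], parts[2]))
    return rows


def stale_packages(text: str, fixed: Dict[str, str] = None) -> List[Dict[str, str]]:
    """Compare each installed version with the fixed version for its branch."""
    fixed = FIXED_VERSIONS if fixed is None else fixed
    report = []
    for name, ver, rel in parse_rpm_lines(text):
        branch = ".".join(ver.split(".")[:2])
        if branch not in fixed:
            status = "branch not covered by table"
        elif parse_version(ver) < parse_version(fixed[branch]):
            status = f"below fixed version {fixed[branch]}"
        else:
            status = "ok"
        report.append({"package": name, "version": f"{ver}-{rel}", "status": status})
    return report


def cves_in_changelog(changelog: str) -> List[str]:
    """CVE ids mentioned in a package changelog, de-duplicated, in order.
    A backported fix shows up here even when the version string did not move."""
    seen: List[str] = []
    for cve in CVE_RE.findall(changelog):
        if cve not in seen:
            seen.append(cve)
    return seen


if __name__ == "__main__":
    for row in stale_packages(SAMPLE_RPM_OUTPUT):
        print(f"{row['package']:<14} {row['version']:<14} {row['status']}")
    print("CVEs in sample changelog:", cves_in_changelog(SAMPLE_CHANGELOG))
```

To run it against a real host, replace the two samples with the output of the `rpm` commands given in the comments; a package reported as below the fixed version whose changelog nevertheless names the advisory's CVEs has most likely been backported, while one that fails both checks is the stale build the thread is complaining about.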
From frankpintojr at yahoo.com Fri Mar 23 18:23:36 2018
From: frankpintojr at yahoo.com (Frank Pinto)
Date: Fri, 23 Mar 2018 18:23:36 -0000
Subject: [scl.org] sclorg/mongodb-container
References: <846688620.6062053.1521829404383.ref@mail.yahoo.com>
Message-ID: <846688620.6062053.1521829404383@mail.yahoo.com>

Hello,

I was wondering, will you all ever include a RHEL/CentOS MongoDB 3.7 container image into the SCL?