Searching for package updates by relevant Common Vulnerabilities and Exposures (CVE) number


Environment

  • Red Hat Customer Portal

Issue

  • How do I look for package updates by relevant Common Vulnerabilities and Exposures (CVE) numbers?
  • How do I know if a CVE name affects a Red Hat Enterprise Linux package?
  • Where can I find more information about a particular CVE?
  • How do I determine if the installed packages include the CVE fixes?

Resolution

Common Vulnerabilities and Exposures provide standard, vendor-independent names for information security issues (i.e., security vulnerabilities and exposures). CVEs are used in security-related communications such as Red Hat errata, other vendors' security bulletins, and bug tracking systems. System and network administrators are often asked to ensure their systems are patched for a specific CVE. There are a number of ways to tell if a package is affected by or has received a fix for a given CVE:

  • Use the Red Hat CVE Database to navigate to or search for a given CVE and see how the MITRE CVE dictionary describes the issue, as well as the Common Vulnerability Scoring System (CVSS) metrics and the advisories that fix the issue, if applicable.

To look for packages which are affected by a specific CVE:

  1. Search for a particular CVE number in the database.
  2. Validate the security information, including the impact classification, the relevant Bugzilla link, and the security errata. You can find this data on the results page.
  3. If available, you can download the package from the Affected Packages State section of the advisory page. You can also use the Package Browser tool to find specific packages.

Note: Not all CVE advisories are fixed by Red Hat errata. In some cases, a newer package may be available. Click the package to verify.

  • Open the errata page in Red Hat Subscription Management (RHSM). Filter by synopsis.

  • Refer to Red Hat Bugzilla if the CVE Database and RHSM do not give enough information about the issue. Bugs for security issues use the CVE names.

  • The yum-security package (in Red Hat Enterprise Linux 5.1 and later) provides the yum-security yum plug-in so that you can install only security-related updates. For details, refer to the Red Hat Enterprise Linux 6 Deployment Guide.

Learn more about the meaning of CVSS base metrics.

Wherever feasible, Red Hat addresses security issues by backporting. This approach and its impact on package versioning are discussed in the backporting policy in the Red Hat Customer Portal.
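Because of backporting, the upstream version string of an installed package does not tell you whether a given CVE is fixed; the RPM changelog does, since Red Hat records the CVE name in the %changelog entry of the fixing build. The following shell functions, an added example that is not part of the original article, answer the question "do my installed packages include the fix for this CVE?" by searching changelog text for an exact CVE id. They are fed a constructed changelog sample with placeholder CVE ids so that they run without rpm; the real invocation is shown in the comments.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): check whether an RPM changelog
# references a given CVE id. Red Hat backports fixes, so compare against the
# changelog (rpm -q --changelog PKG), not the upstream version number.

# Return 0 if the changelog text on stdin references the CVE id in $1.
# The id must be delimited on both sides so that a placeholder such as
# CVE-1234-5678 does not match CVE-1234-56789. Matching is case-insensitive
# because some entries write the id in lower case.
changelog_has_cve() {
    cve="$1"
    grep -Eiq "(^|[^0-9A-Za-z])${cve}([^0-9]|$)"
}

# Print every distinct CVE id mentioned in the changelog text on stdin,
# upper-cased and sorted, one per line.
list_cves() {
    grep -oEi 'CVE-[0-9]{4}-[0-9]{4,}' | tr 'a-z' 'A-Z' | sort -u
}

# Real usage against an installed package (requires rpm):
#   rpm -q --changelog openssl | changelog_has_cve CVE-YYYY-NNNN
#   rpm -q --changelog openssl | list_cves
# With the yum-security plug-in, pending (not yet installed) fixes can be
# listed with: yum updateinfo list cves

# Constructed sample changelog text with placeholder CVE ids, used here only
# so the example runs offline. Real changelogs have the same layout.
SAMPLE_CHANGELOG='* Mon Jan 01 2000 Example Maintainer <placeholder@example.com> - 1.0.1-2
- fix CVE-1234-5678 - placeholder description of the backported fix
- fix cve-1234-0001 - second placeholder, written in lower case
* Sat Dec 25 1999 Example Maintainer <placeholder@example.com> - 1.0.1-1
- initial build'

# Demonstration on the constructed sample.
for cve in CVE-1234-5678 CVE-1234-56789; do
    if printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_has_cve "$cve"; then
        echo "$cve: fix referenced in changelog"
    else
        echo "$cve: not referenced; compare the installed version with the errata"
    fi
done
```

If the CVE is not referenced, the package may still be unaffected (check the Affected Packages State on the advisory page) or the fix may be in an update that is not yet installed; the yum-security plug-in's updateinfo listing distinguishes the two cases.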

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
