You really should just use the package from CentOS. It has all the backported fixes, and CentOS will continue to fix security updates, unlike your build-from-source solution, which will need to be rebuilt each time NTP posts another CVE. If you just run "yum update ntp" you will get all the following CVEs addressed. Whoever is telling you that those CVEs aren't addressed should look at that page too. For many of them, Red Hat says that the ntp package in el7 isn't even affected.

Don't blindly believe the security auditors; most often they're just folks who got trained to run a tool on a Windows computer (you are lucky if they even know about Linux) and parrot the results, and have no depth of understanding of how an enterprise Linux OS works. Red Hat (and subsequently CentOS) backports security fixes to a stable version of a package. Maintaining your own build of the latest version is actually more of a security risk, because now you have to rebuild it each time there's a security fix.

EDIT: Also, please direct your security auditors or anyone telling you to upgrade ntp to the latest version to read Red Hat's discussion of backports.

For stability purposes and quick convergence and time maintenance among many hosts, I have been using chrony instead of ntp. In fact, I believe that from RHEL/CentOS 7.x chrony is the primary network time package provided by default. However, to your point, if you want to stay in sync with your distribution, you can just wait until a new version is released by the vendor. In the case of RHEL/CentOS, the primary version listed on the package generally does not change at all during the life of the major point system revision. What happens is that patches get backported and the -# reflects the change. So although your package inventory indicates one version, it could very well be updated to the current version.
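The replies above make one practical point: on RHEL/CentOS the upstream version string stays put and only the trailing release number (the "-#") moves when a fix is backported, so the place to look for a CVE is the package's RPM changelog, not the version. The script below is an added example written for this page, not code from the thread's posters. It expects the name-version-release string that `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' ntp` prints (no architecture suffix) and changelog text in the form `rpm -q --changelog ntp` prints; the embedded changelog and its CVE ids (`CVE-0000-0001`, `CVE-0000-0002`) are constructed placeholders, not real advisories.

```shell
#!/bin/sh
# Added example (not from the original thread): verify a backported fix by
# reading the package release and its RPM changelog instead of trusting the
# upstream version number alone.

# Version part of an NVR string such as "ntp-4.2.6p5-29.el7.centos".
# Strip the release (after the last "-"), then the name (up to the last "-").
rpm_version() {
  v=${1%-*}
  printf '%s\n' "${v##*-}"
}

# Release part of an NVR string: this is the "-#" that increments on a backport.
rpm_release() {
  printf '%s\n' "${1##*-}"
}

# Exit status 0 if the given CVE id is mentioned in the changelog text, 1 otherwise.
# $1 = changelog text, $2 = CVE id (matched as a fixed string)
cve_in_changelog() {
  printf '%s\n' "$1" | grep -q -F -e "$2"
}

# Print every CVE id mentioned in the changelog text, one per line, deduplicated.
cves_in_changelog() {
  printf '%s\n' "$1" | grep -o -E 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Constructed sample in the style of "rpm -q --changelog"; the CVE ids are
# placeholders (CVE-0000-xxxx), not real advisories.
SAMPLE_CHANGELOG='* Mon Jan 01 2018 Example Packager <packager@example.invalid> - 4.2.6p5-29
- fix buffer overflow in control message parsing (CVE-0000-0002)
- fix denial of service with crafted packet (CVE-0000-0001)

* Mon Jan 01 2017 Example Packager <packager@example.invalid> - 4.2.6p5-28
- fix denial of service with crafted packet (CVE-0000-0001)
'

# Demonstration on the constructed sample. On a real host, feed in the output
# of "rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' ntp" and "rpm -q --changelog ntp".
demo() {
  nvr=ntp-4.2.6p5-29.el7.centos
  printf 'version: %s  release: %s\n' "$(rpm_version "$nvr")" "$(rpm_release "$nvr")"
  printf 'CVEs mentioned in changelog:\n'
  cves_in_changelog "$SAMPLE_CHANGELOG"
  if cve_in_changelog "$SAMPLE_CHANGELOG" CVE-0000-0002; then
    echo "CVE-0000-0002: fix present in changelog"
  else
    echo "CVE-0000-0002: not mentioned in changelog"
  fi
}
demo
```

The version parser only splits on the last two hyphens, so package names containing hyphens (ntp-doc, for instance) still parse correctly; the release field keeps its dist tag (el7.centos) intact, which is what an auditor comparing against an errata page needs to see.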