How can I install nspr 4.25 on CentOS 7?

I'm trying to resolve a security vulnerability - specifically https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17006 . The general solution is to update packages:

  • nspr-0:4.21.0-1.el7
  • nss-0:3.44.0-7.el7_7
  • nss-softokn-0:3.44.0-8.el7_7
  • nss-softokn-freebl-0:3.44.0-8.el7_7
  • nss-sysinit-0:3.44.0-7.el7_7
  • nss-tools-0:3.44.0-7.el7_7
  • nss-util-0:3.44.0-4.el7_7

So I tried the standard yum update, but that seems to think that 4.21 is the latest version of nspr, and that's already installed. The vulnerability wasn't fixed until 4.25. I tried Googling around, and at least from the official CentOS sites I found, they also believe 4.21 to be the latest version.

However - rpmfind.net lists both 4.25 and 4.29 versions, e.g. http://fr2.rpmfind.net/linux/RPM/centos/updates/7.9.2009/x86_64/Packages/nspr-4.25.0-2.el7_9.x86_64.html

It seems dicey to me to start resolving security vulnerabilities with rpmfind.net. I don't see how these are signed by official CentOS (or RHEL) authors, so are these safe to just use as-is? Is there a way to validate the author / package release?

What is the "right" way to resolve a vulnerability like this when the OS vendor hasn't released a fix through the package manager?


Solution 1:

The updates you are looking for were released in RHEL 7.9, but CentOS (which is based on RHEL) has not yet updated to 7.9.

If you need early access to it, you can get packages for the next minor CentOS 7 release in the cr repo.

[root@vmtest-centos7 ~]# yum --enablerepo=cr update nspr nss
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.mirror.vexxhost.com
 * extras: centos.mirror.vexxhost.com
 * updates: centos.mirror.vexxhost.com
Resolving Dependencies
--> Running transaction check
---> Package nspr.x86_64 0:4.21.0-1.el7 will be updated
---> Package nspr.x86_64 0:4.25.0-2.el7_9 will be an update
---> Package nss.x86_64 0:3.44.0-7.el7_7 will be updated
--> Processing Dependency: nss = 3.44.0-7.el7_7 for package: nss-sysinit-3.44.0-7.el7_7.x86_64
--> Processing Dependency: nss(x86-64) = 3.44.0-7.el7_7 for package: nss-tools-3.44.0-7.el7_7.x86_64
---> Package nss.x86_64 0:3.53.1-3.el7_9 will be an update
--> Processing Dependency: nss-util >= 3.53.1-1 for package: nss-3.53.1-3.el7_9.x86_64
--> Processing Dependency: nss-softokn(x86-64) >= 3.53.1-2 for package: nss-3.53.1-3.el7_9.x86_64
--> Running transaction check
---> Package nss-softokn.x86_64 0:3.44.0-8.el7_7 will be updated
---> Package nss-softokn.x86_64 0:3.53.1-6.el7_9 will be an update
--> Processing Dependency: nss-softokn-freebl(x86-64) >= 3.53.1-6.el7_9 for package: nss-softokn-3.53.1-6.el7_9.x86_64
---> Package nss-sysinit.x86_64 0:3.44.0-7.el7_7 will be updated
---> Package nss-sysinit.x86_64 0:3.53.1-3.el7_9 will be an update
---> Package nss-tools.x86_64 0:3.44.0-7.el7_7 will be updated
---> Package nss-tools.x86_64 0:3.53.1-3.el7_9 will be an update
---> Package nss-util.x86_64 0:3.44.0-4.el7_7 will be updated
---> Package nss-util.x86_64 0:3.53.1-1.el7_9 will be an update
--> Running transaction check
---> Package nss-softokn-freebl.x86_64 0:3.44.0-8.el7_7 will be updated
---> Package nss-softokn-freebl.x86_64 0:3.53.1-6.el7_9 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                   Arch          Version                Repository
                                                                           Size
================================================================================
Updating:
 nspr                      x86_64        4.25.0-2.el7_9         cr        127 k
 nss                       x86_64        3.53.1-3.el7_9         cr        869 k
Updating for dependencies:
 nss-softokn               x86_64        3.53.1-6.el7_9         cr        354 k
 nss-softokn-freebl        x86_64        3.53.1-6.el7_9         cr        322 k
 nss-sysinit               x86_64        3.53.1-3.el7_9         cr         65 k
 nss-tools                 x86_64        3.53.1-3.el7_9         cr        535 k
 nss-util                  x86_64        3.53.1-1.el7_9         cr         79 k

Transaction Summary
================================================================================
Upgrade  2 Packages (+5 Dependent packages)

Total download size: 2.3 M
Is this ok [y/d/N]:
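The question also asks how to validate a package before trusting it. The following POSIX shell script is an added example, not part of the question or the answer above: it first compares the installed nspr version-release against the fixed build named in the question (4.25.0-2.el7_9), then refuses a downloaded .rpm unless rpm can verify its signature and the signing key is the CentOS 7 signing key the system already trusts (short key ID f4a80eb5, long form 24c6a8a7f4a80eb5, the key in /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7). The version comparison relies on GNU `sort -V`, which agrees with rpmvercmp for the versions on this page but is not a full reimplementation, and the signature string shown in the comments is a constructed sample.

```shell
#!/bin/sh
# Added example, not taken from the question or the answer above.
# Two checks a defender wants before pulling nspr/nss from the cr repo or
# from a third-party mirror such as rpmfind.net:
#   1. is the installed version-release actually older than the fixed build?
#   2. is a downloaded .rpm signed by the CentOS 7 signing key that the
#      system already trusts (/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7)?
# Assumptions: GNU coreutils `sort -V`, the rpm tool, and the fixed build
# 4.25.0-2.el7_9 named in the question.

CENTOS7_KEY_ID="24c6a8a7f4a80eb5"   # CentOS-7 Signing Key (short form f4a80eb5)
FIXED_NSPR="4.25.0-2.el7_9"

# Drop an "epoch:" prefix (the question lists packages as nspr-0:4.21.0-1.el7).
strip_epoch() {
    printf '%s\n' "${1#*:}"
}

# Return 0 when version-release $1 is older than $2.
# sort -V matches rpmvercmp for the strings on this page; it is not a full
# reimplementation, and both arguments are assumed to share the same epoch.
evr_lt() {
    a=$(strip_epoch "$1")
    b=$(strip_epoch "$2")
    [ "$a" != "$b" ] && [ "$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n 1)" = "$a" ]
}

# Return 0 when an rpm "Signature:" string names the CentOS 7 key, e.g. the
# constructed sample "RSA/SHA256, Wed 18 Nov 2020 09:37:10 AM UTC, Key ID 24c6a8a7f4a80eb5".
signed_by_centos7() {
    printf '%s\n' "$1" | grep -qi "Key ID ${CENTOS7_KEY_ID}"
}

# Installed version-release of a package, as rpm reports it.
installed_vr() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1"
}

# Inspect a downloaded .rpm. `rpm -K` fails when a signature is present but
# does not verify (key not imported, or header/payload altered); an unsigned
# package passes that step on digests alone, which is why the key ID check
# follows: the Signature field must name the CentOS 7 key, so a package
# re-signed with some other key, even an imported one, is rejected.
check_rpm_file() {
    f="$1"
    rpm -K "$f" >/dev/null 2>&1 || { echo "REJECT: signature/digest check failed: $f"; return 1; }
    sig=$(rpm -qpi "$f" 2>/dev/null | sed -n 's/^Signature *: *//p')
    signed_by_centos7 "$sig" || { echo "REJECT: not signed by the CentOS 7 key: $f (Signature: $sig)"; return 1; }
    echo "OK: $f is signed by the CentOS 7 key"
}

main() {
    cur=$(installed_vr nspr)
    if evr_lt "$cur" "$FIXED_NSPR"; then
        echo "nspr $cur is older than $FIXED_NSPR: fix for CVE-2019-17006 not yet installed"
    else
        echo "nspr $cur is at or above $FIXED_NSPR"
    fi
    for f in "$@"; do
        check_rpm_file "$f"
    done
}

# Only touch the rpm database when invoked with .rpm paths; the comparison and
# signature-string helpers above can be exercised without rpm being present.
if [ $# -ge 1 ]; then
    main "$@"
fi
```

Invoke it as `sh check-nspr.sh nspr-4.25.0-2.el7_9.x86_64.rpm` (the script name is my choice). The point of the key check is that CentOS signs packages at build time, so a file fetched from a mirror that carries a valid CentOS 7 signature is the same artifact the cr repo delivers, while a rebuilt or modified package cannot carry that signature; yum performs the same verification on its own when the repo has gpgcheck=1 and the CentOS 7 key imported.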