How can I install nspr 4.25 on CentOS 7?
I'm trying to resolve a security vulnerability - specifically https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17006 . The general solution is to update packages
- nspr-0:4.21.0-1.el7
- nss-0:3.44.0-7.el7_7
- nss-softokn-0:3.44.0-8.el7_7
- nss-softokn-freebl-0:3.44.0-8.el7_7
- nss-sysinit-0:3.44.0-7.el7_7
- nss-tools-0:3.44.0-7.el7_7
- nss-util-0:3.44.0-4.el7_7
So I tried the standard yum update, but that seems to think that 4.21 is the latest version of nspr, and that's already installed. The vulnerability wasn't fixed until 4.25. I tried Googling around, and at least from the official CentOS sites I found, they also believe 4.21 to be the latest version.
However - rpmfind.net lists both 4.25 and 4.29 versions, e.g. http://fr2.rpmfind.net/linux/RPM/centos/updates/7.9.2009/x86_64/Packages/nspr-4.25.0-2.el7_9.x86_64.html
It seems dicey to me to start resolving security vulnerabilities with rpmfind.net. I don't see how these are signed by official CentOS (or RHEL) authors, so are these safe to just use as-is? Is there a way to validate the author / package release?
What is the "right" way to resolve a vulnerability like this when the OS vendor hasn't released a fix through the package manager?
Solution 1:
The updates you are looking for were released in RHEL 7.9, but CentOS (which is based on RHEL) has not yet updated to 7.9.
If you need early access to it, you can get packages for the next minor CentOS 7 release in the cr repo.
[root@vmtest-centos7 ~]# yum --enablerepo=cr update nspr nss
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.vexxhost.com
* extras: centos.mirror.vexxhost.com
* updates: centos.mirror.vexxhost.com
Resolving Dependencies
--> Running transaction check
---> Package nspr.x86_64 0:4.21.0-1.el7 will be updated
---> Package nspr.x86_64 0:4.25.0-2.el7_9 will be an update
---> Package nss.x86_64 0:3.44.0-7.el7_7 will be updated
--> Processing Dependency: nss = 3.44.0-7.el7_7 for package: nss-sysinit-3.44.0-7.el7_7.x86_64
--> Processing Dependency: nss(x86-64) = 3.44.0-7.el7_7 for package: nss-tools-3.44.0-7.el7_7.x86_64
---> Package nss.x86_64 0:3.53.1-3.el7_9 will be an update
--> Processing Dependency: nss-util >= 3.53.1-1 for package: nss-3.53.1-3.el7_9.x86_64
--> Processing Dependency: nss-softokn(x86-64) >= 3.53.1-2 for package: nss-3.53.1-3.el7_9.x86_64
--> Running transaction check
---> Package nss-softokn.x86_64 0:3.44.0-8.el7_7 will be updated
---> Package nss-softokn.x86_64 0:3.53.1-6.el7_9 will be an update
--> Processing Dependency: nss-softokn-freebl(x86-64) >= 3.53.1-6.el7_9 for package: nss-softokn-3.53.1-6.el7_9.x86_64
---> Package nss-sysinit.x86_64 0:3.44.0-7.el7_7 will be updated
---> Package nss-sysinit.x86_64 0:3.53.1-3.el7_9 will be an update
---> Package nss-tools.x86_64 0:3.44.0-7.el7_7 will be updated
---> Package nss-tools.x86_64 0:3.53.1-3.el7_9 will be an update
---> Package nss-util.x86_64 0:3.44.0-4.el7_7 will be updated
---> Package nss-util.x86_64 0:3.53.1-1.el7_9 will be an update
--> Running transaction check
---> Package nss-softokn-freebl.x86_64 0:3.44.0-8.el7_7 will be updated
---> Package nss-softokn-freebl.x86_64 0:3.53.1-6.el7_9 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Updating:
nspr x86_64 4.25.0-2.el7_9 cr 127 k
nss x86_64 3.53.1-3.el7_9 cr 869 k
Updating for dependencies:
nss-softokn x86_64 3.53.1-6.el7_9 cr 354 k
nss-softokn-freebl x86_64 3.53.1-6.el7_9 cr 322 k
nss-sysinit x86_64 3.53.1-3.el7_9 cr 65 k
nss-tools x86_64 3.53.1-3.el7_9 cr 535 k
nss-util x86_64 3.53.1-1.el7_9 cr 79 k
Transaction Summary
================================================================================
Upgrade 2 Packages (+5 Dependent packages)
Total download size: 2.3 M
Is this ok [y/d/N]:
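The question also asks how to tell whether a package from somewhere other than the stock repos (the cr repo, or a mirror such as rpmfind.net) really came from the CentOS project. The following is an added example, not part of the original question or answer: a small POSIX sh script that checks an RPM's signature and confirms the signing key is the CentOS-7 release key. It assumes the CentOS-7 key ID 24c6a8a7f4a80eb5 (the key shipped as /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 and listed by rpm as gpg-pubkey-f4a80eb5-*), and the format that rpm's pgpsig header tag prints ("RSA/SHA256, <date>, Key ID <16 hex digits>"). The sample signature strings in the block are constructed, not captured from a real package.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether an .rpm file,
# e.g. nspr-4.25.0-2.el7_9.x86_64.rpm fetched from the cr repo or a mirror,
# was signed with the CentOS-7 release key before installing it.
# Assumption: the CentOS-7 signing key ID below, and the pgpsig header
# format "RSA/SHA256, <date>, Key ID <16 hex digits>".

CENTOS7_KEY_ID="24c6a8a7f4a80eb5"

# pgpsig_key_id SIGSTRING
# Print the lowercase 16-hex-digit key ID from a pgpsig header string such as
# "RSA/SHA256, Wed 02 Sep 2020 12:00:00 PM UTC, Key ID 24c6a8a7f4a80eb5".
# Returns 1 and prints nothing for an unsigned package ("(none)").
pgpsig_key_id() {
    sig="$1"
    case "$sig" in
        *"Key ID "*) ;;
        *) return 1 ;;
    esac
    id="${sig##*Key ID }"
    printf '%s\n' "$id" | tr 'A-Z' 'a-z' | cut -c1-16
}

# signed_by SIGSTRING EXPECTED_KEY_ID
# Returns 0 only when the signature header names the expected key
# (comparison is case-insensitive, since rpm and gpg differ in case).
signed_by() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    got=$(pgpsig_key_id "$1") || return 1
    [ "$got" = "$want" ]
}

# verify_rpm FILE
# Real check on a downloaded .rpm. Step 1: rpm -K verifies digests and the
# signature against the keys imported into the rpm database (it fails if the
# CentOS-7 key has not been imported). Step 2: the key that signed it must be
# the CentOS-7 key, not merely some key rpm happens to trust.
verify_rpm() {
    f="$1"
    rpm -K "$f" >/dev/null 2>&1 || { echo "BAD: signature/digest check failed for $f"; return 1; }
    sig=$(rpm -qp --nosignature --qf '%{SIGPGP:pgpsig}' "$f" 2>/dev/null)
    signed_by "$sig" "$CENTOS7_KEY_ID" || { echo "BAD: $f signed by '$sig', not the CentOS-7 key"; return 1; }
    echo "OK: $f signed with CentOS-7 key $CENTOS7_KEY_ID"
}

# Constructed sample header strings (not captured from a real package).
GOOD_SIG="RSA/SHA256, Wed 02 Sep 2020 12:00:00 PM UTC, Key ID 24c6a8a7f4a80eb5"
OTHER_SIG="RSA/SHA256, Wed 02 Sep 2020 12:00:00 PM UTC, Key ID 0123456789abcdef"
UNSIGNED="(none)"

if signed_by "$GOOD_SIG" "$CENTOS7_KEY_ID"; then echo "sample 1: CentOS-7 key, accept"; fi
if ! signed_by "$OTHER_SIG" "$CENTOS7_KEY_ID"; then echo "sample 2: foreign key, refuse"; fi
if ! signed_by "$UNSIGNED" "$CENTOS7_KEY_ID"; then echo "sample 3: unsigned, refuse"; fi

# With rpm installed, check any .rpm files given on the command line.
if command -v rpm >/dev/null 2>&1; then
    for f in "$@"; do verify_rpm "$f"; done
fi
```

Usage: sh verify.sh nspr-4.25.0-2.el7_9.x86_64.rpm. A signature that verifies under rpm -K but names a different key is still a reason to refuse the file: rpm -K only proves the package was signed by some key in the rpm database, so the second step pins it to the CentOS-7 key. For the cr repo itself, yum does this for you as long as gpgcheck=1 and the gpgkey line in /etc/yum.repos.d/CentOS-CR.repo points at RPM-GPG-KEY-CentOS-7, which is worth checking before enabling the repo.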