Episode #2 - RPM Changelog

Loading the player...

About Episode - Duration: 3 minutes, Published: 2013-05-04

In this episode we will learn how to query and review rpm package information and the changelog history. This can be very helpful in determining whether a bug or CVE security issue has been fixed in a given rpm package.

Download: mp4 or webm

Get notified about future content via the mailing list, follow @jweissig_ on Twitter for episode updates, or use the RSS feed.

Links, Code, and Transcript

In this episode, we are going to review the rpm changelog for the httpd package. Why would we want to do this? Maybe we are bumping up against a bug, and want to see if it is patched, or maybe we went through a security audit, and we want to verify our version of httpd is patched against a particular bug or security issue. Before we take a look at the change log, lets take a look at the rpm package information.

rpm --query --info httpd

As you can see, version 2.2.15 is installed, and it is the 26th revision. What this means, is that even through we are running an older version of httpd, it is regularly getting patched for recent bugs and security issues. Alright, lets take a look at the changelog.

rpm --query --changelog httpd | less

As we scroll down you can see revisions, the date it was released, and the revision number, along with the issues fixed in that revision.

Take this block for example, in February 2012, 2.2.15 revision 16 was released. There were some security issues fixed, these are the CVE numbers, and the Redhat Bugzilla numbers. Or take revision 15 on October 2011, you can see that a security issue was addressed.

Actually, lets take a look at that number, we will just fire it into Google, and take a look at the CVE information. This brings up the vulnerability advisory with a description of the issue, version affected, and hopefully some mitigation suggestions.

Lets flip back to the changelog and look at the Bugzilla id. Same steps, head over to Google, type in Redhat Bugzilla, and the id number, and it should pull it up. As you can see the version affected, severity, how to reproduce the issue. You can also check out the episode notes below for link to the CVE number and the Bugzilla ID, just the get the urls and the website.

rpm --query --changelog httpd | grep CVE-2012-2687
rpm --query --changelog httpd | grep 876923

I typically interact with the changlog by piping the output to grep, then I can search for the CVE or Bugzilla ids, something like this.