How to check if packages in RHEL-based Linux distributions have been patched for specific CVEs

Curious to know in case your Purple Hat Enterprise Linux-based distribution has been patched towards a particular CVE for a sure put in package deal? Jack Wallen reveals you the way.

Binary code, password vulnerability taking out with tweezers, selective focus

Picture: MyImages_Micha, Getty Photos/iStockphoto

Should-read developer content material

CVEs (Widespread Vulnerabilities and Exposures) are continually being found and patched. When found, it means a brand new safety flaw exists in both an working system or a chunk of software program and must be patched as quickly as potential. Fixing the vulnerabilities, after all, is as much as the builders. Patching these vulnerabilities, nonetheless, is as much as the admin (or person). Factor is, you may not know in case you’re utilizing a chunk of software program that features a number of CVEs.  

How do you uncover this data? Do you must spend hours researching? Not likely. The truth is, all you should know is the CVE you are on the lookout for and the piece of software program it impacts. With these two bits of knowledge in hand, you may shortly uncover if what’s put in in your Purple Hat Enterprise Linux-based distribution accommodates that vulnerability.

I will present you tips on how to do exactly that.

SEE: 40+ open supply and Linux phrases you should know (TechRepublic Premium)

What you may want

The one factor you may must make this work is a operating occasion of an RHEL-based Linux distribution (corresponding to AlmaLinux, Rocky Linux or Fedora Linux). You do not even want a person account with sudo privileges (only a common ol’ person). 

You will have to know which CVE you are on the lookout for. I favor to go over to the official dwelling of CVE listings at You are able to do a fast package-based search to view an entire listing of packages which have related CVEs.

With that OS and CVE prepared, let’s examine for vulnerabilities.

The way to Run a CVE Examine

This is the deal: The CVE examine is kind of easy. We will pipe the changelog output from the rpm command to the grep command to listing any potential CVEs. The syntax of the command is:

rpm -q --changelog PACKAGE | grep CVE

The place PACKAGE is the title of the put in software program to be checked, and CVE is the complete title of the CVE in query. Earlier than we try this, let’s check out the non-piped output of the OpenSSH package deal. Subject the command:

rpm -q --changelog openssh

The output must be an entire itemizing of the changelog for openssh (Determine A). 

Determine A


The whole changelog of the put in model of openssh on Alma Linux.

You would scroll by way of your complete itemizing for the CVE you are on the lookout for, or you would pipe it by way of grep and have the command do the heavy lifting. To illustrate you are on the lookout for CVE-2020-14145, which is described as:

In OpenSSH 7.9, as a consequence of accepting and displaying arbitrary stderr output from the server, a malicious server (or man-in-the-middle attacker) can manipulate the shopper output, for instance, to make use of ANSI management codes to cover extra recordsdata being transferred.

To examine towards that vulnerability, the command could be:

rpm -q --changelog openssh | grep CVE-2020-14145

In the event you see something within the output, it means openssh has been patched towards that vulnerability (Determine B).

Determine B


OpenSSH has been patched towards CVE-2020-14145 in AlmaLinux.

In the event you do not see something within the output, it means openssh has not been patched and you must improve instantly. So long as the builders of openssh have patched the supply and it is obtainable within the distribution repositories, the improve ought to handle the difficulty.

To improve the package deal in query, problem the command (which does require sudo privileges):

sudo dnf improve PACKAGE

The place PACKAGE is the software program in query. As soon as the improve completes, run the CVE examine once more to see if the package deal has been patched for the vulnerability. If not, preserve coming again to the improve, and (hopefully) the software program maintainers will get that problem fastened asap.

And that is all there’s to checking for CVE vulnerabilities within the packages you’ve put in in your RHEL-based Linux distributions.

Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the newest tech recommendation for enterprise execs from Jack Wallen.

Additionally see

Recent Articles


Related Stories

Leave A Reply

Please enter your comment!
Please enter your name here

Stay on op - Ge the daily news in your inbox