Find the changelog / security log of a Linux rpm package

Posted on September 13, 2007 · 1 comment · LAST UPDATED September 13, 2007

Here is a little-known secret that lets you view the change log of a package. Using the --changelog option you can find out whether a particular security bug has been fixed or not. This is an extremely useful option for production boxes.

For example, CVE-2007-1864 documents that PHP has a serious buffer overflow in the bundled libxmlrpc library in PHP before v4.4.7, and 5.x before 5.2.2. It has unknown impact and remote attack vectors. Now how do you know whether this bug is fixed in your installed php version? Simply type the following command:
rpm -q --changelog php
Better, pipe the output through less:
rpm -q --changelog php | less
Output:

* Wed Apr 04 2007 Joe Orton  5.1.6-12.el5
- add security fix for CVE-2007-1864, SOAP redirect handling issue,
  FTP CRLF injection issue (#235016)
* Wed Apr 04 2007 Joe Orton  5.1.6-11.el5
- add security fix for CVE-2007-1718 (#235016)
* Tue Apr 03 2007 Joe Orton  5.1.6-9.el5
- add security fix for CVE-2007-1583 (#235016)
- add security fixes for CVE-2007-0455, CVE-2007-1001 (#235036)
* Fri Mar 09 2007 Joe Orton  5.1.6-7.el5
- add security fix for CVE-2007-1285 (#231597)
* Fri Feb 16 2007 Joe Orton  5.1.6-6.el5
- add security fixes for: CVE-2007-0906, CVE-2007-0907,
  CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-0988 (#229013)
* Tue Dec 19 2006 Joe Orton  5.1.6-5.el5
- fix version for php-zend-abi (#218758)
* Thu Nov 23 2006 Joe Orton  5.1.6-4.el5
- php-xml provides php-domxml (#215656)
- fix php-pdo-abi provide (#214281)
- provide php-zend-abi (#212804)
- don't Obsolete mod_php
- fix PDO sqlite TEXT extraction truncate-by-one (#217033)
- package php{ize,-config} man pages in -devel (#199382)
- change module subpackages to require php-common not php (#177821)
- add security fix for CVE-2006-5465 (#216114)
......
...
.....

The following command looks at the kernel package changelog:
rpm -q --changelog kernel|less

This option allows you to view the change log without visiting the vendor's or distribution's website. The --changelog option only works with rpm-based packages and distros such as RHEL / CentOS / Fedora / Suse etc. RPM is a very powerful utility and I hope this small tip will save you a lot of time. For more information, read the rpm command man page.
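
The check above can be scripted for several CVE IDs at once. The following is an added example, not part of the original post: the names cve_in_changelog and sample_changelog are made up here, the sample text is an excerpt of the php output shown above, and it assumes the release string is the last field of each "*" header line, as in that output.

```sh
#!/bin/sh
# Added example. Reads `rpm -q --changelog PKG` output on stdin and reports,
# for each CVE ID given as an argument, the newest entry that lists it.
# Exit status is 1 if any requested ID is not listed at all.
cve_in_changelog() {
    awk -v ids="$*" '
    BEGIN { n = split(ids, want, " ") }
    # Entry header, e.g. "* Wed Apr 04 2007 Joe Orton  5.1.6-12.el5".
    # Assumption: the release string is the last field of the header.
    /^\* / { release = $NF; next }
    {
        # Tokenise on characters that cannot occur in a CVE ID, so that
        # CVE-2007-186 never matches CVE-2007-1864. Wrapped continuation
        # lines still belong to the most recent header.
        m = split($0, tok, /[^A-Za-z0-9-]+/)
        for (i = 1; i <= m; i++)
            for (j = 1; j <= n; j++)
                if (tok[i] == want[j] && !(want[j] in seen))
                    seen[want[j]] = release
    }
    END {
        for (j = 1; j <= n; j++) {
            if (want[j] in seen) {
                printf "%s listed in %s\n", want[j], seen[want[j]]
            } else {
                printf "%s NOT LISTED\n", want[j]
                missing = 1
            }
        }
        exit missing + 0
    }'
}

# Excerpt of the php changelog output shown in the post, for offline use.
sample_changelog() {
    cat <<'EOF'
* Wed Apr 04 2007 Joe Orton  5.1.6-12.el5
- add security fix for CVE-2007-1864, SOAP redirect handling issue,
  FTP CRLF injection issue (#235016)
* Fri Feb 16 2007 Joe Orton  5.1.6-6.el5
- add security fixes for: CVE-2007-0906, CVE-2007-0907,
  CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-0988 (#229013)
EOF
}

# On a real host: rpm -q --changelog php | cve_in_changelog CVE-2007-1864
sample_changelog | cve_in_changelog CVE-2007-1864 CVE-2007-0909
```

Because the function returns a non-zero status when an ID is missing, it can gate a patch-compliance script run across several hosts.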


1 Honzik April 12, 2011 at 4:22 pm

rpm -qi --changelog kernel-2.4.21-63.EL | grep CVE
will list all CVE fixes which are included in an already installed package

If you want to know the CVE fixes which a new rpm package (not installed yet) brings you, run
rpm -qp --changelog kernel-2.4.21-63.EL.i686.rpm | grep CVE

This example is for kernel package.
