I'm running RHEL 7.9 64b.
This was a manual Nagios install.
SSL is being used, but otherwise it is a very vanilla install. Nothing altered other than setting up monitoring for hosts.
A Nessus scan is reporting a vulnerability in PostgreSQL 9.2.24 and wants to see at least 9.3.23:
Path : /usr/bin/postgres (via package manager)
Installed version : 9.2.24
Fixed version : 9.3.23
Yum update has been run and shows 9.2.24 as the latest version.
What is the best way to move forward and correct this issue?
Thanks
Nagios xi PostgreSQL 9.2.24 Upgrade
-
- Posts: 6
- Joined: Thu Aug 15, 2019 2:03 pm
Re: Nagios xi PostgreSQL 9.2.24 Upgrade
I forgot to add that I'm running Nagios xi 5.8.3.
-
- Posts: 1253
- Joined: Tue Mar 02, 2021 11:15 am
Re: Nagios xi PostgreSQL 9.2.24 Upgrade
Hi
We here at Nagios Enterprises don't choose which versions of packages such as PHP or Apache to install. Those decisions are made by the operating system vendor, i.e., RHEL or CentOS.
To mitigate security vulnerabilities while avoiding backward compatibility issues, RHEL, and by extension CentOS, uses a process known as backporting. Here's how it works: RHEL patches the supported versions of these packages with the security fixes from the newer versions of these packages. For example, they will take the code from, say, PHP 7.2 and apply the security vulnerability fixes from that version to the shipped version, in the case of RHEL 7, PHP 5.4.16.
https://access.redhat.com/security/updates/backporting
A security audit that checks only the version numbers of installed packages does not take this process into account.
1. Can you find out how Nessus determined you had a vulnerability?
2. Try to find if Red Hat/CentOS has already patched this vulnerability via backporting?
3. Ask CentOS if they will officially support PostgreSQL 9.3.23?
If you get no help with the three points above, it might require an upgrade to CentOS 8 and MySQL.
Let me know what you find out please.
Thanks
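Added example, not part of the original posts and not Nagios or Red Hat code: one way to check point 2 above is to read the package changelog, where backported fixes are recorded, instead of comparing upstream version numbers. The CVE ids, packager name and changelog entries below are constructed placeholders, and the function names are hypothetical; on a real host the input would come from `rpm -q --changelog postgresql-server`.

```sh
#!/bin/sh
# Constructed sample of `rpm -q --changelog <package>` output (not real data).
sample_changelog() {
cat <<'EOF'
* Tue Jan 01 2019 Example Packager <pkg@example.invalid> - 9.2.24-2
- Backport fix for CVE-0000-0001 (constructed placeholder)
* Mon Jan 01 2018 Example Packager <pkg@example.invalid> - 9.2.24-1
- Rebase to upstream 9.2.24
- Resolves CVE-0000-0002 (constructed placeholder)
EOF
}

# cve_status CVE-ID...
# Reads changelog text on stdin. For each CVE id, prints the version-release
# of the changelog entry that mentions it, or "not-in-changelog".
# Assumes each entry header ends with "- <version>-<release>".
cve_status() {
    changelog=$(cat)
    for cve in "$@"; do
        entry=$(printf '%s\n' "$changelog" | awk -v cve="$cve" '
            /^\* / { header = $0; next }      # remember the current entry header
            # match the id only when it is not followed by more digits
            toupper($0) ~ (toupper(cve) "($|[^0-9])") { print header; exit }
        ')
        if [ -n "$entry" ]; then
            # the last space-separated field of the header is version-release
            echo "$cve backported in ${entry##* }"
        else
            echo "$cve not-in-changelog"
        fi
    done
}

# Offline demo on the constructed sample. On a real RHEL/CentOS host:
#   rpm -q --changelog postgresql-server | cve_status <CVE ids from the Nessus report>
sample_changelog | cve_status CVE-0000-0001 CVE-0000-0002 CVE-0000-0003
```

A "not-in-changelog" result only means the changelog does not name the CVE; the vendor's advisory page for that CVE remains the authoritative answer.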
-
- Posts: 6
- Joined: Thu Aug 15, 2019 2:03 pm
Re: Nagios xi PostgreSQL 9.2.24 Upgrade
Nessus is just looking at the installed version of PostgreSQL. You may be right on the backporting issue, I'll have to look into that.
I guess the question I really should have asked is: Can I upgrade to PostgreSQL 9.3.23 or newer without breaking Nagios? So far, I have been unable to find any docs on PostgreSQL requirements for Nagios, newest supported version, or any PostgreSQL upgrade documentation as it relates to Nagios.
Thanks
-
- Posts: 1253
- Joined: Tue Mar 02, 2021 11:15 am
Re: Nagios xi PostgreSQL 9.2.24 Upgrade
Hi,
For things like the database and Apache, as long as it is approved for use by the OS vendor then we will support Nagios running on it. Unfortunately it looks like for CentOS 7 PostgreSQL 9.2.24 is the last supported PostgreSQL version.
Going forward Nagios is using MySQL only. It might make sense to make the jump to CentOS 8; it looks like they are supporting PostgreSQL 10.15. Once successfully on CentOS 8 with PostgreSQL you could then migrate to MySQL if you like.
Let me know if you need anything else, or if I can close this out.
Thanks
-
- Posts: 6
- Joined: Thu Aug 15, 2019 2:03 pm
Re: Nagios xi PostgreSQL 9.2.24 Upgrade
Actually, it appears that my install of Nagios wasn't even using PostgreSQL. I'm not sure why it was installed on the server, but my apologies for wasting everyone's time on this.
-
- Posts: 1253
- Joined: Tue Mar 02, 2021 11:15 am
Re: Nagios xi PostgreSQL 9.2.24 Upgrade
Hi,
No worries. Glad you don't have that issue to deal with.
Thanks