How can I install nspr 4.25 on CentOS 7?

DrTeeth asked:

I’m trying to resolve a security vulnerability – specifically . The general solution is to update packages

  • nspr-0:4.21.0-1.el7
  • nss-0:3.44.0-7.el7_7
  • nss-softokn-0:3.44.0-8.el7_7
  • nss-softokn-freebl-0:3.44.0-8.el7_7
  • nss-sysinit-0:3.44.0-7.el7_7
  • nss-tools-0:3.44.0-7.el7_7
  • nss-util-0:3.44.0-4.el7_7

So I tried the standard yum update, but that seems to think that 4.21 is the latest version of nspr, and that’s already installed. The vulnerability wasn’t fixed until 4.25. I tried Googling around, and at least from the official CentOS sites I found, they also believe 4.21 to be the latest version.

However – lists both 4.25 and 4.29 versions, e.g.

It seems dicey to me to start resolving security vulnerabilities with I don’t see how these are signed by official CentOS (or RHEL) authors, so are these safe to just use as-is? Is there a way to validate the author / package release?

What is the "right" way to resolve a vulnerability like this when the OS vendor hasn’t released a fix through the package manager?

My answer:

The updates you are looking for were released in RHEL 7.9, but CentOS (which is based on RHEL) has not yet updated to 7.9.

If you need early access to it, you can get packages for the next minor CentOS 7 release in the cr repo.

[[email protected] ~]# yum --enablerepo=cr update nspr nss
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base:
 * extras:
 * updates:
Resolving Dependencies
--> Running transaction check
---> Package nspr.x86_64 0:4.21.0-1.el7 will be updated
---> Package nspr.x86_64 0:4.25.0-2.el7_9 will be an update
---> Package nss.x86_64 0:3.44.0-7.el7_7 will be updated
--> Processing Dependency: nss = 3.44.0-7.el7_7 for package: nss-sysinit-3.44.0-7.el7_7.x86_64
--> Processing Dependency: nss(x86-64) = 3.44.0-7.el7_7 for package: nss-tools-3.44.0-7.el7_7.x86_64
---> Package nss.x86_64 0:3.53.1-3.el7_9 will be an update
--> Processing Dependency: nss-util >= 3.53.1-1 for package: nss-3.53.1-3.el7_9.x86_64
--> Processing Dependency: nss-softokn(x86-64) >= 3.53.1-2 for package: nss-3.53.1-3.el7_9.x86_64
--> Running transaction check
---> Package nss-softokn.x86_64 0:3.44.0-8.el7_7 will be updated
---> Package nss-softokn.x86_64 0:3.53.1-6.el7_9 will be an update
--> Processing Dependency: nss-softokn-freebl(x86-64) >= 3.53.1-6.el7_9 for package: nss-softokn-3.53.1-6.el7_9.x86_64
---> Package nss-sysinit.x86_64 0:3.44.0-7.el7_7 will be updated
---> Package nss-sysinit.x86_64 0:3.53.1-3.el7_9 will be an update
---> Package nss-tools.x86_64 0:3.44.0-7.el7_7 will be updated
---> Package nss-tools.x86_64 0:3.53.1-3.el7_9 will be an update
---> Package nss-util.x86_64 0:3.44.0-4.el7_7 will be updated
---> Package nss-util.x86_64 0:3.53.1-1.el7_9 will be an update
--> Running transaction check
---> Package nss-softokn-freebl.x86_64 0:3.44.0-8.el7_7 will be updated
---> Package nss-softokn-freebl.x86_64 0:3.53.1-6.el7_9 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

 Package                   Arch          Version                Repository
 nspr                      x86_64        4.25.0-2.el7_9         cr        127 k
 nss                       x86_64        3.53.1-3.el7_9         cr        869 k
Updating for dependencies:
 nss-softokn               x86_64        3.53.1-6.el7_9         cr        354 k
 nss-softokn-freebl        x86_64        3.53.1-6.el7_9         cr        322 k
 nss-sysinit               x86_64        3.53.1-3.el7_9         cr         65 k
 nss-tools                 x86_64        3.53.1-3.el7_9         cr        535 k
 nss-util                  x86_64        3.53.1-1.el7_9         cr         79 k

Transaction Summary
Upgrade  2 Packages (+5 Dependent packages)

Total download size: 2.3 M
Is this ok [y/d/N]: 

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.