2017-12-14 09:49 UTC

ID: 0014158
Project: CentOS-6
Category: procmail
View Status: public
Last Update: 2017-12-11 08:43
Reporter: phade
Priority: high
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version:
Target Version:
Fixed in Version:
Summary: 0014158: procmail bugfix for CVE-2017-168
Description: When will this bug CVE-2017-168 be fixed in procmail for CentOS 6/7 ??
Tags: No tags attached.
Attached Files:

Notes

~0030619

tru (administrator)

When Red Hat will publish it, we will build it.
You can search here https://access.redhat.com/security/security-updates/

By the way there is no CVE-2017-168 and CVE-2017-0168 is not related to CentOS at all according to: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0168.

~0030621

phade (reporter)

Sorry, meant CVE-2017-16844, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16844

This bug is not even mentioned under the security updates at redhat ...

~0030631

toracat (manager)

It is listed in the RH CVE database but no action has been taken:

https://access.redhat.com/security/cve/cve-2017-16844

As tru mentioned, as soon as this is fixed in RHEL, CentOS will get it.

~0030731

avij (manager)

https://access.redhat.com/security/cve/cve-2017-16844 states that a fix has been released for RHEL 7 (and CentOS 7), but procmail in RHEL 6 (and CentOS 6) has been labeled as "Will not fix".

~0030737

phade (reporter)

CentOS 6.x will receive updates until November 2020, right ?
But only if RH 6 will get the fix ?
No backporting ?

RH 6.7 has EUS until end of December 2018

So what's true now ?

~0030738

tru (administrator)

> CentOS 6.x will receive updates until November 2020, right ?
yes

> But only if RH 6 will get the fix ?
yes

> No backporting ?

Red Hat decision, otoh, you can try to appeal. But "important" RHSA is not enough since RHEL6 and thus CentOS6 are now in "production phase 3"

<quote https://access.redhat.com/support/policy/updates/errata/>
Production 3 Phase:
During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available. Other errata advisories may be delivered as appropriate. New functionality and new hardware enablement are not planned for availability in the Production 3 Phase. Minor releases with updated installation images may be made available in this Phase.
</quote>

> RH 6.7 has EUS until end of December 2018
RH EUS is a Red Hat commercial product, CentOS does not have access to these EUS sources, thus not supported.

Issue History
Date Modified Username Field Change
2017-11-21 11:37 phade New Issue
2017-11-21 13:29 tru Note Added: 0030619
2017-11-21 14:30 phade Note Added: 0030621
2017-11-22 01:03 toracat Note Added: 0030631
2017-12-09 16:44 avij Note Added: 0030731
2017-12-11 08:20 phade Note Added: 0030737
2017-12-11 08:43 tru Note Added: 0030738