View Issue Details

ID: 0014158
Project: CentOS-6
Category: procmail
View Status: public
Last Update: 2017-12-11 08:43
Reporter: phade
Priority: high
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version:
Target Version:
Fixed in Version:
Summary: 0014158: procmail bugfix for CVE-2017-168
Description: When will this bug CVE-2017-168 be fixed in procmail for CentOS 6/7?
Tags: No tags attached.

Activities

tru

2017-11-21 13:29

administrator   ~0030619

When Red Hat publishes it, we will build it.
You can search here: https://access.redhat.com/security/security-updates/

By the way, there is no CVE-2017-168, and CVE-2017-0168 is not related to CentOS at all according to: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0168.

phade

2017-11-21 14:30

reporter   ~0030621

Sorry, meant CVE-2017-16844, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16844

This bug is not even mentioned under the security updates at Red Hat ...

toracat

2017-11-22 01:03

manager   ~0030631

It is listed in the RH CVE database but no action has been taken:

https://access.redhat.com/security/cve/cve-2017-16844

As tru mentioned, as soon as this is fixed in RHEL, CentOS will get it.

avij

2017-12-09 16:44

manager   ~0030731

https://access.redhat.com/security/cve/cve-2017-16844 states that a fix has been released for RHEL 7 (and CentOS 7), but procmail in RHEL 6 (and CentOS 6) has been labeled as "Will not fix".

phade

2017-12-11 08:20

reporter   ~0030737

CentOS 6.x will receive updates until November 2020, right?
But only if RH 6 gets the fix?
No backporting?

RH 6.7 has EUS until the end of December 2018.

So what's true now?

tru

2017-12-11 08:43

administrator   ~0030738

> CentOS 6.x will receive updates until November 2020, right?
yes

> But only if RH 6 gets the fix?
yes

> No backporting?

Red Hat's decision; OTOH, you can try to appeal. But an "important" RHSA is not enough, since RHEL6 and thus CentOS6 are now in "production phase 3".

<quote https://access.redhat.com/support/policy/updates/errata/>
Production 3 Phase:
During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available. Other errata advisories may be delivered as appropriate. New functionality and new hardware enablement are not planned for availability in the Production 3 Phase. Minor releases with updated installation images may be made available in this Phase.
</quote>

> RH 6.7 has EUS until the end of December 2018.
RH EUS is a Red Hat commercial product; CentOS does not have access to these EUS sources, thus it is not supported.

Issue History

Date Modified Username Field Change
2017-11-21 11:37 phade New Issue
2017-11-21 13:29 tru Note Added: 0030619
2017-11-21 14:30 phade Note Added: 0030621
2017-11-22 01:03 toracat Note Added: 0030631
2017-12-09 16:44 avij Note Added: 0030731
2017-12-11 08:20 phade Note Added: 0030737
2017-12-11 08:43 tru Note Added: 0030738