View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0014681||CentOS-7||nss||public||2018-04-12 04:07||2018-04-12 08:29|
|Target Version||Fixed in Version|
|Summary||0014681: nss security issue is reported|
|Description||We built a base image from the yum repos. An nss security issue was found by the open source tool 'Clair'.|
Refer to 'https://coreos.com/blog/vulnerability-analysis-for-containers.html' to learn more about the 'Clair' tool.
I have uploaded the file with the reported issue as an attachment, from which all of the nss security issues can be spotted.
Actually, this security issue was solved according to the following.
CESA-2017:2832 Important CentOS 7 nss Security Update
CentOS Errata and Security Advisory 2017:2832 Important
Upstream details at : https://access.redhat.com/errata/RHSA-2017:2832
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
We know from the above that this security issue is solved by 'nss-3.28.4-12.el7_4.x86_64.rpm'.
But from the logs below we know our CentOS repo source has the version 'x86_64 3.28.4-8.el7'.
Below is the CentOS case:
nss x86_64 3.28.4-8.el7 local_drop_repo_os 848 k
nss-pem x86_64 1.0.3-4.el7 local_drop_repo_os 73 k
nss-softokn x86_64 3.28.3-6.el7 local_drop_repo_os 309 k
nss-softokn-freebl x86_64 3.28.3-6.el7 local_drop_repo_os 213 k
nss-sysinit x86_64 3.28.4-8.el7 local_drop_repo_os 59 k
nss-tools x86_64 3.28.4-8.el7 local_drop_repo_os 499 k
nss-util x86_64 3.28.4-3.el7 local_drop_repo_os 73 k
Actually, from the site below we know it really is.
I think the official repo should upgrade the relevant nss* packages to solve this issue.
As is well known, the Red Hat repo doesn't have this issue because they upgraded the relevant nss* packages.
Below is the Red Hat case:
nss x86_64 3.34.0-4.el7 local_drop_repo_base 841 k
nss-pem x86_64 1.0.3-4.el7 local_drop_repo_base 73 k
nss-softokn x86_64 3.34.0-2.el7 local_drop_repo_base 311 k
nss-softokn-freebl x86_64 3.34.0-2.el7 local_drop_repo_base 220 k
nss-sysinit x86_64 3.34.0-4.el7 local_drop_repo_base 61 k
nss-tools x86_64 3.34.0-4.el7 local_drop_repo_base 513 k
nss-util x86_64 3.34.0-2.el7 local_drop_repo_base 78 k
|Steps To Reproduce||Build a base Docker image from the CentOS official yum repos.|
Then scan the built Docker image with the Clair tool.
This issue was reported.
analysis-centos-base-1.0-latest.html (38,390 bytes)
|Of course, I think the other security issues in the attached file should also be processed under this report.|
|Your local repo is out of date. The current CentOS 7 nss package is already nss-3.28.4-15.el7_4.x86_64 and has this fix. This package was released around the 20th of October 2017, so it has been fixed for some time. The RHEL package versions you list look like they are probably from 7.5, which is in the process of being rebuilt for CentOS and will be released ASAP when that is done. However, the currently released package is already a higher version number than the one you list as containing the fix.|
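TrevorH's answer turns on RPM's version ordering: the shipped nss-3.28.4-15.el7_4 sorts above the advisory's nss-3.28.4-12.el7_4, while the reporter's mirror copy, 3.28.4-8.el7, sorts below it, which is why a scanner comparing against the advisory flags the mirror and not the current package. As an added example (not code from the tracker or from the CentOS project), here is a Python re-implementation of librpm's EVR comparison, run against the three EVRs quoted in the thread; it implements the '~' pre-release rule but not the newer '^' marker, and the function names are my own.

```python
# Added example (not from the tracker): librpm-style EVR ordering in Python.
import re
from itertools import zip_longest

def _segments(s):
    """Split into digit runs, letter runs and '~' markers; separators vanish."""
    return re.findall(r"\d+|[A-Za-z]+|~", s)

def rpmvercmp(a, b):
    """Order version/release strings like librpm's rpmvercmp(): returns -1, 0 or 1.
    Digit runs compare numerically, letter runs as strings, a digit run beats a
    letter run, a longer string beats its prefix, and '~' sorts below everything."""
    for x, y in zip_longest(_segments(a), _segments(b)):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1  # '~' loses even against end of string
            continue
        if x is None or y is None:
            return -1 if x is None else 1  # the side with segments left is newer
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):  # more significant digits means a larger number
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1  # same length: lexicographic == numeric
    return 0

def split_evr(evr):
    """'[epoch:]version[-release]' -> (epoch, version, release); epoch defaults to 0."""
    m = re.fullmatch(r"(?:(\d+):)?([^-]+)(?:-(.+))?", evr)
    return int(m.group(1) or 0), m.group(2), m.group(3) or ""

def evr_cmp(x, y):
    """Compare two EVR strings: epoch first, then version, then release."""
    (ex, vx, rx), (ey, vy, ry) = split_evr(x), split_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    return rpmvercmp(vx, vy) or rpmvercmp(rx, ry)

def has_fix(installed_evr, fixed_evr):
    """True when the installed package is at or above the advisory's fixed EVR."""
    return evr_cmp(installed_evr, fixed_evr) >= 0

# Values from the tracker thread: the reporter's mirror, the current CentOS build,
# the RHEL 7.5 build, and the EVR the CESA-2017:2832 advisory names as the fix.
FIXED = "3.28.4-12.el7_4"
if __name__ == "__main__":
    for evr in ("3.28.4-8.el7", "3.28.4-15.el7_4", "3.34.0-4.el7"):
        print(f"nss-{evr}: {'has' if has_fix(evr, FIXED) else 'lacks'} the fix")
```

Note that a scanner doing plain string or float comparison on "3.28.4-8" versus "3.28.4-12" would get this backwards; the release field must be compared segment by segment as above.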
|2018-04-12 04:07||zouyu2001518||New Issue|
|2018-04-12 04:07||zouyu2001518||File Added: analysis-centos-base-1.0-latest.html|
|2018-04-12 04:07||zouyu2001518||Tag Attached: nss|
|2018-04-12 06:33||zouyu2001518||Note Added: 0031606|
|2018-04-12 08:29||TrevorH||Status||new => closed|
|2018-04-12 08:29||TrevorH||Resolution||open => fixed|
|2018-04-12 08:29||TrevorH||Note Added: 0031607|