View Issue Details

ID: 0017386
Project: CentOS-8
Category: dnf
View Status: public
Last Update: 2020-05-26 23:34
Reporter: ankitvashistha
Assigned To:
Status: new
Resolution: open
Summary: 0017386: CentOS Official Repositories are missing Fixed Vulnerability Packages
Description: I am using the CentOS:8 image on Docker and have recently been notified about many vulnerable system packages whose fixes are available. Following are the vulnerability IDs and their fixes in the specified versions; however, the same are not available in the CentOS repositories. How can I update all these packages? Also, is there any repository certified by CentOS which I can use to get the latest versions of packages, or at least the versions with the vulnerability fixes in them?

CVE - Pkg Name - Fix version
RHSA-2020:1827 - libxml2 - 0:2.9.7-7.el8
RHSA-2020:1792 - curl - 0:7.61.1-12.el8
RHSA-2020:1804 - sudo - 0:1.8.29-5.el8
RHSA-2020:1794 - systemd - 239-29.el8
RHSA-2020:1787 - unzip - 6.0-43.el8
RHSA-2020:1852 - patch - 2.7.6-11.el8
RHSA-2020:1828 - glibc - 2.28-101.el8
RHSA-2020:1840 - openssl - 1.1.1c-15.el8
RHSA-2020:1797 - binutils - 2.30-73.el8
Steps To Reproduce:
dnf update -y

and check for fixed versions.
Additional Information: I am using official CentOS repositories to rely on the updates available for fixed vulnerabilities.
Tags: docker, repo, systemd
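As an added example (not part of this bug report, and not CentOS or dnf tooling), the check the reporter is doing by hand can be scripted: compare each installed package's epoch:version-release against the fix versions listed in the report, using a re-implementation of rpm's EVR ordering so that "239-29.el8" and "0:239-29.el8" compare equal and "2.28-72.el8" correctly sorts below "2.28-101.el8". The `rpm -qa` snapshot below is constructed for illustration.

```python
import re
from itertools import zip_longest

# Fix versions exactly as listed in the report above (package -> EVR).
ADVISORY_FIXES = {
    "libxml2": "0:2.9.7-7.el8", "curl": "0:7.61.1-12.el8", "sudo": "0:1.8.29-5.el8",
    "systemd": "239-29.el8", "unzip": "6.0-43.el8", "patch": "2.7.6-11.el8",
    "glibc": "2.28-101.el8", "openssl": "1.1.1c-15.el8", "binutils": "2.30-73.el8",
}

# Constructed sample of what `rpm -qa --qf '%{NAME} %{EVR}\n'` could print inside
# the container; illustrative values only, not taken from a real image.
SAMPLE_RPM_QA = """\
libxml2 0:2.9.7-7.el8
curl 0:7.61.1-11.el8
sudo 0:1.8.29-3.el8
systemd 239-18.el8
openssl 0:1.1.1c-2.el8
glibc 2.28-72.el8
"""

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")

def rpmvercmp(a, b):
    """Subset of librpm's rpmvercmp: compare digit/alpha runs; '~' sorts lowest."""
    for x, y in zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x == y:
            continue
        if x == "~": return -1   # tilde sorts before anything, even end of string
        if y == "~": return 1
        if x is None: return -1  # shorter string is older: "1.1.1" < "1.1.1c"
        if y is None: return 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment beats an alpha one
        x, y = (int(x), int(y)) if x.isdigit() else (x, y)
        return (x > y) - (x < y)
    return 0

def parse_evr(evr):
    """Split 'E:V-R' into (int epoch, version, release); a missing epoch means 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return int(epoch), version, release

def evr_cmp(a, b):
    """-1/0/1 in rpm's EVR order: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    return (ea > eb) - (ea < eb) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def audit(rpm_qa_output, fixes=ADVISORY_FIXES):
    """Return {pkg: (installed, fixed)} for installed packages still below the fix.
    Packages in the fix list that are not installed are skipped (nothing to patch)."""
    installed = dict(line.split() for line in rpm_qa_output.splitlines() if line.strip())
    return {p: (installed[p], fixes[p]) for p in fixes
            if p in installed and evr_cmp(installed[p], fixes[p]) < 0}

if __name__ == "__main__":
    for pkg, (have, want) in audit(SAMPLE_RPM_QA).items():
        print(f"{pkg}: installed {have} is below fixed {want}")
```

Always compare the full EVR: if a scanner report drops the epoch while `rpm` prints it (or vice versa), a plain string comparison can report a vulnerable package as fixed.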

Note ~0036999, added by antaln (reporter) on 2020-05-26 23:34:

RHSA-* is short for "Red Hat Security Advisory", and describes vulnerabilities and fixes in Red Hat Enterprise Linux (RHEL).
There is a delay between RHEL patches being released and them landing in CentOS, so there isn't much more to do than to wait, and apply any workarounds/mitigations described in the RHSA until then.

Issue History

Date Modified | Username | Field | Change
2020-05-22 10:06 | ankitvashistha | New Issue |
2020-05-22 10:06 | ankitvashistha | Tag Attached | docker
2020-05-22 10:06 | ankitvashistha | Tag Attached | repo
2020-05-22 10:06 | ankitvashistha | Tag Attached | systemd
2020-05-26 23:34 | antaln | Note Added | 0036999