0017386: CentOS Official Repositories are missing Fixed Vulnerability Packages

ID	Project	Category	View Status	Date Submitted	Last Update

0017386	CentOS-8	dnf	public	2020-05-22 10:06	2020-05-26 23:34

Reporter	ankitvashistha
Priority	high	Severity	major	Reproducibility	always
Status	new	Resolution	open
Product Version
Target Version		Fixed in Version

Summary	0017386: CentOS Official Repositories are missing Fixed Vulnerability Packages
Description	I am using CentOS:8 image on Docker and have recently got reported about many vulnerable system packages whose fixes are available. Following are the Vulnerability IDs and their fixes in specified versions however, the same are not available in the CentOS repositories. How can i update all these packages. Also, is there any repository which is certified by CentOS which i can use to get the latest version of packages or at-least the versions with vulnerability fixes in them. CVE - Pkg Name - Fix version -------------------------------------------------------------- RHSA-2020:1827 - libxml2 - 0:2.9.7-7.el8 RHSA-2020:1792 - curl - 0:7.61.1-12.el8 RHSA-2020:1804 - sudo - 0:1.8.29-5.el8 RHSA-2020:1794 - systemd - 239-29.el8 RHSA-2020:1787 - unzip - 6.0-43.el8 RHSA-2020:1852 - patch - 2.7.6-11.el8 RHSA-2020:1828 - glibc - 2.28-101.el8 RHSA-2020:1840 - openssl - 1.1.1c-15.el8 RHSA-2020:1797 - binutils - 2.30-73.el8
Steps To Reproduce	dnf update -y and check for fixed versions.
Additional Information	I am using official CentOS repositories to rely on the updates available for fixed vulnerabilities.
Tags	docker, repo, systemd

Date Modified	Username	Field
2020-05-22 10:06	ankitvashistha	New Issue
2020-05-22 10:06	ankitvashistha	Tag Attached: docker
2020-05-22 10:06	ankitvashistha	Tag Attached: repo
2020-05-22 10:06	ankitvashistha	Tag Attached: systemd
2020-05-26 23:34	antaln	Note Added: 0036999

antaln 2020-05-26 23:34 reporter ~0036999	RHSA-* is short for "Red Hat Security Advisory", and describes vulnerabilities and fixes in RedHat Enterprise Linux (RHEL). There is a delay between RHEL patches being released and them landing into CentOS, so there isn't much more to do than to wait, and apply any workarounds/mitigations described in RHSA until then.