View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0018351 | CentOS-7 | xstream | public | 2021-11-12 17:28 | 2021-11-15 18:00 |
Reporter | makashu | Assigned To | |||
Priority | urgent | Severity | major | Reproducibility | always |
Status | new | Resolution | open | ||
Platform | x86_64 | OS | 3.10.0-1160.45.1.el7.x86_64 | OS Version | 7.9.2009 |
Product Version | 7.9.2009 | ||||
Summary | 0018351: XStream Arbitrary Code Execution And Multiple vulnerabilities | ||||
Description | The current CentOS 7 version 7.9.2009 (kernel version: 3.10.0-1160.45.1.el7.x86_64) does not seem to have the latest fix, in version 1.4.18, for the XStream library. The XStream version available on CentOS 7 is xstream-1.3.1. This has been reported by the built-in Qualys vulnerability assessment on a virtual machine running CentOS 7, with a CVSS base score (v2.0: 9.3, v3.0: 9.9). As per the remediation step, it points to https://x-stream.github.io/security.html, which requires the latest version, i.e. 1.4.18, of the XStream library. Currently it seems that version 1.4.18 is available only for CentOS 8 at https://centos.pkgs.org/8/epel-x86_64/xstream-1.4.18-3.el8.noarch.rpm.html. Can I please request that the security fix in 1.4.18 for XStream be made available for CentOS 7 as well? | ||||
Tags | No tags attached. | ||||
abrt_hash | |||||
URL | |||||
The package changelog lists the following that have been patched this year:

* Tue Jun 08 2021 Marian Koncek <mkoncek@redhat.com> - 1.3.1-14
- Fix remote code execution vulnerability
- Resolves: CVE-2021-29505

* Tue Apr 13 2021 Marian Koncek <mkoncek@redhat.com> - 1.3.1-13
- Fix remote code execution vulnerability
- Resolves: CVE-2021-21344
- Resolves: CVE-2021-21345
- Resolves: CVE-2021-21346
- Resolves: CVE-2021-21347
- Resolves: CVE-2021-21350
Thanks, but the vulnerability has been reported for the following CVEs: CVE-2021-39139, CVE-2021-39140, CVE-2021-39141, CVE-2021-39144, CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39150, CVE-2021-39151, CVE-2021-39152, CVE-2021-39153, CVE-2021-39154, CVE-2021-29505, CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350, CVE-2021-21351, CVE-2020-26258, CVE-2020-26259, CVE-2020-26217, CVE-2017-7957, CVE-2016-3674, CVE-2013-7285
You will need to report this to Red Hat via bugzilla.redhat.com to get anything fixed. CentOS only rebuilds what RH make available for RHEL 7. You should probably check the CVE status on their CVE pages for each one in that list to see what they say about each one. For example, the oldest in the list is https://access.redhat.com/security/cve/CVE-2013-7285 and says it is unaffected for RHEL 7.
Hi @TrevorH - Thanks for your inputs, I have created https://bugzilla.redhat.com/show_bug.cgi?id=2023445 to track the bug for RHEL 7
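The triage the thread walks through, as an added shell example (it is not code from the reporter, from CentOS or from Red Hat): take the scanner's CVE list, check which ids the installed package's changelog already names as resolved, and hand the remainder to a manual look-up on the vendor CVE pages. On a CentOS 7 host the changelog would come from `rpm -q --changelog xstream`; to run offline, the script embeds the two 2021 entries quoted in the maintainer's reply as a constructed stand-in for that output. The function names are the example's own.

```shell
#!/bin/sh
# Added example: split a scanner's CVE list by whether the package changelog
# names each id. Not from the bug report or from CentOS/Red Hat tooling.
#
# Real input on CentOS 7:  rpm -q --changelog xstream
# Constructed stand-in for that output: the two entries quoted in the thread.
CHANGELOG='* Tue Jun 08 2021 Marian Koncek <mkoncek@redhat.com> - 1.3.1-14
- Fix remote code execution vulnerability
- Resolves: CVE-2021-29505
* Tue Apr 13 2021 Marian Koncek <mkoncek@redhat.com> - 1.3.1-13
- Fix remote code execution vulnerability
- Resolves: CVE-2021-21344
- Resolves: CVE-2021-21345
- Resolves: CVE-2021-21346
- Resolves: CVE-2021-21347
- Resolves: CVE-2021-21350'

# The 32 ids the scanner reported, as listed in the thread, one per line.
REPORTED='CVE-2021-39139
CVE-2021-39140
CVE-2021-39141
CVE-2021-39144
CVE-2021-39145
CVE-2021-39146
CVE-2021-39147
CVE-2021-39148
CVE-2021-39149
CVE-2021-39150
CVE-2021-39151
CVE-2021-39152
CVE-2021-39153
CVE-2021-39154
CVE-2021-29505
CVE-2021-21341
CVE-2021-21342
CVE-2021-21343
CVE-2021-21344
CVE-2021-21345
CVE-2021-21346
CVE-2021-21347
CVE-2021-21348
CVE-2021-21349
CVE-2021-21350
CVE-2021-21351
CVE-2020-26258
CVE-2020-26259
CVE-2020-26217
CVE-2017-7957
CVE-2016-3674
CVE-2013-7285'

# cves_in_changelog CHANGELOG_TEXT
# Every CVE id mentioned anywhere in the changelog, sorted and de-duplicated.
cves_in_changelog() {
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# split_reported REPORTED_LIST CHANGELOG_TEXT match|nomatch
# Shared worker. Whole-line matching (grep -Fx) so that a prefix such as
# CVE-2021-2134 can never be mistaken for CVE-2021-21344.
split_reported() {
    patched=$(cves_in_changelog "$2")
    printf '%s\n' "$1" | sort -u | while IFS= read -r cve; do
        [ -n "$cve" ] || continue
        if printf '%s\n' "$patched" | grep -Fxq "$cve"; then
            if [ "$3" = match ]; then printf '%s\n' "$cve"; fi
        else
            if [ "$3" = nomatch ]; then printf '%s\n' "$cve"; fi
        fi
    done
}

# reported_and_patched REPORTED_LIST CHANGELOG_TEXT
# Reported ids the changelog names as resolved: the scanner is matching on the
# upstream version string and missing the backport.
reported_and_patched() { split_reported "$1" "$2" match; }

# reported_not_in_changelog REPORTED_LIST CHANGELOG_TEXT
# Reported ids the changelog never mentions. These still need a look-up at
# https://access.redhat.com/security/cve/<id>: the vendor may rate the package
# not affected (the thread cites CVE-2013-7285 as one), may have fixed it under
# another id, or may not have fixed it. Absence from the changelog proves nothing.
reported_not_in_changelog() { split_reported "$1" "$2" nomatch; }

# Stand-alone run over the embedded data.
echo "Reported CVEs named in the changelog:"
reported_and_patched "$REPORTED" "$CHANGELOG"
echo
echo "Reported CVEs not named in the changelog (check each vendor CVE page):"
reported_not_in_changelog "$REPORTED" "$CHANGELOG"
```

On a live host, replace the `CHANGELOG` literal with `CHANGELOG=$(rpm -q --changelog xstream)` and feed the scanner export into `REPORTED`; the second list is the one worth pasting into a Red Hat bug report, since the first is already covered by the backported fixes the changelog records.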