View Issue Details

ID: 0018485
Project: CentOS-7
Category: OTHER
View Status: public
Last Update: 2022-07-14 12:57
Reporter: meiravImp
Assigned To:
Priority: normal
Severity: tweak
Reproducibility: always
Status: closed
Resolution: not fixable
Product Version: 7.9.2009
Summary: 0018485: Security vulnerabilities on CentOS 7.9 rpms

Description:

Hi,

I've been using Synopsys Black Duck to scan our product, SecureSphere Database Activity Monitoring, for vulnerabilities in our third-party rpms. Our product runs on CentOS 7.9 and Black Duck has found that 42 rpms provided for this OS have vulnerabilities that Red Hat marks as important and moderate.
I've started to contact the vendors of each product behind the rpms, and each told me they've fixed these issues in later versions than what's packaged in the rpms available for CentOS 7.9. Some of these vendors include Nettle, OpenLDAP, GLib, Krb5, coreutils and more.

I'm attaching the report provided by Black Duck.

Steps To Reproduce: Use the desktop Synopsys Detect on a folder with RPMs for CentOS 7.9 downloaded from a CentOS mirror.
Tags: No tags attached.

Activities

meiravImp (reporter), 2022-07-14 12:52

ManuelWolfshant (manager), 2022-07-14 12:54, note ~0038961

CentOS is a rebuild of the sources used to create RHEL. We do not modify anything except to remove branding and logos. You will need to submit your request to Red Hat via bugzilla.redhat.com, and if/when RH accepts it and incorporates it into RHEL and releases a patched version, then CentOS will pick it up and rebuild it.
Note that RHEL7 is in maintenance Phase 2, so RH only accepts bugs seen as "important".
TrevorH (manager), 2022-07-14 12:57, note ~0038962

Please see https://access.redhat.com/security/updates/backporting/ for information on backporting of security fixes and features in CentOS and RHEL. Additionally https://access.redhat.com/solutions/2074 may also be of use.

You cannot make decisions about fixes just by looking at version numbers. Check the rpm changelog - for example, your first entry in that spreadsheet is for CVE-2017-0901 in ruby-libs:
[root@centos7 ~]# rpm -q ruby-libs --changelog | grep CVE-2017-0901
    to overwrite arbitrary files (CVE-2017-0901).
  Resolves: CVE-2017-0901

Fixed.

I am not about to check the other 637 entries in your spreadsheet but they are almost certainly the same.
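The check TrevorH describes (look for the CVE identifier in the package %changelog, because RHEL/CentOS backport fixes without bumping the upstream version) can be scripted over a whole list of packages and CVEs. The script below is an added example and not part of this issue or of any CentOS tooling; the function names, the "fixed"/"unknown" labels and the sample changelog text are constructed for illustration. It reads the changelog with `rpm -q PKG --changelog`, the same query shown in the note above, and only reports "fixed" when the CVE id appears as a whole token, so CVE-2017-0901 is not satisfied by a changelog entry for an unrelated id that merely starts with the same digits.

```shell
#!/bin/sh
# Added example (not from the issue): decide whether a CVE is addressed in an
# RPM by grepping its %changelog for the CVE id, instead of comparing the
# package's upstream version against the vendor's "fixed in" version.

# cve_status CHANGELOG_TEXT CVE_ID
#   prints "fixed"   when CVE_ID occurs as a whole token in the changelog text
#   prints "unknown" otherwise (no claim is made either way)
# Pure function: takes the changelog as text, so it runs without rpm installed.
cve_status() {
    changelog=$1
    cve=$2
    # -F literal match, -w whole word (so CVE-2017-0901 does not match
    # CVE-2017-09011), -i tolerates lower-case "cve-", -q suppresses output.
    if printf '%s\n' "$changelog" | grep -qiwF -- "$cve"; then
        echo fixed
    else
        echo unknown
    fi
}

# check_package PKG CVE_ID...
#   queries the installed package's changelog with rpm and prints
#   "PKG CVE_ID status" for each CVE. Needs rpm, i.e. a CentOS/RHEL host.
check_package() {
    pkg=$1
    shift
    if ! changelog=$(rpm -q "$pkg" --changelog 2>/dev/null); then
        echo "$pkg not-installed"
        return 1
    fi
    for cve in "$@"; do
        echo "$pkg $cve $(cve_status "$changelog" "$cve")"
    done
}

# Constructed sample changelog in the layout rpm prints, so the logic can be
# demonstrated offline. The packager name and dates are made up.
SAMPLE_CHANGELOG='* Tue Jan 01 2019 Example Packager <packager@example.invalid> - 2.0.0-2
- Fix a flaw that allowed a crafted gem
  to overwrite arbitrary files (CVE-2017-0901).
  Resolves: CVE-2017-0901
* Mon Dec 03 2018 Example Packager <packager@example.invalid> - 2.0.0-1
- initial package'

# Offline demonstration on the constructed changelog.
echo "CVE-2017-0901: $(cve_status "$SAMPLE_CHANGELOG" CVE-2017-0901)"
echo "CVE-2099-99999: $(cve_status "$SAMPLE_CHANGELOG" CVE-2099-99999)"
```

On a CentOS host, `check_package ruby-libs CVE-2017-0901` performs the same lookup TrevorH did by hand; feeding it each package/CVE pair from a scanner spreadsheet turns the spot check into a pass over the whole list. A result of "unknown" is not proof of exposure: it only means the changelog does not name that id, which also happens when a fix was recorded under a different identifier or the package is unaffected in the first place.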

Issue History

Date Modified Username Field Change
2022-07-14 12:52 meiravImp New Issue
2022-07-14 12:52 meiravImp File Added: vulnerability-status-report.xlsx
2022-07-14 12:54 ManuelWolfshant Status new => closed
2022-07-14 12:54 ManuelWolfshant Resolution open => not fixable
2022-07-14 12:54 ManuelWolfshant Note Added: 0038961
2022-07-14 12:57 TrevorH Note Added: 0038962