View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0018485 | CentOS-7 | -OTHER | public | 2022-07-14 12:52 | 2022-07-14 12:57 |
| Summary | 0018485: Security vulnerabilities on CentOS 7.9 rpms |
I’ve been using Synopsys BlackDuck to scan our product, SecureSphere Database Activity Monitoring, for vulnerabilities in our third-party rpms. Our product runs on CentOS 7.9 and BlackDuck has found that 42 rpms provided for this OS have vulnerabilities that Red Hat marks as important and moderate.
I’ve started to contact the vendors of each product behind the rpms and each told me they’ve fixed these issues in later versions than what’s packaged in the rpms available for CentOS 7.9. Some of these vendors include Nettle, OpenLDAP, Glib, Krb5, coreutils and more.
I’m attaching the report provided by BlackDuck.
| Steps To Reproduce | Use the desktop Synopsys Detect on a folder with RPMs for CentOS 7.9 downloaded from a CentOS mirror |
| Tags | No tags attached. |
vulnerability-status-report.xlsx (121,732 bytes)
Note 0038961 (ManuelWolfshant, 2022-07-14 12:54):
CentOS is a rebuild of the sources used to create RHEL. We do not modify anything except to remove branding and logos. You will need to submit your request to Redhat via bugzilla.redhat.com and if/when RH accepts it and incorporates it into RHEL and releases a patched version, then CentOS will pick it up and rebuild it.
Note that RHEL7 is in maintenance Phase 2 so RH only accepts bugs seen as "important".
Please see https://access.redhat.com/security/updates/backporting/ for information on backporting of security fixes and features in CentOS and RHEL. Additionally https://access.redhat.com/solutions/2074 may also be of use.
Note 0038962 (TrevorH, 2022-07-14 12:57):
You cannot make decisions about fixes just by looking at version numbers. Check the rpm changelog - for example, your first entry in that spreadsheet is for CVE-2017-0901 in ruby-libs:
[root@centos7 ~]# rpm -q ruby-libs --changelog | grep CVE-2017-0901
to overwrite arbitrary files (CVE-2017-0901).
I am not about to check the other 637 entries in your spreadsheet but they are almost certainly the same.
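To run that changelog check over a scanner's whole finding list rather than one row at a time, here is an added example (not from the tracker or either commenter) that reads a constructed CSV of package/CVE pairs, pulls each package's changelog with `rpm -q <pkg> --changelog`, and separates findings whose CVE is already named in the changelog from those that still need a manual look. The CSV columns, the sample changelog text and the `fetch_changelog` parameter are assumptions for illustration; the real spreadsheet's layout is not shown on this page.

```python
import csv
import io
import re
import subprocess

# Constructed sample of a version-based scanner report exported to CSV;
# the columns are an assumption, the real spreadsheet is not on this page.
SAMPLE_REPORT = """package,cve
ruby-libs,CVE-2017-0901
ruby-libs,CVE-2099-0000
"""

# Constructed changelog excerpt in the style of `rpm -q ruby-libs --changelog`.
# The backported fix is recorded here although the version string never moved.
# The last entry uses a made-up id sharing a prefix, to show the matching pitfall.
SAMPLE_CHANGELOG = {
    "ruby-libs": """* Thu Jan 01 2020 Example Maintainer <maint@example.invalid> - 2.0.0.648-35
- Prevent a malicious gem from being able
  to overwrite arbitrary files (CVE-2017-0901).
- Unrelated entry (CVE-2017-09012)
""",
}

def rpm_changelog(package):
    """Fetch the installed package's changelog with rpm (real-system path)."""
    out = subprocess.run(["rpm", "-q", package, "--changelog"],
                         capture_output=True, text=True, check=False)
    return out.stdout

def cve_in_changelog(changelog, cve):
    """True only if the CVE id appears as a whole token: CVE-2017-0901 must
    not match CVE-2017-09012, which a plain substring grep would accept."""
    pattern = r"(?<![\w-])" + re.escape(cve.upper()) + r"(?!\d)"
    return re.search(pattern, changelog.upper()) is not None

def triage(report_csv, fetch_changelog=rpm_changelog):
    """Bucket findings: 'backported' if the changelog names the CVE, otherwise
    'unverified' (absence is not proof of exposure; check the vendor CVE page)."""
    result = {"backported": [], "unverified": []}
    cache = {}  # one rpm call per package, not per finding
    for row in csv.DictReader(io.StringIO(report_csv)):
        pkg, cve = row["package"].strip(), row["cve"].strip()
        if pkg not in cache:
            cache[pkg] = fetch_changelog(pkg)
        key = "backported" if cve_in_changelog(cache[pkg], cve) else "unverified"
        result[key].append(f"{pkg}: {cve}")
    return result

if __name__ == "__main__":
    # Offline run against the constructed data; drop the lambda to use rpm.
    for bucket, items in triage(SAMPLE_REPORT, lambda p: SAMPLE_CHANGELOG.get(p, "")).items():
        print(bucket, items)
```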
| 2022-07-14 12:52 | meiravImp | New Issue |
| 2022-07-14 12:52 | meiravImp | File Added: vulnerability-status-report.xlsx |
| 2022-07-14 12:54 | ManuelWolfshant | Status | new => closed |
| 2022-07-14 12:54 | ManuelWolfshant | Resolution | open => not fixable |
| 2022-07-14 12:54 | ManuelWolfshant | Note Added: 0038961 |
| 2022-07-14 12:57 | TrevorH | Note Added: 0038962 |