Hi,
We run a CentOS 7-based (actually, CentOS 7 atomic host) image on our hardware boards. We ran a third party "security scan" that seems to look at the list of packages in the distro and check if fixes or advisories have been published for the package versions installed. I guess they have a database of CentOS / RHEL advisories and can cross check the versions there.
For a while now, the tool has been complaining that the version of docker we ship is vulnerable to CVE-2019-13139. As far as I can tell, we have a version that includes the fix, based on the Red Hat advisory: https://access.redhat.com/errata/RHBA-2019:3092 says we need docker-1.13.1-104.git4ef4b30, and we have 204.git0be3e21. We've tried to raise this with the tool vendor, but they have asked if we have "vendor documentation" for that fix being applied. My understanding is that they mean something like the centos-announce emails announcing the integration of fixes from RHEL to CentOS, with something like, for example, RHSA-2021:0617 being labeled as CESA-2021:0617; they said they couldn't find the corresponding CEBA-2019:3092. Now, I've looked in the centos-announce list archives since October 2019, when the RH advisory was published, and didn't find anything related to Docker. I saw a mention of the CVE in a CentOS bug, though (https://bugs.centos.org/view.php?id=16804).
I'm trying to work with the tool vendor to sort this out. As a developer, I think checking the code is the best way; I've found the Docker RH fork on github, which has a RHEL branch that seems to be used in both CentOS and RHEL (https://github.com/projectatomic/docker/tree/docker-1.13.1-rhel). However, probably the tool people have some kind of different process in place. So my question is: is it reasonable to expect any bugfix or security update fetched from RHEL to CentOS to come with an announcement on the centos-announce mailing list? Is there a filter for some packages? I see docker is in extras, not in CentOS-Base, maybe updates to those are not announced?
Thanks, Stefan.