On Fri, Jun 04, 2021 at 03:22:09PM +0300, Stefan Puiu wrote:
For a while now, the tool has been complaining that the version of docker we ship is vulnerable to CVE-2019-13139. As far as I can tell, we have a version that includes the fix, based on the Red Hat advisory: https://access.redhat.com/errata/RHBA-2019:3092 says we need docker-1.13.1-104.git4ef4b30, and we have 204.git0be3e21.
They don't understand that docker-1.13.1-204.git0be3e21 > docker-1.13.1-104.git4ef4b30 ?
You could point out that CentOS is a rebuild of RHEL, so any RHBAs posted for a particular version of RHEL 7 apply to the same version in CentOS 7.
I'm trying to work with the tool vendor to sort this out. As a developer, I think checking the code is the best way; I've found the Docker RH fork on github, which has a RHEL branch that seems to be used in both CentOS and RHEL (https://github.com/projectatomic/docker/tree/docker-1.13.1-rhel).
https://git.centos.org/rpms/docker/ is where the RPM SPECs, patches and related files are posted. For example, the one in Extras is:
https://git.centos.org/rpms/docker/tree/c7-extras and you can see the commit to import the 104 release here:
https://git.centos.org/rpms/docker/c/bcf506d56383fd92ea5e3516f8950c43f44079e...
You can look at the commit history for the package: https://git.centos.org/rpms/docker/commits/c7-extras
Interestingly, the r104 looks like it failed automatic debranding, and it didn't get properly debranded until Johnny Hughes manually did it in r108. But I doubt that makes any difference in your issue, although it might have changed any announcements at the time.
However, probably the tool people have some kind of different process in place. So my question is: is it reasonable to expect any bugfix or security update fetched from RHEL to CentOS to come with an announcement on the centos-announce mailing list? Is there a filter for some packages? I see docker is in extras, not in CentOS-Base, maybe updates to those are not announced?
I don't see any posts to any lists during the timeframe that it was imported and published by CentOS. I'd honestly like to know if there's any particular rules for how centos-announce posts get generated too. I imagine that now that the Stream releases precede the RHEL package releases, there might be a different set of rules?
I tried to find something in the wiki but apparently I searched too many times and it told me to not search so frequently. Google didn't show anything though.
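The version comparison at the heart of this thread (docker-1.13.1-204.git0be3e21 vs. the fixed docker-1.13.1-104.git4ef4b30 named in RHBA-2019:3092) is decided by rpm's EVR ordering, not by string or float comparison, which is where scanners typically go wrong. The following is an added example, not code from the thread or from any scanner vendor: a Python re-implementation of the rpmvercmp segment algorithm (digit runs compared numerically, letter runs compared lexically, numeric segments newer than alpha segments, `~` sorting before anything) plus an epoch:version-release wrapper, applied to the two release strings from the advisory and the installed package.

```python
import re


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm's rpmvercmp does.

    Returns 1 if a is newer, -1 if b is newer, 0 if they are equal.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything that is not alphanumeric or '~') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # '~' sorts before everything, including the end of the string
        # (so 1.0~rc1 < 1.0).
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        # One side exhausted: decided after the loop.
        if i >= len(a) or j >= len(b):
            break
        # Take a run of digits or a run of letters from each side,
        # choosing the type from whatever string a starts with.
        if a[i].isdigit():
            ma, mb, isnum = re.match(r"\d+", a[i:]), re.match(r"\d+", b[j:]), True
        else:
            ma, mb, isnum = re.match(r"[A-Za-z]+", a[i:]), re.match(r"[A-Za-z]+", b[j:]), False
        seg_a = ma.group(0)
        if mb is None:
            # Mixed types: a numeric segment is always newer than an alpha one.
            return 1 if isnum else -1
        seg_b = mb.group(0)
        i += len(seg_a)
        j += len(seg_b)
        if isnum:
            # Numeric segments compare as integers, so 204 > 104 and 10 > 9.
            if int(seg_a) != int(seg_b):
                return 1 if int(seg_a) > int(seg_b) else -1
        elif seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever side still has characters left is newer (1.0.0 > 1.0).
    return 1 if i < len(a) else -1


def parse_evr(evr: str):
    """Split '[epoch:]version[-release]' into (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    if "-" in evr:
        version, release = evr.rsplit("-", 1)
    else:
        version, release = evr, ""
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """Full rpm ordering: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = rpmvercmp(va, vb)
    if r:
        return r
    return rpmvercmp(ra, rb)


def is_fixed(installed_evr: str, fixed_in_evr: str) -> bool:
    """True when the installed package is at or above the advisory's fixed version."""
    return compare_evr(installed_evr, fixed_in_evr) >= 0


if __name__ == "__main__":
    # EVRs taken from the thread: installed build vs. the fix from RHBA-2019:3092.
    installed = "2:1.13.1-204.git0be3e21"
    fixed_in = "2:1.13.1-104.git4ef4b30"
    print(installed, "fixed:", is_fixed(installed, fixed_in))
```

Running it prints `fixed: True` for the docker build in question. The epoch `2:` in the `__main__` block is an assumption for illustration (the thread quotes the NEVRs without an epoch); the comparison result is the same with or without it, since the release segment `204` vs `104` decides it.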