On Wed, Feb 17, 2021 at 8:09 PM Naoto Kobayashi naoto.kobayashi4c@gmail.com wrote:
Dear community,
I would like to ask the following question:
- How are CVEs handled in CentOS Stream? The answer on the FAQ page (https://centos.org/distro-faq) states that security issues will be updated in CentOS Stream after they are solved in the current RHEL release. However, CentOS Stream 8 solved CVE-2020-15437 (kernel) while RHEL 8 has not (as of February 17, 2021). Does the order of security updates between RHEL and CentOS Stream depend on the situation?
There's a bit of nuance to this question in that policy states that CVEs should be fixed in RHEL before CentOS Stream. However, there are a couple of practical problems this introduces that we work around by shipping in CentOS Stream first. For example, we may do a rebase that contains a CVE fix. Everyone universally agrees we don't want Red Hat engineering CVE vulnerabilities back into CentOS Stream that may have been fixed by a rebase. In this scenario, a CVE fix may go out in Stream before a RHEL release.
There are also some scenarios around lower and moderate CVEs where we run into practical issues maintaining a "RHEL" patchset and a "CentOS Stream" patchset. In that scenario a CVE might get fixed in CentOS Stream first.
-Mike
Best regards,
Naoto Kobayashi

_______________________________________________
CentOS-devel mailing list
CentOS-devel@centos.org
https://lists.centos.org/mailman/listinfo/centos-devel