Dear community,
I would like to ask the following question:
- How are CVEs handled in CentOS Stream? The answer on the FAQ page (https://centos.org/distro-faq) states that security issues will be updated in CentOS Stream after they are solved in the current RHEL release. However, CentOS Stream 8 solved CVE-2020-15437 (kernel) while RHEL 8 has not (as of February 17, 2021).
Does the order of security updates between RHEL and CentOS Stream depend on the situation?
There's a bit of nuance to this question in that policy states that CVEs should be fixed in RHEL before CentOS Stream. However, there are a couple of practical problems this introduces that we work around by shipping in CentOS Stream first. For example, we may do a rebase that contains a CVE fix. Everyone universally agrees we don't want Red Hat engineering CVE vulnerabilities back into CentOS Stream that may have been fixed by a rebase. In this scenario, a CVE fix may go out in Stream before a RHEL release.
There are also some scenarios around lower and moderate CVEs where we run into practical issues maintaining a "RHEL" patchset and a "CentOS Stream" patchset. In that scenario a CVE might get fixed in CentOS Stream first.
-Mike
Best regards,
---
Naoto Kobayashi
CentOS-devel mailing list
CentOS-devel@centos.org
https://lists.centos.org/mailman/listinfo/centos-devel