Hi,
We run a CentOS 7-based (actually, CentOS 7 Atomic Host) image on our hardware boards. We ran a third-party "security scan" that seems to look at the list of packages in the distro and check if fixes or advisories have been published for the package versions installed. I guess they have a database of CentOS / RHEL advisories and can cross-check the versions there.
For a while now, the tool has been complaining that the version of docker we ship is vulnerable to CVE-2019-13139. As far as I can tell, we have a version that includes the fix, based on the Red Hat advisory: https://access.redhat.com/errata/RHBA-2019:3092 says we need docker-1.13.1-104.git4ef4b30, and we have 204.git0be3e21. We've tried to raise this with the tool vendor, but they have asked if we have "vendor documentation" for that fix being applied. My understanding is that they mean something like the centos-announce emails announcing the integration of fixes from RHEL to CentOS, with something like, for example, RHSA-2021:0617 being labeled as CESA-2021:0617; they said they couldn't find the corresponding CEBA-2019:3092. Now, I've looked in the centos-announce list archives since October 2019, when the RH advisory was published, and didn't find anything related to Docker. I saw a mention of the CVE in a CentOS bug, though (https://bugs.centos.org/view.php?id=16804).
I'm trying to work with the tool vendor to sort this out. As a developer, I think checking the code is the best way; I've found the Docker RH fork on github, which has a RHEL branch that seems to be used in both CentOS and RHEL (https://github.com/projectatomic/docker/tree/docker-1.13.1-rhel). However, probably the tool people have some kind of different process in place. So my question is: is it reasonable to expect any bugfix or security update fetched from RHEL to CentOS to come with an announcement on the centos-announce mailing list? Is there a filter for some packages? I see docker is in extras, not in CentOS-Base, maybe updates to those are not announced?
Thanks, Stefan.
On Fri, Jun 04, 2021 at 03:22:09PM +0300, Stefan Puiu wrote:
For a while now, the tool has been complaining that the version of docker we ship is vulnerable to CVE-2019-13139. As far as I can tell, we have a version that includes the fix, based on the Red Hat advisory: https://access.redhat.com/errata/RHBA-2019:3092 says we need docker-1.13.1-104.git4ef4b30, and we have 204.git0be3e21.
They don't understand that docker-1.13.1-204.git0be3e21 > docker-1.13.1-104.git4ef4b30 ?
You could point out that CentOS is a rebuild of RHEL so any RHBAs posted for a particular version of RHEL7 applies to the same version in CentOS 7.
I'm trying to work with the tool vendor to sort this out. As a developer, I think checking the code is the best way; I've found the Docker RH fork on github, which has a RHEL branch that seems to be used in both CentOS and RHEL (https://github.com/projectatomic/docker/tree/docker-1.13.1-rhel).
https://git.centos.org/rpms/docker/ is where the RPM SPECs, patches and related files are posted. For example, the one in Extras is:
https://git.centos.org/rpms/docker/tree/c7-extras and you can see the commit to import the 104 release here:
https://git.centos.org/rpms/docker/c/bcf506d56383fd92ea5e3516f8950c43f44079e...
You can look at the commit history for the package: https://git.centos.org/rpms/docker/commits/c7-extras
Interestingly, the r104 looks like it failed automatic debranding, and it didn't get properly debranded until Johnny Hughes manually did it in r108. But I doubt that makes any difference in your issue, although it might have changed any announcements at the time.
However, probably the tool people have some kind of different process in place. So my question is: is it reasonable to expect any bugfix or security update fetched from RHEL to CentOS to come with an announcement on the centos-announce mailing list? Is there a filter for some packages? I see docker is in extras, not in CentOS-Base, maybe updates to those are not announced?
I don't see any posts to any lists during the timeframe that it was imported and published by CentOS. I'd honestly like to know if there's any particular rules for how centos-announce posts get generated too. I imagine that now that the Stream releases precede the RHEL package releases, there might be a different set of rules?
I tried to find something in the wiki but apparently I searched too many times and it told me to not search so frequently. Google didn't show anything though.
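The comparison Jonathan is pointing at (docker-1.13.1-204.git0be3e21 being newer than docker-1.13.1-104.git4ef4b30) is exactly what rpm's own version comparison decides. The following is an added example, not code from the thread, from CentOS or from rpm: a Python port of the segment-comparison algorithm in rpm's rpmvercmp(), plus the epoch:version-release ordering rpm applies on top of it, run against the two NEVRs quoted in the thread. The ".el7.centos" suffix in the second check is an assumed illustration of a rebuild's distro tag, not a string taken from the thread; the caret ('^') operator that newer rpm supports is deliberately not implemented, since el7 rpm predates it.

```python
"""
Added example (not from the thread, not rpm's own code): a Python port of
rpm's rpmvercmp() segment comparison, plus EVR ordering, used to show why an
installed docker-1.13.1-204.git0be3e21 satisfies an advisory that names
docker-1.13.1-104.git4ef4b30 as the fixed build.
"""


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm does; returns -1, 0 or 1.

    Strings are split into runs of digits and runs of letters; every other
    character is a separator and is ignored. Numeric runs compare by value
    (leading zeros stripped), alpha runs by byte order, a numeric run beats an
    alpha run, and '~' sorts before anything, even the end of the string.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators (anything that is neither alphanumeric nor '~').
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        tilde_a = i < len(a) and a[i] == "~"
        tilde_b = j < len(b) and b[j] == "~"
        if tilde_a or tilde_b:
            # A tilde loses to everything, including end of string: 1.0~rc1 < 1.0.
            if not tilde_a:
                return 1
            if not tilde_b:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # The type of the next segment is decided by the first string.
        isnum = a[i].isdigit()
        same_kind = str.isdigit if isnum else str.isalpha
        start_a, start_b = i, j
        while i < len(a) and same_kind(a[i]):
            i += 1
        while j < len(b) and same_kind(b[j]):
            j += 1
        seg_a, seg_b = a[start_a:i], b[start_b:j]
        if seg_b == "":
            # Segment types differ: numeric beats alpha ("1" > "a", "a" < "1").
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # longer number is larger: 204 > 104, 10 > 9
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever string still has segments left is the newer one: 1.0a > 1.0.
    return -1 if i >= len(a) else 1


def parse_nevr(nevr: str):
    """Split 'name-[epoch:]version-release' into (name, epoch, version, release).

    rpm allows '-' inside the name but never inside version or release, so the
    split is done from the right.
    """
    name, version, release = nevr.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    return name, epoch, version, release


def evr_compare(evr_a, evr_b) -> int:
    """Order (epoch, version, release) tuples: epoch first, then version, then release."""
    (epoch_a, ver_a, rel_a), (epoch_b, ver_b, rel_b) = evr_a, evr_b
    if epoch_a != epoch_b:
        return 1 if epoch_a > epoch_b else -1
    result = rpmvercmp(ver_a, ver_b)
    return result if result != 0 else rpmvercmp(rel_a, rel_b)


def satisfies_advisory(installed: str, fixed: str) -> bool:
    """True when the installed NEVR is at least the NEVR the advisory names as fixed."""
    name_i, *evr_i = parse_nevr(installed)
    name_f, *evr_f = parse_nevr(fixed)
    if name_i != name_f:
        raise ValueError(f"package name mismatch: {name_i} vs {name_f}")
    return evr_compare(tuple(evr_i), tuple(evr_f)) >= 0


if __name__ == "__main__":
    FIXED = "docker-1.13.1-104.git4ef4b30"      # build named by RHBA-2019:3092 (from the thread)
    INSTALLED = "docker-1.13.1-204.git0be3e21"  # build on Stefan's boards (from the thread)
    print(INSTALLED, ">=", FIXED, "->", satisfies_advisory(INSTALLED, FIXED))
    # A rebuild that appends a distro tag to the release (".el7.centos" is an
    # assumed illustration) still compares >= the RHEL release it was built from.
    print(satisfies_advisory("docker-1.13.1-104.git4ef4b30.el7.centos",
                             "docker-1.13.1-104.git4ef4b30.el7"))
```

The only inputs a scanner needs for this decision are the package name and the two EVRs; a missing CEBA/CESA announcement does not change the answer, because the announcement is not what rpm or yum consult when deciding whether an update applies.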
Hi Jonathan,
On Fri, Jun 4, 2021 at 4:07 PM Jonathan Billings billings@negate.org wrote:
On Fri, Jun 04, 2021 at 03:22:09PM +0300, Stefan Puiu wrote:
For a while now, the tool has been complaining that the version of docker we ship is vulnerable to CVE-2019-13139. As far as I can tell, we have a version that includes the fix, based on the Red Hat advisory: https://access.redhat.com/errata/RHBA-2019:3092 says we need docker-1.13.1-104.git4ef4b30, and we have 204.git0be3e21.
They don't understand that docker-1.13.1-204.git0be3e21 > docker-1.13.1-104.git4ef4b30 ?
You could point out that CentOS is a rebuild of RHEL so any RHBAs posted for a particular version of RHEL7 applies to the same version in CentOS 7.
I pointed out both things (the newer version and CentOS being a RHEL rebuild) to them; so far it seems they weren't convinced.
I'm trying to work with the tool vendor to sort this out. As a developer, I think checking the code is the best way; I've found the Docker RH fork on github, which has a RHEL branch that seems to be used in both CentOS and RHEL (https://github.com/projectatomic/docker/tree/docker-1.13.1-rhel).
https://git.centos.org/rpms/docker/ is where the RPM SPECs, patches and related files are posted. For example, the one in Extras is:
https://git.centos.org/rpms/docker/tree/c7-extras and you can see the commit to import the 104 release here:
https://git.centos.org/rpms/docker/c/bcf506d56383fd92ea5e3516f8950c43f44079e...
You can look at the commit history for the package: https://git.centos.org/rpms/docker/commits/c7-extras
Interestingly, the r104 looks like it failed automatic debranding, and it didn't get properly debranded until Johnny Hughes manually did it in r108. But I doubt that makes any difference in your issue, although it might have changed any announcements at the time.
I had found the c7-extras branch, I should've probably mentioned that in the first place. It's there that I found the github link; see for example the SPECS/docker.spec change, there is this line:
# docker
%global git_docker https://github.com/projectatomic/docker
- %global commit_docker 7f2769b9e0572f62730d91e79e674efd59b7e234
+ %global commit_docker 4ef4b30c57f05be26c9387ef0828e86c2ed543b8
So I just went to the github link and searched for the new commit. Probably from there (or from the list of branches) I found the RHEL / CentOS branch.
However, probably the tool people have some kind of different process in place. So my question is: is it reasonable to expect any bugfix or security update fetched from RHEL to CentOS to come with an announcement on the centos-announce mailing list? Is there a filter for some packages? I see docker is in extras, not in CentOS-Base, maybe updates to those are not announced?
I don't see any posts to any lists during the timeframe that it was imported and published by CentOS. I'd honestly like to know if there's any particular rules for how centos-announce posts get generated too. I imagine that now that the Stream releases precede the RHEL package releases, there might be a different set of rules?
I tried to find something in the wiki but apparently I searched too many times and it told me to not search so frequently. Google didn't show anything though.
I've downloaded the archives of centos-announce since January 2019 and grepped for 'docker'. I only see multiple announcements for pcp, which includes a pcp-pmda-docker RPM, and a reference to Dockerhub. Nothing about docker itself.
$ zgrep -i docker 20*
2019-October.txt.gz:db0fdf9b3d888e40a29f021c3200ed40b2be8c05ea27b429783572b3b80ab1ed pcp-pmda-docker-4.3.2-3.el7_7.x86_64.rpm
2019-October.txt.gz:db0fdf9b3d888e40a29f021c3200ed40b2be8c05ea27b429783572b3b80ab1ed pcp-pmda-docker-4.3.2-3.el7_7.x86_64.rpm
[...]
2020-May.txt.gz:b6614b82c38dbe8d4de61b81d5d779de7fd13d58c341805dfdb1faa7be86538b pcp-pmda-docker-4.3.2-7.el7_8.x86_64.rpm
2021-March.txt.gz:- We are still in discussions on how to push these properly to Dockerhub.
I also think clarifying the process would help.
Thanks, Stefan.
On 6/4/21 10:17 AM, Stefan Puiu wrote:
Hi Jonathan,
On Fri, Jun 4, 2021 at 4:07 PM Jonathan Billings billings@negate.org wrote:
On Fri, Jun 04, 2021 at 03:22:09PM +0300, Stefan Puiu wrote:
For a while now, the tool has been complaining that the version of docker we ship is vulnerable to CVE-2019-13139. As far as I can tell, we have a version that includes the fix, based on the Red Hat advisory: https://access.redhat.com/errata/RHBA-2019:3092 says we need docker-1.13.1-104.git4ef4b30, and we have 204.git0be3e21.
They don't understand that docker-1.13.1-204.git0be3e21 > docker-1.13.1-104.git4ef4b30 ?
You could point out that CentOS is a rebuild of RHEL so any RHBAs posted for a particular version of RHEL7 applies to the same version in CentOS 7.
I pointed out both things (the newer version and CentOS being a RHEL rebuild) to them; so far it seems they weren't convinced.
I'm trying to work with the tool vendor to sort this out. As a developer, I think checking the code is the best way; I've found the Docker RH fork on github, which has a RHEL branch that seems to be used in both CentOS and RHEL (https://github.com/projectatomic/docker/tree/docker-1.13.1-rhel).
https://git.centos.org/rpms/docker/ is where the RPM SPECs, patches and related files are posted. For example, the one in Extras is:
https://git.centos.org/rpms/docker/tree/c7-extras and you can see the commit to import the 104 release here:
https://git.centos.org/rpms/docker/c/bcf506d56383fd92ea5e3516f8950c43f44079e...
You can look at the commit history for the package: https://git.centos.org/rpms/docker/commits/c7-extras
Interestingly, the r104 looks like it failed automatic debranding, and it didn't get properly debranded until Johnny Hughes manually did it in r108. But I doubt that makes any difference in your issue, although it might have changed any announcements at the time.
I had found the c7-extras branch, I should've probably mentioned that in the first place. It's there that I found the github link; see for example the SPECS/docker.spec change, there is this line:
# docker %global git_docker https://github.com/projectatomic/docker
- %global commit_docker 7f2769b9e0572f62730d91e79e674efd59b7e234
- %global commit_docker 4ef4b30c57f05be26c9387ef0828e86c2ed543b8
So I just went to the github link and searched for the new commit. Probably from there (or from the list of branches) I found the RHEL / CentOS branch.
However, probably the tool people have some kind of different process in place. So my question is: is it reasonable to expect any bugfix or security update fetched from RHEL to CentOS to come with an announcement on the centos-announce mailing list? Is there a filter for some packages? I see docker is in extras, not in CentOS-Base, maybe updates to those are not announced?
I don't see any posts to any lists during the timeframe that it was imported and published by CentOS. I'd honestly like to know if there's any particular rules for how centos-announce posts get generated too. I imagine that now that the Stream releases precede the RHEL package releases, there might be a different set of rules?
I tried to find something in the wiki but apparently I searched too many times and it told me to not search so frequently. Google didn't show anything though.
I've downloaded the archives of centos-announce since January 2019 and grepped for 'docker'. I only see multiple announcements for pcp, which includes a pcp-pmda-docker RPM, and a reference to Dockerhub. Nothing about docker itself.
$ zgrep -i docker 20*
2019-October.txt.gz:db0fdf9b3d888e40a29f021c3200ed40b2be8c05ea27b429783572b3b80ab1ed pcp-pmda-docker-4.3.2-3.el7_7.x86_64.rpm
2019-October.txt.gz:db0fdf9b3d888e40a29f021c3200ed40b2be8c05ea27b429783572b3b80ab1ed pcp-pmda-docker-4.3.2-3.el7_7.x86_64.rpm
[...]
2020-May.txt.gz:b6614b82c38dbe8d4de61b81d5d779de7fd13d58c341805dfdb1faa7be86538b pcp-pmda-docker-4.3.2-7.el7_8.x86_64.rpm
2021-March.txt.gz:- We are still in discussions on how to push these properly to Dockerhub.
I also think clarifying the process would help.
I build things as they get pushed to git.centos.org .. obviously some things are more important than others, and extras is less than base .. also we are going through a CentOS Linux 8 release cycle.
We do not announce Extras updates .. only actual OS updates .. on CentOS announce .. and then only for CentOS 7 Linux. So, if something resides in the os/ or updates/ repositories, and if they get announced here:
https://access.redhat.com/errata/#/
Then I announce it. Any other repos, no announcements.
I don't have anything to do with Dockerhub .. someone else will have to answer that.
Hi Johnny,
On Fri, Jun 4, 2021 at 7:12 PM Johnny Hughes johnny@centos.org wrote:
[... snip...]
I've downloaded the archives of centos-announce since January 2019 and grepped for 'docker'. I only see multiple announcements for pcp, which includes a pcp-pmda-docker RPM, and a reference to Dockerhub. Nothing about docker itself.
$ zgrep -i docker 20*
2019-October.txt.gz:db0fdf9b3d888e40a29f021c3200ed40b2be8c05ea27b429783572b3b80ab1ed pcp-pmda-docker-4.3.2-3.el7_7.x86_64.rpm
2019-October.txt.gz:db0fdf9b3d888e40a29f021c3200ed40b2be8c05ea27b429783572b3b80ab1ed pcp-pmda-docker-4.3.2-3.el7_7.x86_64.rpm
[...]
2020-May.txt.gz:b6614b82c38dbe8d4de61b81d5d779de7fd13d58c341805dfdb1faa7be86538b pcp-pmda-docker-4.3.2-7.el7_8.x86_64.rpm
2021-March.txt.gz:- We are still in discussions on how to push these properly to Dockerhub.
I also think clarifying the process would help.
I build things as they get pushed to git.centos.org .. obviously some things are more important than others, and extras is less than base .. also we are going through a CentOS Linux 8 release cycle.
We do not announce Extras updates .. only actual OS updates .. on CentOS announce .. and then only for CentOS 7 Linux. So, if something resides in the os/ or updates/ repositories, and if they get announced here:
https://access.redhat.com/errata/#/
Then I announce it. Any other repos, no announcements.
Thanks for clearing things up, that makes sense.
I don't have anything to do with Dockerhub .. someone else will have to answer that.
That's just part of an email sent to the list; I think somebody was announcing CentOS stream Docker images. No worries there.
Not sure what the more advanced way of searching the list archive is; I did a more 'manual' search with wget and zgrep.
Stefan.