Hello Red Hat Team, We are working on surfacing CVEs from customer machines to our admin portal and wanted to clarify the correct approach for CentOS Stream. Since CentOS Stream 8, 9, and 10 do not have separate CVE advisories published, is there any official or recommended way to programmatically extract security advisories or CVE data applicable to CentOS Stream - 8, 9, 10? If not, is mapping advisories from the corresponding RHEL versions the only supported method for identifying applicable CVEs?
Any guidance or documentation reference would be greatly appreciated.
Thank you!
Hi Jindal, Thanks for reaching out! For CentOS Stream 8, 9, and 10, the best approach is indeed to reference the corresponding RHEL advisories, as CentOS Stream follows RHEL closely. You can programmatically track RHEL CVEs to stay updated. Let me know if you need help with specific tools or APIs!
* lura:
Thanks for reaching out! For CentOS Stream 8, 9, and 10, the best approach is indeed to reference the corresponding RHEL advisories, as CentOS Stream follows RHEL closely. You can programmatically track RHEL CVEs to stay updated. Let me know if you need help with specific tools or APIs!
And don't forget to review that your use of Red Hat CVE data meets with the licensing terms that Red Hat publishes here:
https://www.redhat.com/en/about/terms-use
Thanks, Florian
On Mon, Aug 4, 2025 at 7:40 AM Florian Weimer via devel < devel@lists.centos.org> wrote:
- lura:
Thanks for reaching out! For CentOS Stream 8, 9, and 10, the best approach is indeed to reference the corresponding RHEL advisories, as CentOS Stream follows RHEL closely. You can programmatically track RHEL CVEs to stay updated. Let me know if you need help with specific tools or APIs!
And don't forget to review that your use of Red Hat CVE data meets with the licensing terms that Red Hat publishes here:
Yep, and the data itself is licensed CC-BY-4.0. There are also some examples of the data api: https://docs.redhat.com/en/documentation/red_hat_security_data_api/1.0/html-...
There are some implementations from others to reference, too: https://github.com/resf/distro-tools/tree/main/apollo and I think AlmaLinux has one in their build system.
--Neil
Thanks, Florian
Hi Lura, Florian, Neil,
When referencing RHEL advisories for CentOS Stream, wouldn't this occasionally result in false positives? For example:
- In some cases, CentOS Stream might already have the fix (patch applied) while the corresponding RHEL release is still vulnerable.
- Conversely, for high-severity issues, patches may reach RHEL first, leaving CentOS Stream temporarily vulnerable.
How should such cases be handled? Additionally, is there any plan to publish dedicated security advisories for CentOS Stream in the future?
Thanks, Vishnu Priya
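The approach Neil points at (consume the Red Hat Security Data API and map it onto Stream hosts) and the timing mismatch Vishnu raises both come down to the same check: compare the installed package's epoch:version-release against the RHEL fix build in RPM order, rather than trusting advisory presence alone. This is an added example, not code from the thread or from Red Hat; the cve.json field names it assumes (`CVE`, `advisories`, `affected_packages`) and the CVE/RHSA identifiers and package inventory are constructed placeholders, and it implements the librpm segment ordering itself so it runs offline.

```python
import re
from itertools import zip_longest
# Constructed sample shaped like the Red Hat Security Data API cve.json listing (field
# names are an assumption; the CVE and RHSA identifiers are placeholders, not real records).
SAMPLE_CVES = [
    {"CVE": "CVE-0000-0001", "advisories": ["RHSA-0000:0001"],
     "affected_packages": ["openssl-1:3.0.7-27.el9_3", "openssl-1:3.0.1-47.el9_1"]},
    {"CVE": "CVE-0000-0002", "advisories": ["RHSA-0000:0002"],
     "affected_packages": ["curl-0:7.76.1-29.el9_4"]},
    {"CVE": "CVE-0000-0003", "advisories": ["RHSA-0000:0003"],
     "affected_packages": ["bash-0:4.4.20-5.el8"]},
]
INSTALLED = ["openssl-1:3.0.7-28.el9", "curl-0:7.76.1-26.el9", "bash-0:5.1.8-9.el9"]  # constructed Stream 9 inventory

def rpmvercmp(a, b):
    """librpm order (caret not handled): digits beat letters, tilde is lowest, more segments is newer."""
    sa, sb = (re.findall(r"[0-9]+|[a-zA-Z]+|~", s) for s in (a, b))
    for x, y in ((x, y) for x, y in zip_longest(sa, sb, fillvalue="") if x != y):
        if "~" in (x, y):                       # tilde sorts below everything, even the end
            return -1 if x == "~" else 1
        if not x or not y:                      # otherwise the string with more segments is newer
            return 1 if x else -1
        kx, ky = ((s.isdigit(), int(s) if s.isdigit() else s) for s in (x, y))
        return (kx > ky) - (kx < ky)
    return 0

def parse_nevr(nevr):
    """'name-epoch:version-release' -> (name, major release from the dist tag, (epoch, version, release))."""
    name, ev, rel = nevr.rsplit("-", 2)
    epoch, _, ver = ev.rpartition(":")
    tag = re.search(r"\.el(\d+)", rel)
    return name, (tag.group(1) if tag else None), (int(epoch or 0), ver, rel)

def evrcmp(a, b):
    """Epoch dominates, then version, then release."""
    return (a[0] > b[0]) - (a[0] < b[0]) or rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])

def assess(installed, cves):
    """{cve: {package: 'fixed'|'vulnerable'}} for installed packages matching an affected one by name
    and major release. At or above the newest RHEL fix build is strong evidence of the fix; below is only a hint."""
    inst = {(n, m): evr for n, m, evr in map(parse_nevr, installed)}
    report = {}
    for cve in cves:
        fixes = {}
        for n, m, evr in map(parse_nevr, cve["affected_packages"]):
            if (n, m) in inst and evrcmp(evr, fixes.get((n, m), evr)) >= 0:
                fixes[(n, m)] = evr              # keep the newest RHEL fix build per package
        for key, newest in fixes.items():
            state = "fixed" if evrcmp(inst[key], newest) >= 0 else "vulnerable"
            report.setdefault(cve["CVE"], {})[key[0]] = state
    return report
```

A "vulnerable" result is where the cadence mismatch bites: a Stream build with a lower release number may already carry the backport, so it should trigger a look at the Stream package changelog rather than be reported as fact.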
On Tue, Aug 5, 2025 at 2:18 AM vjindal--- via devel devel@lists.centos.org wrote:
Is there any plan to publish dedicated security advisories for CentOS Stream in the future?
Officially, no. CentOS Stream will not officially publish security advisories. This is a question that has been asked several times (externally and internally). It has always had the same, hard answer.
Thanks for the replies. Just wanted to understand - what about the edge cases that I mentioned - is there any way to handle those, or is the only option for getting CentOS Stream security advisories to follow RHEL?
On Wed, Aug 6, 2025 at 12:00 AM vjindal--- via devel devel@lists.centos.org wrote:
Thanks for the replies. Just wanted to understand - what about the edge cases that I mentioned - is there any way to handle those, or is the only option for getting CentOS Stream security advisories to follow RHEL?
I'm not sure what you mean by the edge cases mentioned. The only thing I see is you asking about CVEs not being updated at the same time for CentOS Stream and RHEL. That's not an edge case, that's life. Even if a RHEL developer tried to release an update at the same time on both RHEL and CS, it would be very hard because they both release at different cadences.
But, I'm not really an expert on the CVE stuff, so I don't have much to contribute to the discussion. I just wanted to let you know about the official policy.