Since the announcement of the CentOS Linux 8 EOL date in December, I've noticed there has been confusion about how CVE fixes work in CentOS Stream 8. Recently there have been some CVE fixes for the libxml2 package, and I took the opportunity to examine how these fixes flowed through the Red Hat ecosystem. Here are the relevant CVE identifiers and their CVSS v3 scores.
CVE-2021-3516 - 7.8 [0] CVE-2021-3517 - 8.6 [1] CVE-2021-3518 - 8.6 [2] CVE-2021-3537 - 7.5 [3] CVE-2021-3541 - 6.5 [4]
Here is a timeline of notable events.
2021-05-07 * libxml2-2.9.10-12.fc34 [5] was submitted for Fedora 34, which included fixes for the first four CVEs.
2021-05-10 * libxml2-2.9.10-12.fc34 [5] was released for Fedora 34, fixing the first four CVEs.
2021-05-13 * All five CVE fixes were released upstream as part of version 2.9.11 [6]. * libxml2-2.9.12-1.fc34 [7] was submitted for Fedora 34, which included the fix for the fifth CVE.
2021-05-21 * libxml2-2.9.12-2.fc34 [7] was submitted for Fedora 34, which fixed an unrelated upstream regression [8], but also reset the pending update. * libxml2-2.9.7-11.el8 [9] was released for CentOS Stream 8, fixing all five CVEs. This was a backport update that was unaffected by the upstream regression in 2.9.12.
2021-05-24 * libxml2-2.9.12-2.fc34 [7] was released for Fedora 34, fixing the fifth CVE.
2021-06-29 * libxml2-2.9.7-9.el8_4.2 [10] was released for RHEL 8, fixing all five CVEs. Later that day it was rebuilt [11] and released for CentOS Linux 8. This was a backport update that was unaffected by the upstream regression in 2.9.12.
It's important to note that these CVE fixes were not part of a security embargo [12]. That is why CentOS Stream 8 was able to provide them before RHEL 8. If these fixes had been part of an embargo, they would have been released for RHEL 8 first (once the embargo was lifted), then CentOS Stream 8 and CentOS Linux 8 immediately after.
Another thing I want to point out is that libxml2-2.9.7-11.el8 and libxml2-2.9.7-9.el8_4.2 are effectively identical. They contain the exact same backported CVE fixes. The only difference is the release field. This can be verified in the exported SRPM commits [13][14]. No additional changes were made to the package source between being released for CentOS Stream 8 and being released for RHEL 8.
I hope you enjoyed this deep dive into the lifecycle of these CVE fixes. The key takeaway is that CentOS Stream 8 does get security fixes, and usually gets them much sooner than CentOS Linux 8.
[0] https://access.redhat.com/security/cve/CVE-2021-3516 [1] https://access.redhat.com/security/cve/CVE-2021-3517 [2] https://access.redhat.com/security/cve/CVE-2021-3518 [3] https://access.redhat.com/security/cve/CVE-2021-3537 [4] https://access.redhat.com/security/cve/CVE-2021-3541 [5] https://bodhi.fedoraproject.org/updates/FEDORA-2021-e3ed1ba38b [6] https://mail.gnome.org/archives/xml/2021-May/msg00000.html [7] https://bodhi.fedoraproject.org/updates/FEDORA-2021-e8b7e177a4 [8] https://gitlab.gnome.org/GNOME/libxml2/-/issues/255 [9] https://koji.mbox.centos.org/koji/buildinfo?buildID=17568 [10] https://access.redhat.com/errata/RHSA-2021:2569 [11] https://koji.mbox.centos.org/koji/buildinfo?buildID=18244 [12] https://www.redhat.com/en/blog/security-embargoes-red-hat [13] https://git.centos.org/rpms/libxml2/c/6ce3da4b1430e975a40a538aa250775e101e50... [14] https://git.centos.org/rpms/libxml2/c/bc5a009a460cda9e2392f75fff8bf6edae43ec...
On Thu, Jul 1, 2021 at 9:27 PM Carl George carl@redhat.com wrote:
Since the announcement of the CentOS Linux 8 EOL date in December, I've noticed there has been confusion about how CVE fixes work in CentOS Stream 8. Recently there have been some CVE fixes for the libxml2 package, and I took the opportunity to examine how these fixes flowed through the Red Hat ecosystem. Here are the relevant CVE identifiers and their CVSS v3 scores.
CVE-2021-3516 - 7.8 [0] CVE-2021-3517 - 8.6 [1] CVE-2021-3518 - 8.6 [2] CVE-2021-3537 - 7.5 [3] CVE-2021-3541 - 6.5 [4]
Here is a timeline of notable events.
2021-05-07
- libxml2-2.9.10-12.fc34 [5] was submitted for Fedora 34, which
included fixes for the first four CVEs.
2021-05-10
- libxml2-2.9.10-12.fc34 [5] was released for Fedora 34, fixing the
first four CVEs.
2021-05-13
- All five CVE fixes were released upstream as part of version 2.9.11 [6].
- libxml2-2.9.12-1.fc34 [7] was submitted for Fedora 34, which
included the fix for the fifth CVE.
2021-05-21
- libxml2-2.9.12-2.fc34 [7] was submitted for Fedora 34, which fixed
an unrelated upstream regression [8], but also reset the pending update.
- libxml2-2.9.7-11.el8 [9] was released for CentOS Stream 8, fixing
all five CVEs. This was a backport update that was unaffected by the upstream regression in 2.9.12.
2021-05-24
- libxml2-2.9.12-2.fc34 [7] was released for Fedora 34, fixing the fifth CVE.
2021-06-29
- libxml2-2.9.7-9.el8_4.2 [10] was released for RHEL 8, fixing all
five CVEs. Later that day it was rebuilt [11] and released for CentOS Linux 8. This was a backport update that was unaffected by the upstream regression in 2.9.12.
It's important to note that these CVE fixes were not part of a security embargo [12]. That is why CentOS Stream 8 was able to provide them before RHEL 8. If these fixes had been part of an embargo, they would have been released for RHEL 8 first (once the embargo was lifted), then CentOS Stream 8 and CentOS Linux 8 immediately after.
One small addition. They were not part of an embargo, and they were not rated as Critical or Important. Either of those cases often means a CVE will be fixed in RHEL first.
josh
Another thing I want to point out is that libxml2-2.9.7-11.el8 and libxml2-2.9.7-9.el8_4.2 are effectively identical. They contain the exact same backported CVE fixes. The only difference is the release field. This can be verified in the exported SRPM commits [13][14]. No additional changes were made to the package source between being released for CentOS Stream 8 and being released for RHEL 8.
I hope you enjoyed this deep dive into the lifecycle of these CVE fixes. The key takeaway is that CentOS Stream 8 does get security fixes, and usually gets them much sooner than CentOS Linux 8.
[0] https://access.redhat.com/security/cve/CVE-2021-3516 [1] https://access.redhat.com/security/cve/CVE-2021-3517 [2] https://access.redhat.com/security/cve/CVE-2021-3518 [3] https://access.redhat.com/security/cve/CVE-2021-3537 [4] https://access.redhat.com/security/cve/CVE-2021-3541 [5] https://bodhi.fedoraproject.org/updates/FEDORA-2021-e3ed1ba38b [6] https://mail.gnome.org/archives/xml/2021-May/msg00000.html [7] https://bodhi.fedoraproject.org/updates/FEDORA-2021-e8b7e177a4 [8] https://gitlab.gnome.org/GNOME/libxml2/-/issues/255 [9] https://koji.mbox.centos.org/koji/buildinfo?buildID=17568 [10] https://access.redhat.com/errata/RHSA-2021:2569 [11] https://koji.mbox.centos.org/koji/buildinfo?buildID=18244 [12] https://www.redhat.com/en/blog/security-embargoes-red-hat [13] https://git.centos.org/rpms/libxml2/c/6ce3da4b1430e975a40a538aa250775e101e50... [14] https://git.centos.org/rpms/libxml2/c/bc5a009a460cda9e2392f75fff8bf6edae43ec...
-- Carl George
CentOS-devel mailing list CentOS-devel@centos.org https://lists.centos.org/mailman/listinfo/centos-devel
-
Carl George -
Josh Boyer