It's being worked on. RHEL maintainers can fix things independently in different minor version branches. The fix was applied to the internal 8.4 branch while it was under embargo. It has since been released in RHEL 8.4, which allowed it to be rebuilt in CentOS Linux 8. CentOS Stream 8 is currently tracking the internal 8.5 branch, which just had the fix merged yesterday, along with many other changes, as kernel-4.18.0-326.el8. That build is going through QA now. Once completed, it will be exported to git.centos.org and rebuilt in CentOS Stream 8. This is the "inside out" process we've referred to, and we know it's not ideal. CentOS Stream 9 improves on this significantly with RHEL maintainers doing their builds directly in the CentOS project, in the public.
I'll also note this isn't something new. We've been clear that RHEL gets some security fixes first. Typically it's only 1-2 days after RHEL 8 that we'll have the corresponding fix out for CentOS Linux 8 and CentOS Stream 8. No one is happy about how much longer this particular update is taking. The Stream model brings massive changes to the RHEL workflows, so no one should be surprised that there are growing pains.
On Mon, Jul 26, 2021 at 4:02 PM Steven Rosenberg via CentOS centos@centos.org wrote:
This bug in the kernel was patched in RHEL on 7/20. Every other mainstream Linux distro patched it that day or the day after. That includes Rocky and Alma.
https://access.redhat.com/security/cve/CVE-2021-33909
It's still not patched six days later in CentOS Stream 8.
This Bugzilla entry makes it clear that when it comes to security, CentOS Stream falls behind RHEL. But this far behind?
https://bugzilla.redhat.com/show_bug.cgi?id=1975182
This doesn't make a good argument for Stream being a viable CentOS Linux replacement. _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos