This bug in the kernel was patched in RHEL on 7/20. Every other mainstream Linux distro patched it that day or the day after. That includes Rocky and Alma.
https://access.redhat.com/security/cve/CVE-2021-33909
It's still not patched six days later in CentOS Stream 8.
This Bugzilla entry makes it clear that when it comes to security, CentOS Stream falls behind RHEL. But this far behind?
https://bugzilla.redhat.com/show_bug.cgi?id=1975182
This doesn't make a good argument for Stream being a viable CentOS Linux replacement.
It's being worked on. RHEL maintainers can fix things independently in different minor version branches. The fix was applied to the internal 8.4 branch while it was under embargo. It has since been released in RHEL 8.4, which allowed it to be rebuilt in CentOS Linux 8. CentOS Stream 8 is currently tracking the internal 8.5 branch, which just had the fix merged yesterday, along with many other changes, as kernel-4.18.0-326.el8. That build is going through QA now. Once completed, it will be exported to git.centos.org and rebuilt in CentOS Stream 8. This is the "inside out" process we've referred to, and we know it's not ideal. CentOS Stream 9 improves on this significantly with RHEL maintainers doing their builds directly in the CentOS project, in the public.
I'll also note this isn't something new. We've been clear that RHEL gets some security fixes first. Typically it's only 1-2 days after RHEL 8 that we'll have the corresponding fix out for CentOS Linux 8 and CentOS Stream 8. No one is happy about how much longer this particular update is taking. The Stream model brings massive changes to the RHEL workflows, so no one should be surprised that there are growing pains.
On Mon, Jul 26, 2021 at 4:02 PM Steven Rosenberg via CentOS centos@centos.org wrote:
_______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
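As an added example (not code from this thread, from Red Hat or from the CentOS project), here is a small POSIX shell script an administrator could use to confirm that a host carries the fix Carl describes. It assumes el8-style kernel release strings such as `uname -r` prints, and the RHEL kernel changelog convention of tagging each entry with the Bugzilla id and `{CVE-...}` (as seen with `rpm -q --changelog kernel`); the changelog sample embedded below is constructed, with placeholder maintainer names and dates. Because the fix reached CentOS Linux 8 through the 8.4 branch and CentOS Stream 8 through the 8.5 branch as kernel-4.18.0-326.el8, a plain version comparison against -326 is only meaningful on Stream 8; the changelog lookup is the check that works regardless of branch.

```shell
#!/bin/sh
# Added example, not part of the CentOS thread. Two checks for whether a host's
# kernel carries the CVE-2021-33909 fix: a version comparison against the
# CentOS Stream 8 build named in the thread, and a changelog lookup by CVE id.
set -eu

# kernel_ge INSTALLED REQUIRED
# Returns 0 when INSTALLED is the same build as REQUIRED or newer. The ".elN..."
# tail (dist tag, arch) is dropped and the remaining numeric fields of
# version-release are compared left to right. This is a simplified comparison,
# not rpmvercmp, and only says something within one branch: CentOS Linux 8 got
# the fix from the 8.4 branch with a lower release number than -326, so use
# cve_fixed_in there instead.
kernel_ge() {
    a=$(printf '%s' "$1" | sed -e 's/\.el[0-9][^ ]*$//' -e 's/-/./')
    b=$(printf '%s' "$2" | sed -e 's/\.el[0-9][^ ]*$//' -e 's/-/./')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# cve_fixed_in CVE-ID  (reads changelog text on stdin)
# Prints the version-release of the newest changelog entry that references the
# CVE id, or nothing if no entry does. Assumes RHEL kernel changelog layout:
# an entry header "* <date> <maintainer> [<version-release>]" followed by
# "- <change> [<bugzilla>] {CVE-...}" lines.
cve_fixed_in() {
    awk -v cve="$1" '
        /^\* / { build = $NF; gsub(/[][]/, "", build) }
        build != "" && index($0, cve) > 0 { print build; exit }
    '
}

# Constructed changelog sample standing in for `rpm -q --changelog kernel`
# output; names and dates are placeholders, the Bugzilla id is the one from the
# thread.
SAMPLE_CHANGELOG='* Tue Jul 27 2021 Kernel Maintainer <maintainer@example.com> [4.18.0-326.el8]
- [fs] seq_file: constructed placeholder description (Example Backporter) [1975182] {CVE-2021-33909}
- [net] constructed unrelated change (Example Backporter) [1900000]

* Mon Jul 19 2021 Kernel Maintainer <maintainer@example.com> [4.18.0-325.el8]
- [mm] constructed unrelated change (Example Backporter) [1900001]'

# Demo on constructed input. On a real host use: running=$(uname -r) and
# rpm -q --changelog kernel | cve_fixed_in CVE-2021-33909
running=4.18.0-305.19.1.el8_4.x86_64
if kernel_ge "$running" 4.18.0-326.el8; then
    echo "$running is at or above 4.18.0-326.el8 (CentOS Stream 8 fixed build)"
else
    echo "$running is below 4.18.0-326.el8; it may still be fixed via another branch, check the changelog"
fi
fixed=$(printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fixed_in CVE-2021-33909)
echo "changelog says CVE-2021-33909 fixed in: ${fixed:-<not found>}"
```

The version check is deliberately strict about what it claims: a host on the 8.4 branch reports "below -326" and falls through to the changelog lookup rather than being declared unpatched.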
Thank you for the update and your candor on this.
Jul 28, 2021, 9:44 AM by carl@redhat.com:
-- Carl George
Carl summarized really well how code moves through RHEL and CentOS Stream, and we’re working on making sure we publish a build that has made it through the usual set of RHEL tests. -326 is a possible candidate here. Think about CentOS Stream as the development location for the next-minor release of RHEL. I’d like to highlight some of the general points related to this discussion:
- There are certain classes of CVE that we handle differently from normal development work: https://centos.org/distro-faq/#q4-how-will-cves-be-handled-in-centos-stream
- Since these fixes need to go into RHEL first, getting them into the development location (CentOS Stream) represents a separate set of work.
- Our intent is to get CVE fixes like this into Stream as soon as they’re available within the guidelines referenced in the FAQ.
In the past, updates have gone out quickly; we haven’t artificially held up pushes and we will not do so going forward. We don’t, though, make any forecasts or guarantees about turnaround time; this is to make sure we deliver those fixes correctly. I hope that as we continue rolling out new workflows in CentOS Stream 9, we will be able to provide more direct feedback on patch status at a source code level. Just as a reminder, you can view and participate in development happening on Gitlab: https://gitlab.com/redhat/centos-stream/
--Brian
kernel-4.18.0-326.el8 is being pushed to the mirrors now.
On Wed, Jul 28, 2021 at 2:42 PM Brian Stinson bstinson@redhat.com wrote:
Thanks to everybody involved. I did the update this morning.
Jul 28, 2021, 8:18 PM by carl@redhat.com: