Hello
Clair vulnerability scanner considers the latest version of CentOS mariadb vulnerable because of RHSA-2019:3708. It states that mariadb must be updated at least to version "10.3.17-1.module+el8.1.0+3974+90eded84". CentOS' latest version is "10.3.17-1.module_el8.1.0+257+48736ea6". Rpm/yum considers CentOS' version older than RHEL's.
% rpmdev-vercmp 3:10.3.17-1.module_el8.1.0+257+48736ea6 3:10.3.17-1.module+el8.1.0+3974+90eded84
3:10.3.17-1.module_el8.1.0+257+48736ea6 < 3:10.3.17-1.module+el8.1.0+3974+90eded84
That's why Clair considers it vulnerable. Is there any way to fix it?
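Added example (editor's code, not part of the thread or of rpm, rpmdevtools or Clair): a re-implementation of rpm's rpmvercmp() segment ordering, applied to the two EVR strings above. It shows that the `_` versus `+` separator after "module" is irrelevant to the verdict; the comparison is decided by the module build counter (257 vs 3974), which is why an EVR-based scanner ranks the CentOS rebuild below the RHEL fix version even though both carry mariadb 10.3.17-1. The caret (`^`) rule of newer rpm releases is left out; the names `rpmvercmp`, `evrcmp`, `parse_evr`, `deciding_segments` and `explain` are this example's own.

```python
"""Reimplementation of rpm's version ordering (rpmvercmp.c), for explaining
EVR-based scanner verdicts. Not rpm's own code; '^' handling is omitted."""
import re


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as rpm would order version strings a and b.

    Walk both strings, skip separators (anything non-alphanumeric except
    '~'), and compare alternating numeric and alphabetic segments.
    A '~' sorts before anything else (pre-release marker).
    """
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        while i < la and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        if (i < la and a[i] == "~") or (j < lb and b[j] == "~"):
            if not (i < la and a[i] == "~"):
                return 1
            if not (j < lb and b[j] == "~"):
                return -1
            i += 1
            j += 1
            continue
        if i >= la or j >= lb:
            break
        # Take a segment of the same kind (digits or letters) from both sides.
        if a[i].isdigit():
            ma, mb, isnum = re.match(r"[0-9]+", a[i:]), re.match(r"[0-9]+", b[j:]), True
        else:
            ma, mb, isnum = re.match(r"[A-Za-z]+", a[i:]), re.match(r"[A-Za-z]+", b[j:]), False
        sa = ma.group(0)
        sb = mb.group(0) if mb else ""
        if sb == "":
            # Segment kinds differ: a numeric segment is newer than an alphabetic one.
            return 1 if isnum else -1
        i += len(sa)
        j += len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= la and j >= lb:
        return 0
    # Whichever side still has characters left over wins.
    return -1 if i >= la else 1


def parse_evr(evr: str):
    """Split 'epoch:version-release' into (epoch, version, release); epoch defaults to '0'."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Order two EVR strings: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def deciding_segments(a: str, b: str):
    """First pair of alnum segments that differ, to show what decided a verdict."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if rpmvercmp(x, y) != 0:
            return x, y
    return None


# The two EVRs quoted in the thread: CentOS build vs the RHSA-2019:3708 fix version.
CENTOS_EVR = "3:10.3.17-1.module_el8.1.0+257+48736ea6"
RHEL_EVR = "3:10.3.17-1.module+el8.1.0+3974+90eded84"


def explain(installed: str = CENTOS_EVR, fixed: str = RHEL_EVR) -> dict:
    """Return the ordering and the release segments that decided it."""
    rel_i, rel_f = parse_evr(installed)[2], parse_evr(fixed)[2]
    return {"cmp": evrcmp(installed, fixed), "deciding": deciding_segments(rel_i, rel_f)}


if __name__ == "__main__":
    r = explain()
    print(CENTOS_EVR, "<" if r["cmp"] < 0 else ">=", RHEL_EVR)
    print("decided by release segments:", r["deciding"])
```

For a defender the useful point is in `deciding`: the verdict rests on an MBS build number that says nothing about which patches a rebuild contains, so an EVR-only scanner can neither confirm nor rule out the fix for a rebuilt distribution, and the package changelog or a source-level audit is the thing to check instead.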
On Mon, 16 Mar 2020 at 12:17, koka miptpatriot miptpatriot@gmail.com wrote:
Hello
Clair vulnerability scanner considers the latest version of CentOS mariadb vulnerable because of RHSA-2019:3708. It states that mariadb must be updated at least to version "10.3.17-1.module+el8.1.0+3974+90eded84". CentOS' latest version is "10.3.17-1.module_el8.1.0+257+48736ea6". Rpm/yum considers CentOS' version older than RHEL's.
% rpmdev-vercmp 3:10.3.17-1.module_el8.1.0+257+48736ea6 3:10.3.17-1.module+el8.1.0+3974+90eded84
3:10.3.17-1.module_el8.1.0+257+48736ea6 < 3:10.3.17-1.module+el8.1.0+3974+90eded84
That's why Clair considers it vulnerable. Is there any way to fix it?
The issue is that you cannot get equivalent versions of CentOS modules to Red Hat modules, because the MBS versioning system uses some sort of hash to tell builds apart. You also cannot compare CentOS to Red Hat Enterprise Linux packages using rpmdev-vercmp, but have to do your own auditing to see if they are equivalent.
-- skype: miptpatriot _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
So there is no way to automatically compare RHEL and CentOS rpms.
Why can't CentOS use versions like "10.3.17-1.module+el8.1.0+3974+90eded8-cento+257+48736ea"? They would both be consistent with RHEL and have all the needed hashes.
On Mon, 16 Mar 2020 at 17:37, Stephen John Smoogen smooge@gmail.com wrote:
The issue is that you cannot get equivalent versions of CentOS modules to Red Hat modules, because the MBS versioning system uses some sort of hash to tell builds apart. You also cannot compare CentOS to Red Hat Enterprise Linux packages using rpmdev-vercmp, but have to do your own auditing to see if they are equivalent.
-- Stephen J Smoogen.