Hi,
Are the default modules receiving security update?
Security tools (Tenable) want me to update PHP to 7.4 claiming 7.2.24-1.module_el8.2.0+313+b04d0a66 has several vulnerabilities per CESA-2021:4213, CESA-2022:1935.
Same with containers-common. Tenable wants 1.2.4-1.module_el8.6.0 rather than 1-23.module_el8.7.0+1106+45480ee0 even though both have the same 2022-03-16 date in the repo. (CESA-2022:1793, CESA-2022:2143).
I don't find any centos-announce email mentioning the above CESA. Are the updates for the modules published separately? Where can I find them?
Thank you in advance for your answers,
Valère Binet
On Tue, Aug 9, 2022 at 11:03 AM Valere Binet valere.binet@gmail.com wrote:
Hi,
Are the default modules receiving security update?
Generally speaking, yes.
Security tools (Tenable) want me to update PHP to 7.4 claiming 7.2.24-1.module_el8.2.0+313+b04d0a66 has several vulnerabilities per CESA-2021:4213, CESA-2022:1935.
Same with containers-common. Tenable wants 1.2.4-1.module_el8.6.0 rather than 1-23.module_el8.7.0+1106+45480ee0 even though both have the same 2022-03-16 date in the repo. (CESA-2022:1793, CESA-2022:2143).
I don't find any centos-announce email mentioning the above CESA. Are the updates for the modules published separately? Where can I find them?
CentOS does not publish CVE metadata.
If you are a RHEL customer, we have a suite of approved security scanners that understand how to use the CVE metadata published as part of RHEL. I don't know if Tenable is in that set, but often we find many scanners do not understand that most CVE fixes in CentOS Stream and RHEL are managed via backports instead of version bumps or they don't know how to handle the metadata we publish.
josh
Am 09.08.22 um 17:03 schrieb Valere Binet:
Hi,
Are the default modules receiving security update?
Security tools (Tenable) want me to update PHP to 7.4 claiming 7.2.24-1.module_el8.2.0+313+b04d0a66 has several vulnerabilities per CESA-2021:4213, CESA-2022:1935.
Same with containers-common. Tenable wants 1.2.4-1.module_el8.6.0 rather than 1-23.module_el8.7.0+1106+45480ee0 even though both have the same 2022-03-16 date in the repo. (CESA-2022:1793, CESA-2022:2143).
I don't find any centos-announce email mentioning the above CESA. Are the updates for the modules published separately? Where can I find them?
JFI: https://lists.centos.org/pipermail/centos-devel/2020-October/117840.html
If your security tool is looking for a NAME-VERSION-RELEASE of a RHEL package that is part of a module, this will always fail on a CentOS system.
-- Leon
-
Josh Boyer -
Leon Fauster -
Valere Binet