[CentOS-devel] Out of date qemu-kvm-ev packages (bug preventing it from being updated?)

Sat Nov 12 07:47:43 UTC 2016
Greg Bailey <gbailey at lxpro.com>

On 11/11/2016 11:20 PM, Peter wrote:
> On 12/11/16 10:02, Mohammed Naser wrote:
>> It seems that the latest released version of qemu-kvm-ev is
>> qemu-kvm-ev-2.3.0-31.el7_2.21.1 based on the following:
>>
>> https://cbs.centos.org/koji/packageinfo?packageID=539
>>
>> However, our systems are refusing to update to that package because
>> qemu-kvm-ev-2.3.0-31.el7.16.1 is installed.  I believe the 16.1 is
>> making it seem that it is newer than 2.21.1 (16 > 2).  As a result,
>> we're unable to update and it seems that the latest package covers 2
>> CVE's, to which this one doesn't.
> No, it sorts properly:
> $ printf '%s\n' 2.3.0-31.el7_2.21.1 2.3.0-31.el7.16.1 | sort -V
> 2.3.0-31.el7.16.1
> 2.3.0-31.el7_2.21.1
>

RPM has a pretty elaborate sorting mechanism it uses when comparing 
versions and releases, which won't always match what "sort -V" thinks.

Using the "rpmdev-vercmp" utility from the rpmdevtools package:

$ rpmdev-vercmp 0 2.3.0 31.el7.16.1 0 2.3.0 31.el7_2.21.1
0:2.3.0-31.el7.16.1 > 0:2.3.0-31.el7_2.21.1

So the installed version appears to be newer than the "el7_2" version.

Following looks to be a fairly good write up of how the version 
comparison works:

http://blog.jasonantman.com/2014/07/how-yum-and-rpm-compare-versions/

-Greg