On Wed, Feb 17, 2021 at 8:09 PM Naoto Kobayashi <naoto.kobayashi4c at gmail.com> wrote: > Dear community, > > I would like to ask a following question: > > - How are CVEs handled in CentOS Stream? The answer in faq > page (https://centos.org/distro-faq) states that security > issues will be updated in CentOS Stream after they are solved > in the current RHEL release. However, CentOS Steam 8 solved > CVE-2020-15437 (kernel) while RHEL 8 has not (as of February 17,2021). > Does the order of security updates between RHEL and CentOS Stream > depend on the situation? > > There's a bit of nuance to this question in that policy states that CVEs should be fixed in RHEL before CentOS Stream. However, there are a couple of practical problems this introduces that we work around by shipping in CentOS Stream first. For example, we may do a rebase that contains a CVE fix. Everyone universally agrees we don't want Red Hat engineering CVE vulnerabilities back into CentOS Stream that may have been fixed by a rebase. In this scenario, a CVE fix may go out in Stream before a RHEL release. There are also some scenarios around lower and moderate CVEs where we run into practical issues maintaining a "RHEL" patchset and a "CentOS Stream" patchset. In that scenario a CVE might get fixed in CentOS Stream first. -Mike > Best regards, > --- > Naoto Kobayashi > _______________________________________________ > CentOS-devel mailing list > CentOS-devel at centos.org > https://lists.centos.org/mailman/listinfo/centos-devel > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20210217/ba3e8478/attachment-0004.html>