[CentOS-devel] re CVE errata in CentOS Stream

Thu Feb 18 03:01:55 UTC 2021
Mike McGrath <mmcgrath at redhat.com>

On Wed, Feb 17, 2021 at 8:09 PM Naoto Kobayashi <naoto.kobayashi4c at gmail.com>
wrote:

> Dear community,
>
> I would like to ask the following question:
>
> - How are CVEs handled in CentOS Stream? The answer in the FAQ
>   page (https://centos.org/distro-faq) states that security
>   issues will be updated in CentOS Stream after they are solved
>   in the current RHEL release. However, CentOS Stream 8 solved
>   CVE-2020-15437 (kernel) while RHEL 8 has not (as of February 17, 2021).
>   Does the order of security updates between RHEL and CentOS Stream
>   depend on the situation?
>
There's a bit of nuance to this question in that policy states that CVEs
should be fixed in RHEL before CentOS Stream.  However, there are a couple
of practical problems this introduces that we work around by shipping in
CentOS Stream first.  For example, we may do a rebase that contains a CVE
fix.  Everyone universally agrees we don't want Red Hat engineering CVE
vulnerabilities back into CentOS Stream that may have been fixed by a
rebase.  In this scenario, a CVE fix may go out in Stream before a RHEL
release.

There are also some scenarios around lower and moderate CVEs where we run
into practical issues maintaining a "RHEL" patchset and a "CentOS Stream"
patchset.  In that scenario a CVE might get fixed in CentOS Stream first.

        -Mike


> Best regards,
> ---
> Naoto Kobayashi