On Thu, Jul 1, 2021 at 9:27 PM Carl George <carl at redhat.com> wrote:
>
> Since the announcement of the CentOS Linux 8 EOL date in December,
> I've noticed there has been confusion about how CVE fixes work in
> CentOS Stream 8. Recently there have been some CVE fixes for the
> libxml2 package, and I took the opportunity to examine how these fixes
> flowed through the Red Hat ecosystem. Here are the relevant CVE
> identifiers and their CVSS v3 scores.
>
> CVE-2021-3516 - 7.8 [0]
> CVE-2021-3517 - 8.6 [1]
> CVE-2021-3518 - 8.6 [2]
> CVE-2021-3537 - 7.5 [3]
> CVE-2021-3541 - 6.5 [4]
>
> Here is a timeline of notable events.
>
> 2021-05-07
> * libxml2-2.9.10-12.fc34 [5] was submitted for Fedora 34, which
> included fixes for the first four CVEs.
>
> 2021-05-10
> * libxml2-2.9.10-12.fc34 [5] was released for Fedora 34, fixing the
> first four CVEs.
>
> 2021-05-13
> * All five CVE fixes were released upstream as part of version 2.9.11 [6].
> * libxml2-2.9.12-1.fc34 [7] was submitted for Fedora 34, which
> included the fix for the fifth CVE.
>
> 2021-05-21
> * libxml2-2.9.12-2.fc34 [7] was submitted for Fedora 34, which fixed
> an unrelated upstream regression [8], but also reset the pending
> update.
> * libxml2-2.9.7-11.el8 [9] was released for CentOS Stream 8, fixing
> all five CVEs. This was a backport update that was unaffected by the
> upstream regression in 2.9.12.
>
> 2021-05-24
> * libxml2-2.9.12-2.fc34 [7] was released for Fedora 34, fixing the fifth CVE.
>
> 2021-06-29
> * libxml2-2.9.7-9.el8_4.2 [10] was released for RHEL 8, fixing all
> five CVEs. Later that day it was rebuilt [11] and released for CentOS
> Linux 8. This was a backport update that was unaffected by the
> upstream regression in 2.9.12.
>
>
> It's important to note that these CVE fixes were not part of a
> security embargo [12]. That is why CentOS Stream 8 was able to
> provide them before RHEL 8. If these fixes had been part of an
> embargo, they would have been released for RHEL 8 first (once the
> embargo was lifted), then CentOS Stream 8 and CentOS Linux 8
> immediately after.

One small addition. They were not part of an embargo, and they were not
rated as Critical or Important. Either of those cases often means a CVE
will be fixed in RHEL first.

josh

> Another thing I want to point out is that libxml2-2.9.7-11.el8 and
> libxml2-2.9.7-9.el8_4.2 are effectively identical. They contain the
> exact same backported CVE fixes. The only difference is the release
> field. This can be verified in the exported SRPM commits [13][14].
> No additional changes were made to the package source between being
> released for CentOS Stream 8 and being released for RHEL 8.
>
> I hope you enjoyed this deep dive into the lifecycle of these CVE
> fixes. The key takeaway is that CentOS Stream 8 does get security
> fixes, and usually gets them much sooner than CentOS Linux 8.
>
>
> [0] https://access.redhat.com/security/cve/CVE-2021-3516
> [1] https://access.redhat.com/security/cve/CVE-2021-3517
> [2] https://access.redhat.com/security/cve/CVE-2021-3518
> [3] https://access.redhat.com/security/cve/CVE-2021-3537
> [4] https://access.redhat.com/security/cve/CVE-2021-3541
> [5] https://bodhi.fedoraproject.org/updates/FEDORA-2021-e3ed1ba38b
> [6] https://mail.gnome.org/archives/xml/2021-May/msg00000.html
> [7] https://bodhi.fedoraproject.org/updates/FEDORA-2021-e8b7e177a4
> [8] https://gitlab.gnome.org/GNOME/libxml2/-/issues/255
> [9] https://koji.mbox.centos.org/koji/buildinfo?buildID=17568
> [10] https://access.redhat.com/errata/RHSA-2021:2569
> [11] https://koji.mbox.centos.org/koji/buildinfo?buildID=18244
> [12] https://www.redhat.com/en/blog/security-embargoes-red-hat
> [13] https://git.centos.org/rpms/libxml2/c/6ce3da4b1430e975a40a538aa250775e101e500b?branch=c8s
> [14] https://git.centos.org/rpms/libxml2/c/bc5a009a460cda9e2392f75fff8bf6edae43ec3d?branch=c8
>
> --
> Carl George
>
> _______________________________________________
> CentOS-devel mailing list
> CentOS-devel at centos.org
> https://lists.centos.org/mailman/listinfo/centos-devel
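A check a packager can run on the two exported spec files to confirm the claim above, that the c8s and c8 builds carry the same backported fixes and differ only in the Release field. This is an added example, not part of the thread or of the CentOS/RHEL packaging tooling; the spec fragments, patch file names and changelog author are constructed, only the package NVRs and CVE ids come from the message.

```python
import re

# Constructed spec fragments for illustration only: not the real libxml2 spec
# files. Patch file names are made up; the CVE ids are the ones in the thread.
SPEC_STREAM = """\
Name:    libxml2
Version: 2.9.7
Release: 11%{?dist}
Patch20: libxml2-2.9.7-CVE-2021-3516.patch
Patch21: libxml2-2.9.7-CVE-2021-3517.patch
Patch22: libxml2-2.9.7-CVE-2021-3518.patch
Patch23: libxml2-2.9.7-CVE-2021-3537.patch
Patch24: libxml2-2.9.7-CVE-2021-3541.patch
%changelog
* Fri May 21 2021 Maintainer <maint@example.invalid> - 2.9.7-11
- Fix CVE-2021-3516 CVE-2021-3517 CVE-2021-3518 CVE-2021-3537 CVE-2021-3541
"""
# Same fixes, only the Release field changed for the RHEL branch build.
SPEC_RHEL = (SPEC_STREAM.replace("Release: 11%{?dist}", "Release: 9%{?dist}.2")
                        .replace("- 2.9.7-11", "- 2.9.7-9.2"))
# A deliberately incomplete variant: the fifth CVE was never backported.
SPEC_PARTIAL = (SPEC_STREAM
                .replace("Patch24: libxml2-2.9.7-CVE-2021-3541.patch\n", "")
                .replace(" CVE-2021-3541", ""))

def spec_fingerprint(spec):
    """What decides 'same backported fixes': Name/Version/Release tags,
    the ordered Patch sources, and the CVE ids named in %changelog."""
    tags = dict(re.findall(r"^(Name|Version|Release):\s*(\S+)", spec, re.M))
    patches = re.findall(r"^Patch\d+:\s*(\S+)", spec, re.M)
    cves = set(re.findall(r"CVE-\d{4}-\d{4,}", spec.partition("%changelog")[2]))
    return tags, patches, cves

def compare_specs(a, b):
    """Report whether two specs carry identical fixes and differ only in Release."""
    ta, pa, ca = spec_fingerprint(a)
    tb, pb, cb = spec_fingerprint(b)
    return {
        "same_base": (ta.get("Name"), ta.get("Version")) == (tb.get("Name"), tb.get("Version")),
        "same_patches": pa == pb,
        "same_cves": ca == cb,
        "release_differs": ta.get("Release") != tb.get("Release"),
        "cves_only_in_a": sorted(ca - cb),
        "cves_only_in_b": sorted(cb - ca),
    }

if __name__ == "__main__":
    for label, other in (("rhel", SPEC_RHEL), ("partial", SPEC_PARTIAL)):
        print(label, compare_specs(SPEC_STREAM, other))
```

Against real exported SRPM commits you would feed the two spec files' contents in place of the constructed strings; a non-empty `cves_only_in_*` list or a patch-list mismatch is the signal that the two builds are not the same backport.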