[CentOS-devel] docker, CVE-2019-13139 and announcements for updates in extras

Fri Jun 4 12:22:09 UTC 2021
Stefan Puiu <stefan.puiu at gmail.com>


We run a CentOS 7-based (actually, CentOS 7 atomic host) image on our
hardware boards. We ran a third party "security scan" that seems to
look at the list of packages in the distro and check if fixes or
advisories have been published for the package versions installed. I
guess they have a database of CentOS / RHEL advisories and can cross
check the versions there.

For a while now, the tool has been complaining that the version of
docker we ship is vulnerable to CVE-2019-13139. As far as I can tell,
we have a version that includes the fix, based on the Red Hat
advisory: https://access.redhat.com/errata/RHBA-2019:3092 says we need
docker-1.13.1-104.git4ef4b30, and we have 204.git0be3e21. We've tried
to raise this with the tool vendor, but they have asked if we have
"vendor documentation" for that fix being applied. My understanding is
that they mean something like the centos-announce emails announcing
the integration of fixes from RHEL to CentOS, with something like, for
example, RHSA-2021:0617 being labeled as CESA-2021:0617; they said
they couldn't find the corresponding CEBA-2019:3092. Now, I've looked
in the centos-announce list archives since October 2019, when the RH
advisory was published, and didn't find anything related to Docker. I
saw a mention of the CVE in a CentOS bug, though

I'm trying to work with the tool vendor to sort this out. As a
developer, I think checking the code is the best way; I've found the
Docker RH fork on github, which has a RHEL branch that seems to be
used in both CentOS and RHEL
However, probably the tool people have some kind of different process
in place. So my question is: is it reasonable to expect any bugfix or
security update fetched from RHEL to CentOS to come with an
announcement on the centos-announce mailing list? Is there a filter
for some packages? I see docker is in extras, not in CentOS-Base,
maybe updates to those are not announced?