[CentOS-devel] docker, CVE-2019-13139 and announcements for updates in extras

Fri Jun 4 13:06:55 UTC 2021
Jonathan Billings <billings at negate.org>

On Fri, Jun 04, 2021 at 03:22:09PM +0300, Stefan Puiu wrote:
> For a while now, the tool has been complaining that the version of
> docker we ship is vulnerable to CVE-2019-13139. As far as I can tell,
> we have a version that includes the fix, based on the Red Hat
> advisory: https://access.redhat.com/errata/RHBA-2019:3092 says we need
> docker-1.13.1-104.git4ef4b30, and we have 204.git0be3e21.

They don't understand that
docker-1.13.1-204.git0be3e21 > docker-1.13.1-104.git4ef4b30 ?

You could point out that CentOS is a rebuild of RHEL so any RHBAs
posted for a particular version of RHEL7 applies to the same version
in CentOS 7.  

> I'm trying to work with the tool vendor to sort this out. As a
> developer, I think checking the code is the best way; I've found the
> Docker RH fork on github, which has a RHEL branch that seems to be
> used in both CentOS and RHEL
> (https://github.com/projectatomic/docker/tree/docker-1.13.1-rhel).

https://git.centos.org/rpms/docker/ is where the RPM SPECs, patches
and related files are posted.  For example, the one in Extras is:

https://git.centos.org/rpms/docker/tree/c7-extras and you can see the
commit to import the 104 release here:

https://git.centos.org/rpms/docker/c/bcf506d56383fd92ea5e3516f8950c43f44079eb?branch=c7-extras

You can look at the commit history for the package:
https://git.centos.org/rpms/docker/commits/c7-extras

Interestingly, the r104 looks like it failed automatic debranding, and
it didn't get properly debranded until Johnny Hughes manually did it
in r108.  But I doubt that makes any difference in your issue,
although it might have changed any announcements at the time.

> However, probably the tool people have some kind of different process
> in place. So my question is: is it reasonable to expect any bugfix or
> security update fetched from RHEL to CentOS to come with an
> announcement on the centos-announce mailing list? Is there a filter
> for some packages? I see docker is in extras, not in CentOS-Base,
> maybe updates to those are not announced?

I don't see any posts to any lists during the timeframe that it was
imported and published by CentOS.  I'd honestly like to know if
there's any particular rules for how centos-announce posts get
generated too.  I imagine that now that the Stream releases precede
the RHEL package releases, there might be a different set of rules? 

I tried to find something in the wiki but apparently I searched too
many times and it told me to not search so frequently.  Google didn't
show anything though.

-- 
Jonathan Billings <billings at negate.org>