On Fri, Jun 04, 2021 at 03:22:09PM +0300, Stefan Puiu wrote:
> For a while now, the tool has been complaining that the version of
> docker we ship is vulnerable to CVE-2019-13139. As far as I can tell,
> we have a version that includes the fix, based on the Red Hat
> advisory: https://access.redhat.com/errata/RHBA-2019:3092 says we need
> docker-1.13.1-104.git4ef4b30, and we have 204.git0be3e21.

They don't understand that docker-1.13.1-204.git0be3e21 >
docker-1.13.1-104.git4ef4b30 ?

You could point out that CentOS is a rebuild of RHEL, so any RHBAs
posted for a particular version of RHEL7 apply to the same version in
CentOS 7.

> I'm trying to work with the tool vendor to sort this out. As a
> developer, I think checking the code is the best way; I've found the
> Docker RH fork on github, which has a RHEL branch that seems to be
> used in both CentOS and RHEL
> (https://github.com/projectatomic/docker/tree/docker-1.13.1-rhel).

https://git.centos.org/rpms/docker/ is where the RPM SPECs, patches and
related files are posted. For example, the one in Extras is:

https://git.centos.org/rpms/docker/tree/c7-extras

and you can see the commit to import the 104 release here:

https://git.centos.org/rpms/docker/c/bcf506d56383fd92ea5e3516f8950c43f44079eb?branch=c7-extras

You can look at the commit history for the package:

https://git.centos.org/rpms/docker/commits/c7-extras

Interestingly, the r104 looks like it failed automatic debranding, and
it didn't get properly debranded until Johnny Hughes manually did it in
r108. But I doubt that makes any difference in your issue, although it
might have changed any announcements at the time.

> However, probably the tool people have some kind of different process
> in place. So my question is: is it reasonable to expect any bugfix or
> security update fetched from RHEL to CentOS to come with an
> announcement on the centos-announce mailing list? Is there a filter
> for some packages? I see docker is in extras, not in CentOS-Base,
> maybe updates to those are not announced?

I don't see any posts to any lists during the timeframe that it was
imported and published by CentOS. I'd honestly like to know if there
are any particular rules for how centos-announce posts get generated
too. I imagine that now that the Stream releases precede the RHEL
package releases, there might be a different set of rules?

I tried to find something in the wiki but apparently I searched too
many times and it told me to not search so frequently. Google didn't
show anything though.

-- 
Jonathan Billings <billings at negate.org>
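The disagreement in the thread comes down to how the two build strings are compared. The following Python is an added example, not part of this thread and not CentOS, Red Hat or rpm project code: it re-implements the segment-by-segment comparison that rpm's rpmvercmp() performs (numeric segments numerically, letters lexically, '~' as a pre-release marker, '^' as a post-release marker) and applies it to the two builds named above, so a scanner result can be checked against the advisory's fixed NEVR. The function names (rpmvercmp, parse_nevr, evr_cmp, has_fix) are my own; the two NEVRs are the ones from the message, and the extra "1.10" vs "1.9" pair is constructed to show where a plain string comparison goes wrong.

```python
import re


def _strip_separators(s: str) -> str:
    """Drop leading characters that are neither ASCII alphanumerics nor '~'/'^'."""
    i = 0
    while i < len(s) and not (s[i].isascii() and s[i].isalnum()) and s[i] not in '~^':
        i += 1
    return s[i:]


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings like rpm's rpmvercmp().

    Returns 1 if a is newer, -1 if b is newer, 0 if equivalent.
    """
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        one, two = _strip_separators(one), _strip_separators(two)
        # Tilde: the side carrying '~' is older, unless both carry it.
        if one.startswith('~') or two.startswith('~'):
            if not one.startswith('~'):
                return 1
            if not two.startswith('~'):
                return -1
            one, two = one[1:], two[1:]
            continue
        # Caret: like tilde, except that end-of-string sorts before '^'.
        if one.startswith('^') or two.startswith('^'):
            if not one:
                return -1
            if not two:
                return 1
            if not one.startswith('^'):
                return 1
            if not two.startswith('^'):
                return -1
            one, two = one[1:], two[1:]
            continue
        if not (one and two):
            break
        # Take the next run of digits (or of letters) from both sides.
        isnum = one[0].isdigit()
        pattern = r'[0-9]+' if isnum else r'[A-Za-z]+'
        seg1 = re.match(pattern, one).group(0)
        m2 = re.match(pattern, two)
        seg2 = m2.group(0) if m2 else ''
        one, two = one[len(seg1):], two[len(seg2):]
        if not seg2:
            # Mismatched segment kinds: a numeric segment counts as newer.
            return 1 if isnum else -1
        if isnum:
            seg1, seg2 = seg1.lstrip('0'), seg2.lstrip('0')
            if len(seg1) != len(seg2):
                return 1 if len(seg1) > len(seg2) else -1
        if seg1 != seg2:
            return 1 if seg1 > seg2 else -1
    if not one and not two:
        return 0
    return -1 if not one else 1


def parse_nevr(nevr: str):
    """Split 'name-[epoch:]version-release' into (name, epoch, version, release)."""
    name, version, release = nevr.rsplit('-', 2)
    epoch = 0
    if ':' in version:
        e, version = version.split(':', 1)
        epoch = int(e)
    return name, epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two builds of the same package: epoch, then version, then release."""
    n1, e1, v1, r1 = parse_nevr(a)
    n2, e2, v2, r2 = parse_nevr(b)
    if n1 != n2:
        raise ValueError(f'different packages: {n1} vs {n2}')
    if e1 != e2:
        return 1 if e1 > e2 else -1
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def has_fix(installed: str, fixed_in: str) -> bool:
    """True when the installed build is the advisory's fixed build or newer."""
    return evr_cmp(installed, fixed_in) >= 0


if __name__ == '__main__':
    # NEVRs from the thread: what RHBA-2019:3092 requires, and what is installed.
    FIXED = 'docker-1.13.1-104.git4ef4b30'
    INSTALLED = 'docker-1.13.1-204.git0be3e21'
    print(f'{INSTALLED} includes the fix from {FIXED}: {has_fix(INSTALLED, FIXED)}')
    # Constructed pair: string comparison calls 1.9 newer, rpm calls 1.10 newer.
    print('"1.10" > "1.9" as strings:', '1.10' > '1.9', '; rpmvercmp:', rpmvercmp('1.10', '1.9'))
```

The point this makes for the scanner question: the upstream version (1.13.1) is identical on both sides, so a tool that keys its verdict on the upstream version alone cannot see a backported fix; the distribution release field is where the advisory's fixed build is recorded, and it has to be compared with rpm's rules rather than as a plain string.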