So there is no way to automatically compare RHEL and CentOS rpms. Why can't CentOS use versions like "10.3.17-1.module+el8.1.0+3974+90eded8-cento+257+48736ea"? They would be both consistent with RHEL and have all the needed hashes.

Mon, 16 Mar 2020 at 17:37, Stephen John Smoogen <smooge at gmail.com>:

> On Mon, 16 Mar 2020 at 12:17, koka miptpatriot <miptpatriot at gmail.com> wrote:
>
> > Hello
> >
> > Clair vulnerability scanner considers the latest version of CentOS mariadb
> > vulnerable, because of RHSA-2019:3708
> > It states that mariadb must be updated at least to the version
> > "10.3.17-1.module+el8.1.0+3974+90eded84". CentOS' last version is
> > "10.3.17-1.module_el8.1.0+257+48736ea6". Rpm/yum considers CentOS' version
> > older than RHEL's.
> >
> > % rpmdev-vercmp 3:10.3.17-1.module_el8.1.0+257+48736ea6 3:10.3.17-1.module+el8.1.0+3974+90eded84
> > 3:10.3.17-1.module_el8.1.0+257+48736ea6 < 3:10.3.17-1.module+el8.1.0+3974+90eded84
> >
> > That's why Clair considers it vulnerable. Is there any way to fix it?
>
> The issue is that you can not get equivalent versions of CentOS modules to
> Red Hat modules because the MBS versioning system uses some sort of hash to
> separate builds apart. You also can not compare CentOS to Red Hat
> Enterprise Linux packages using rpmdev-vercmp but have to do your own
> auditing to see if they are equivalent.
>
> > --
> > skype: miptpatriot
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > https://lists.centos.org/mailman/listinfo/centos
>
> --
> Stephen J Smoogen.

--
skype: miptpatriot
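
The comparison discussed in this thread, as an added example that is not from either poster or from Clair: a simplified Python port of rpm's segment comparison (no `~` or `^` handling). It shows that `_` and `+` are both ignored as separators, so the "older" verdict comes from the module build counter (257 vs 3974). The helpers `strip_module_suffix` and `classify` are hypothetical; treating everything from `.module` onward as build metadata is an assumption, so a match is only routed to manual audit, never treated as proof of equivalence.

```python
import re

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm segment comparison: returns -1, 0 or 1."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)   # separators such as . _ + are dropped
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)             # numeric segments compare as integers
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def split_evr(evr: str):
    """Split 'epoch:version-release' (epoch optional, defaults to 0)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evrcmp(a: str, b: str) -> int:
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def strip_module_suffix(evr: str) -> str:
    # Assumption: '.module+...' / '.module_...' is build-system metadata only.
    return re.split(r"\.module[+_]", evr, maxsplit=1)[0]

def classify(installed: str, fixed_in: str) -> str:
    if evrcmp(installed, fixed_in) >= 0:
        return "not-affected"
    if evrcmp(strip_module_suffix(installed), strip_module_suffix(fixed_in)) >= 0:
        return "audit-manually"   # older only by the module build suffix
    return "affected"

# Version strings quoted in the thread above.
CENTOS = "3:10.3.17-1.module_el8.1.0+257+48736ea6"
RHEL_FIXED = "3:10.3.17-1.module+el8.1.0+3974+90eded84"

if __name__ == "__main__":
    print(evrcmp(CENTOS, RHEL_FIXED), classify(CENTOS, RHEL_FIXED))
```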