[CentOS] It's been six days since CVE-2021-33909 was patched in RHEL, what's the holdup for Stream 8?

Wed Jul 28 17:49:06 UTC 2021
Steven Rosenberg <steven at passthejoe.net>

Thank you for the update and your candor on this.

Jul 28, 2021, 9:44 AM by carl at redhat.com:

> It's being worked on.  RHEL maintainers can fix things independently
> in different minor version branches.  The fix was applied to the
> internal 8.4 branch while it was under embargo.  It has since been
> released in RHEL 8.4, which allowed it to be rebuilt in CentOS Linux
> 8.  CentOS Stream 8 is currently tracking the internal 8.5 branch,
> which just had the fix merged yesterday, along with many other
> changes, as kernel-4.18.0-326.el8.  That build is going through QA
> now.  Once completed, it will be exported to git.centos.org and
> rebuilt in CentOS Stream 8.  This is the "inside out" process we've
> referred to, and we know it's not ideal.  CentOS Stream 9 improves on
> this significantly with RHEL maintainers doing their builds directly
> in the CentOS project, in the public.
>
> I'll also note this isn't something new.  We've been clear that RHEL
> gets some security fixes first.  Typically it's only 1-2 days after
> RHEL 8 that we'll have the corresponding fix out for CentOS Linux 8
> and CentOS Stream 8.  No one is happy about how much longer this
> particular update is taking.  The Stream model brings massive changes
> to the RHEL workflows, so no one should be surprised that there are
> growing pains.
>
> On Mon, Jul 26, 2021 at 4:02 PM Steven Rosenberg via CentOS
> <centos at centos.org> wrote:
>
>>
>> This bug in the kernel was patched in RHEL on 7/20. Every other mainstream Linux distro patched it that day or the day after. That includes Rocky and Alma.
>>
>> https://access.redhat.com/security/cve/CVE-2021-33909
>>
>> It's still not patched six days later in CentOS Stream 8.
>>
>> This Bugzilla entry makes it clear that when it comes to security, CentOS Stream falls behind RHEL. But this far behind?
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1975182
>>
>> This doesn't make a good argument for Stream being a viable CentOS Linux replacement.
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> https://lists.centos.org/mailman/listinfo/centos
>>
>
>
> -- 
> Carl George
>