On Tue, Aug 9, 2022 at 11:03 AM Valere Binet <valere.binet at gmail.com> wrote: > > Hi, > > Are the default modules receiving security update? Generally speaking, yes. > Security tools (Tenable) want me to update PHP to 7.4 claiming > 7.2.24-1.module_el8.2.0+313+b04d0a66 has several vulnerabilities per > CESA-2021:4213, CESA-2022:1935. > > Same with containers-common. Tenable wants 1.2.4-1.module_el8.6.0 rather > than 1-23.module_el8.7.0+1106+45480ee0 even though both have the same > 2022-03-16 date in the repo. (CESA-2022:1793, CESA-2022:2143). > > I don't find any centos-announce email mentioning the above CESA. Are the > updates for the modules published separately? Where can I find them? CentOS does not publish CVE metadata. If you are a RHEL customer, we have a suite of approved security scanners that understand how to use the CVE metadata published as part of RHEL. I don't know if Tenable is in that set, but often we find many scanners do not understand that most CVE fixes in CentOS Stream and RHEL are managed via backports instead of version bumps or they don't know how to handle the metadata we publish. josh