It’s Been Six Days Since CVE-2021-33909 Was Patched In RHEL, What’s The Holdup For Stream 8?


This bug in the kernel was patched in RHEL on 7/20. Every other mainstream Linux distro patched it that day or the day after. That includes Rocky and Alma.

https://access.redhat.com/security/cve/CVE-2021-33909

It’s still not patched six days later in CentOS Stream 8.

This Bugzilla entry makes it clear that when it comes to security, CentOS Stream falls behind RHEL. But this far behind?

https://bugzilla.redhat.com/show_bug.cgi?id75182

This doesn’t make a good argument for Stream being a viable CentOS Linux replacement.

5 thoughts on - It’s Been Six Days Since CVE-2021-33909 Was Patched In RHEL, What’s The Holdup For Stream 8?

  • It’s being worked on. RHEL maintainers can fix things independently in different minor version branches. The fix was applied to the internal 8.4 branch while it was under embargo. It has since been released in RHEL 8.4, which allowed it to be rebuilt in CentOS Linux 8. CentOS Stream 8 is currently tracking the internal 8.5 branch, which just had the fix merged yesterday, along with many other changes, as kernel-4.18.0-326.el8. That build is going through QA now.

  • Carl summarized really well how code moves through RHEL and CentOS Stream, and we’re working on making sure we publish a build that has made it through the usual set of RHEL tests. -326 is a possible candidate here. Think about CentOS Stream as the development location for the next minor release of RHEL. I’d like to highlight some of the general points related to this discussion:
    – There are certain classes of CVE that we handle differently from normal development work:
    https://CentOS.org/distro-faq/#q4-how-will-cves-be-handled-in-CentOS-stream
    – Since these fixes need to go into RHEL first, getting them into the development location (CentOS Stream) represents a separate set of work.
    – Our intent is to get CVE fixes like this into Stream as soon as they’re available, within the guidelines referenced in the FAQ.
    In the past, updates have gone out quickly; we haven’t artificially held up pushes and we will not do so going forward. We don’t, though, make any forecasts or guarantees about turnaround time; this is to make sure we deliver those fixes correctly.
    I hope that as we continue rolling out new workflows in CentOS Stream 9, we will be able to provide more direct feedback on patch status at a source code level. Just as a reminder, you can view and participate in development happening on GitLab:
    https://gitlab.com/redhat/CentOS-stream/
    –Brian
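Both replies identify the fix by a kernel build name rather than by a date, so the practical question for a Stream 8 host is whether its running kernel is at or past that build. The script below is an added example written for this page; it is not from the thread and not Red Hat or CentOS tooling. It compares two kernel release strings segment by segment using a simplified form of rpm's version comparison: numeric segments compare numerically, a numeric segment outranks an alphabetic one, and once one string runs out of segments the longer one is newer (epoch and `~`/`^` handling are left out, which is fine for el8 kernel releases). The target `4.18.0-326.el8` is used only because the comments name it as the QA candidate; the page does not confirm it as the released fix, so treat it as an assumption and substitute the release from the advisory you are tracking.

```shell
#!/bin/sh
# Added example, not from the thread: compare a kernel release string (as
# printed by `uname -r` or `rpm -q kernel-core`) against a target build.
# Simplified rpmvercmp: segments are split on '.', '-' and '_'; numeric
# segments compare numerically; a numeric segment outranks an alphabetic one;
# when one string runs out of segments, the longer one is newer. Epoch and
# '~'/'^' handling are omitted, which is adequate for el8 kernel releases.

# Prints "yes" if release $1 is the same as or newer than release $2, else "no".
release_at_least() {
    awk -v a="$1" -v b="$2" '
    function isnum(s) { return s ~ /^[0-9]+$/ }
    BEGIN {
        na = split(a, fa, /[._-]/)
        nb = split(b, fb, /[._-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (i > nb) { print "yes"; exit }   # a has extra segments: a is newer
            if (i > na) { print "no";  exit }   # b has extra segments: b is newer
            x = fa[i]; y = fb[i]
            if (x == y) continue
            if (isnum(x) && isnum(y)) { print ((x + 0 >= y + 0) ? "yes" : "no"); exit }
            if (isnum(x)) { print "yes"; exit }  # numeric outranks alphabetic
            if (isnum(y)) { print "no";  exit }
            print ((x > y) ? "yes" : "no"); exit # both alphabetic: string order
        }
        print "yes"                              # all segments equal
    }'
}

# Constructed sample releases (not taken from an advisory). TARGET is the build
# the comments name as the QA candidate for Stream 8; this is an assumption for
# illustration, so substitute the release from the advisory you are tracking.
TARGET="4.18.0-326.el8"
for running in "4.18.0-305.10.2.el8_4.x86_64" "4.18.0-326.el8.x86_64" "4.18.0-330.el8.x86_64"; do
    printf '%-32s at or past %s: %s\n' "$running" "$TARGET" "$(release_at_least "$running" "$TARGET")"
done
# On a live host: release_at_least "$(uname -r)" "$TARGET"
```

Note that `uname -r` reports only the running kernel; a newer package can be installed but not yet booted, so check `rpm -q kernel-core` as well. A version comparison is also no substitute for the vendor's own record of the fix: `rpm -q --changelog kernel-core | grep CVE-2021-33909` shows whether the installed package's changelog claims the CVE, and the Red Hat CVE page linked in the original post remains the authoritative source for which builds carry it.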