Modules Maintenance


Hi,

Are the default modules receiving security updates?

Security tools (Tenable) want me to update PHP to 7.4 claiming
7.2.24-1.module_el8.2.0+313+b04d0a66 has several vulnerabilities per CESA-2021:4213, CESA-2022:1935.

Same with containers-common. Tenable wants 1.2.4-1.module_el8.6.0 rather than 1-23.module_el8.7.0+1106+45480ee0 even though both have the same
2022-03-16 date in the repo. (CESA-2022:1793, CESA-2022:2143).

I don’t find any CentOS-announce email mentioning the above CESAs. Are the updates for the modules published separately? Where can I find them?

Thank you in advance for your answers,

Valère Binet

2 thoughts on - Modules Maintenance

  • Generally speaking, yes.

    CentOS does not publish CVE metadata.

    If you are a RHEL customer, we have a suite of approved security scanners that understand how to use the CVE metadata published as part of RHEL. I don’t know if Tenable is in that set, but often we find many scanners do not understand that most CVE fixes in CentOS Stream and RHEL are managed via backports instead of version bumps, or they don’t know how to handle the metadata we publish.

    josh
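
One way to check a scanner finding against an installed build when fixes arrive as backports, as an added example that is not part of the thread: look for the advisory's CVE ids in the package changelog instead of comparing upstream version numbers. It assumes changelog entries name the CVEs they fix; the sample changelog, its builds and the CVE ids are constructed placeholders.

```python
import re

# Constructed sample in the layout printed by `rpm -q --changelog <package>`.
# Builds, dates, packager and CVE identifiers are placeholders, not real data.
SAMPLE_CHANGELOG = """\
* Tue Mar 15 2022 Example Packager <packager@example.org> - 7.2.24-2
- fix buffer handling in example extension
  Resolves: CVE-0000-0002

* Mon Nov 01 2021 Example Packager <packager@example.org> - 7.2.24-1
- rebase to 7.2.24
- backport fix for CVE-0000-0001 from a later upstream branch

* Thu May 02 2019 Example Packager <packager@example.org> - 7.2.11-1
- initial module build
"""

# Entry header: "* <weekday> <month> <day> <year> <packager> - <version-release>"
HEADER = re.compile(r"^\* (\w{3} \w{3} +\d{1,2} \d{4}) .* - (\S+)\s*$")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")

def fixed_cves(changelog):
    """Map each CVE id to the (date, version-release) of the entry naming it.

    The changelog is newest first, so a later overwrite keeps the oldest
    entry, i.e. the first build that carried the fix.
    """
    fixed, current = {}, None
    for line in changelog.splitlines():
        header = HEADER.match(line)
        if header:
            current = (header.group(1), header.group(2))
        elif current:
            for cve in CVE.findall(line):
                fixed[cve] = current
    return fixed

def audit(changelog, advisory_cves):
    """Return {cve: (date, build) or None} for the CVEs a scanner reported."""
    fixed = fixed_cves(changelog)
    return {cve: fixed.get(cve) for cve in advisory_cves}

if __name__ == "__main__":
    reported = ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"]
    for cve, hit in audit(SAMPLE_CHANGELOG, reported).items():
        print(cve, "fixed in %s (%s)" % (hit[1], hit[0]) if hit else "not mentioned")
```

For a real package, pass in the output of `rpm -q --changelog <package>`; the CVE ids covered by an advisory have to be taken from the advisory itself.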