View Issue Details

ID: 0002608
Project: Rocky-Linux-8
Category: General
View Status: public
Last Update: 2023-03-14 18:19
Reporter: Christian Hailer
Assigned To: Mustafa Gezen
Priority: normal
Severity: major
Reproducibility: always
Status: confirmed
Resolution: open
Summary: 0002608: Security erratum not included in updateinfo.xml
Description:
Hello,

the security erratum RLSA-2023:0835 is NOT included in the updateinfo.xml of the BaseOS repository, so tools like Katello for example won't import the erratum and therefore won't apply it automatically to registered systems.
A few weeks ago I stumbled upon another erratum which wasn't included but I can't remember which one it was.

Security scanners like Tenable complain about the unpatched packages, referencing the RLSA, and one has to update it manually.

Regards, Christian
Steps To Reproduce:
[root@web ~]# rpm -q python3-setuptools
python3-setuptools-39.2.0-6.el8.noarch

[root@web ~]# dnf update --security python3-setuptools
Last metadata expiration check: 2:37:21 ago on Tue 14 Mar 2023 11:27:27 AM CET.
No security updates needed for "python3-setuptools", but 1 update available
Dependencies resolved.
Nothing to do.
Complete!
Additional Information:
Erratum URL: https://errata.rockylinux.org/RLSA-2023:0835

updateinfo as of March 14th 2023: https://download.rockylinux.org/pub/rocky/8/BaseOS/x86_64/os/repodata/6c54586935d021b3f5ab63045a9334023fc70886832a143350ab2801601a1e7d-updateinfo.xml.gz

<data type="updateinfo">
<checksum type="sha256">6c54586935d021b3f5ab63045a9334023fc70886832a143350ab2801601a1e7d</checksum>
<open-checksum type="sha256">a5daa908ad58412844d927d9c870c59c1202b8e18e2a7e770d192bc1606a0bce</open-checksum>
<location href="repodata/6c54586935d021b3f5ab63045a9334023fc70886832a143350ab2801601a1e7d-updateinfo.xml.gz"/>
<timestamp>1678233820</timestamp>
<size>134364</size>
<open-size>1177117</open-size>
</data>

XML file attached below
Tags: No tags attached.
Attached Files

Activities

Mustafa Gezen

2023-03-14 16:38

manager   ~0002773

Hi Christian,

Thank you for reporting this issue.

We have deployed a fix to the errata system and the fixed version of updateinfo will be published shortly.

https://github.com/resf/distro-tools/commit/6915813e2ddf3e1e8a4ebb0ef6d53fa89311ce92

Mustafa
Christian Hailer

2023-03-14 17:39

reporter   ~0002774

Great, thanks a lot! I assume that all of the old missing errata will be included in the new version of updateinfo.xml as well and not only the new ones from now on, right?

Best regards, Christian
Mustafa Gezen

2023-03-14 18:19

manager   ~0002775

Yes that is correct. Updateinfo has been regenerated to include older advisories that were missed.
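
To confirm that a regenerated updateinfo.xml lists a given advisory before relying on `dnf update --security` or a Katello sync, the file can be parsed directly. The following is an added example, not part of the original thread and not code from resf/distro-tools; the embedded sample metadata, the advisory ID RLSA-0000:0001 and the package name examplepkg are constructed for illustration.

```python
import gzip
import sys
import xml.etree.ElementTree as ET

# Constructed sample, not real Rocky Linux metadata: one security advisory with
# a made-up ID and package. RLSA-2023:0835 is absent, as in the report above.
SAMPLE_UPDATEINFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<updates>
  <update from="releng@example.invalid" status="final" type="security" version="2">
    <id>RLSA-0000:0001</id>
    <title>Constructed advisory</title>
    <pkglist>
      <collection short="example">
        <name>example</name>
        <package name="examplepkg" version="1.0" release="2.el8" epoch="0" arch="noarch">
          <filename>examplepkg-1.0-2.el8.noarch.rpm</filename>
        </package>
      </collection>
    </pkglist>
  </update>
</updates>
"""

def load_advisories(raw):
    """Return {advisory_id: (type, {package names})} from updateinfo bytes."""
    if raw[:2] == b"\x1f\x8b":  # gzip magic; repositories ship updateinfo.xml.gz
        raw = gzip.decompress(raw)
    advisories = {}
    for update in ET.fromstring(raw).iter("update"):
        adv_id = (update.findtext("id") or "").strip()
        names = {pkg.get("name") for pkg in update.iter("package")}
        advisories[adv_id] = (update.get("type"), names)
    return advisories

def missing_advisories(raw, expected_ids):
    """Advisory IDs from expected_ids that the metadata does not list."""
    present = load_advisories(raw)
    return [adv for adv in expected_ids if adv not in present]

def security_advisories_for(raw, package):
    """IDs of type="security" advisories that list the given package name."""
    return sorted(adv for adv, (kind, names) in load_advisories(raw).items()
                  if kind == "security" and package in names)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_UPDATEINFO
    print("missing:", missing_advisories(data, sys.argv[2:] or ["RLSA-2023:0835"]))
```

Given a path to a downloaded updateinfo.xml.gz followed by advisory IDs, the script prints the IDs that the metadata does not contain; with no arguments it runs against the constructed sample.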

Issue History

Date Modified Username Field Change
2023-03-14 13:10 Christian Hailer New Issue
2023-03-14 13:10 Christian Hailer File Added: 6c54586935d021b3f5ab63045a9334023fc70886832a143350ab2801601a1e7d-updateinfo.xml.gz
2023-03-14 16:38 Mustafa Gezen Note Added: 0002773
2023-03-14 16:38 Mustafa Gezen Assigned To => Mustafa Gezen
2023-03-14 16:38 Mustafa Gezen Status new => assigned
2023-03-14 16:38 Mustafa Gezen Status assigned => confirmed
2023-03-14 17:39 Christian Hailer Note Added: 0002774
2023-03-14 18:19 Mustafa Gezen Note Added: 0002775