
CentOS packages not properly recognised due to dist tag in package release #138

Closed
waananen opened this issue Jan 12, 2018 · 4 comments


@waananen

Hi

A few recent packages from RHEL including httpd, ntp, firefox are not properly recognised due to the format of the release field and different content of dist tag. The current build dist tags are:

RHEL7: dist .el7_4
CENTOS7: dist .el7.centos

while the httpd specfile's release tag is:

Release: 67%{?dist}.6

This means that the logic of the vercmp in lib/managers/VulnerabilitiesManager.php fails to see the CentOS packages as fixes for the CVEs. It is not really feasible to create CVE exceptions manually. I have looked into hacking lib/managers/VulnerabilitiesManager.php without much luck.

Any idea on how to solve this (without asking Red Hat to change the format of the release field)?

Best

Anders

@kouril
Member

kouril commented Jan 12, 2018

Hi Anders,

I'm not sure I quite understand the problem, could you please post the whole version strings of the packages?

Daniel

@waananen
Author

waananen commented Jan 12, 2018

Hi Daniel

On CentOS7:
rpm -q --qf '%{version} %{release}\n' httpd
2.4.6 67.el7.centos.6

On RHEL7:
rpm -q --qf '%{version} %{release}\n' httpd
2.4.6 67.el7_4.6

Anders

@kouril
Member

kouril commented Jan 16, 2018

Hi Anders,

I spent some time looking at the issue but am afraid there's no ideal solution as long as CentOS starts issuing information of vulnerabilities. We haven't been hit by the problem so far since none of the vulnerabilities we've chased so far were in customized CentOS packages. At the moment I see two possible solutions. You can either utilize the mechanism of local OVALs, which basically allows you to record your own information about vulnerabilities, based on the CentOS versions (should be more suitable than exceptions). The other option is to use the CentOS VDS module I drafted, which populates the DB with records that should match the CentOS versions (derived from RH OVAL, based on a simple syntax pattern). I haven't tested it on a real deployment, though. If you want to give it a try, please check the current master (commit 276b50d) and enable the module in your server.

Daniel

@kouril kouril closed this as completed Jan 16, 2018
@kouril kouril reopened this Jan 16, 2018
@kouril
Member

kouril commented Jan 17, 2018

For the sake of completeness, the same issue may affect Scientific Linux (or other derivatives), which would require additional increasing of imitated vulnerabilities.

Another way to address the situation on the Pakiti side would be to adapt the version comparing method to detect the dist part of release (el7_* etc.) and handle it appropriately. However, that would add a hack into the standard comparing algorithm and (more importantly) impact the part of code that is heavily used (with likely performance penalty).

Ideally of course, the distributions should publish their own OVALs, etc.
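The comparison failure Anders reports and the dist-aware handling Daniel sketches above can be reproduced with a short script. This is an added example, not Pakiti's code and not the rpm library: `rpmvercmp` below is a simplified Python port of rpm's segment-wise version comparison (the `~`/`^` pre-release markers are omitted, an assumption that holds for the release strings in this thread), and `normalize_dist` is a hypothetical heuristic that collapses `.el7_4` and `.el7.centos` to a bare `.el7` before comparing. The httpd strings are the ones posted above.

```python
import re

def rpmvercmp(a: str, b: str) -> int:
    """Return -1 if a < b, 0 if equal, 1 if a > b, following rpm's rules:
    compare maximal runs of digits or letters left to right, ignore separators,
    numeric segments compare by value, a numeric segment beats an alphabetic one,
    and a string with leftover segments is newer than one that ran out."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not a[i].isalnum():   # skip '.', '_', '-' ...
            i += 1
        while j < len(b) and not b[j].isalnum():
            j += 1
        if not (i < len(a) and j < len(b)):
            break
        isnum = a[i].isdigit()                     # segment type is decided by `a`
        take = str.isdigit if isnum else str.isalpha
        si = i
        while i < len(a) and take(a[i]):
            i += 1
        sj = j
        while j < len(b) and take(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:                              # type mismatch: numeric wins
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):           # longer number is larger
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1

# Hypothetical normalization: '.el7_4' (RHEL z-stream) and '.el7.centos' both
# become '.el7'. Assumption: only these two dist-tag variants are in scope; it
# deliberately discards the minor-release information carried by '_4'.
_DIST = re.compile(r"\.el(\d+)(?:_\d+)?(?:\.centos)?")

def normalize_dist(release: str) -> str:
    return _DIST.sub(r".el\1", release)

def evr_cmp(installed, fixed, dist_aware=False) -> int:
    """Compare (version, release) tuples; epoch is ignored (assumption)."""
    v = rpmvercmp(installed[0], fixed[0])
    if v != 0:
        return v
    ri, rf = installed[1], fixed[1]
    if dist_aware:
        ri, rf = normalize_dist(ri), normalize_dist(rf)
    return rpmvercmp(ri, rf)

def is_vulnerable(installed, fixed, dist_aware=False) -> bool:
    """True when the installed package sorts below the fixed one."""
    return evr_cmp(installed, fixed, dist_aware) < 0

if __name__ == "__main__":
    centos = ("2.4.6", "67.el7.centos.6")   # from the CentOS7 rpm -q output above
    rhel = ("2.4.6", "67.el7_4.6")          # from the RHEL7 rpm -q output above
    print("raw compare   :", rpmvercmp(centos[1], rhel[1]))          # -1
    print("flagged (raw) :", is_vulnerable(centos, rhel))            # True
    print("flagged (dist):", is_vulnerable(centos, rhel, True))      # False
```

The raw comparison stops at the fourth segment, where `centos` (alphabetic) meets `4` (numeric); rpm treats the numeric segment as newer, so the CentOS build sorts below the RHEL fix and is reported as unpatched even though the trailing `.6` matches. The normalized comparison drops that segment and still compares the `.6`, so a CentOS `.5` build is still flagged; the cost, as Daniel notes, is an extra pass over a hot code path and the loss of the `_4` minor-release distinction, which is why the local-OVAL or CentOS VDS route keeps the comparison algorithm untouched.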
