Bug 1315502
| Summary: | CVE-2014-7810 missing from RH SCAP/OVAL Definitions on RHEL7 | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Rob <robert.mattson> |
| Component: | data | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | unspecified | CC: | jlieskov, jrusnack, openscap-maint, slukasik, thoger |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-02-02 17:00:59 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Rob
2016-03-07 23:05:16 UTC
Thank you for the report, Robert. Moving the bug to the proper product and component for correct triage && resolution. Regards, Jan.

OVAL content is only available for released errata. Issues with no released erratum have no OVAL content published.

This is not a bug in the openscap package published in Red Hat Enterprise Linux. This is an issue (or better said, an RFE) for a derived stream published outside of Red Hat Enterprise Linux. Please drop an e-mail to secalert to have this RFE tracked correctly.

(In reply to Tomas Hoger from comment #4)
> Issues with no released erratum have no OVAL content published.

To clarify this, in situations when some issue affects multiple Red Hat Enterprise Linux versions, and there's an update already released for e.g. Red Hat Enterprise Linux 7, but not yet for Red Hat Enterprise Linux 6, released OVAL content will only flag older Red Hat Enterprise Linux 7 packages as affected, but will not cover Red Hat Enterprise Linux 6.

Omg, sorry. For whatever reason, I thought this was a bug against the openscap component. I am sorry for the churn. I'll punish myself appropriately.

(In reply to Tomas Hoger from comment #6)
> (In reply to Tomas Hoger from comment #4)
> > Issues with no released erratum have no OVAL content published.
>
> To clarify this, in situations when some issue affects multiple Red Hat Enterprise Linux versions, and there's an update already released for e.g. Red Hat Enterprise Linux 7, but not yet for Red Hat Enterprise Linux 6, released OVAL content will only flag older Red Hat Enterprise Linux 7 packages as affected, but will not cover Red Hat Enterprise Linux 6.

The issue at hand is not resolved in any RHEL version, see https://bugzilla.redhat.com/show_bug.cgi?id=1222573

Acknowledgement that RHEL 6 & 7 (and possibly 5) are affected here: https://access.redhat.com/security/cve/cve-2014-7810

The above link recognizes a fix available for JBoss.

Speaking more directly to your comment, is it the case, for example, that vulnerabilities present in the Red Hat enterprise suite of products which are resolved in RHEL 7 are not highlighted by OVAL tests/SCAP tool in older yet still supported RHEL releases when they could still be present? Is that an official Red Hat policy?

(In reply to Rob from comment #8)
> Speaking more directly to your comment, is it the case, for example, that vulnerabilities present in the Red Hat enterprise suite of products which are resolved in RHEL 7 are not highlighted by OVAL tests/SCAP tool in older yet still supported RHEL releases when they could still be present?

Right, that's what my Red Hat Enterprise Linux 7 / 6 example was meant to explain. If an update is released for RHEL-7, it does not make (still affected) RHEL-6 get flagged as affected.

The following quotes are from the OVAL FAQ: https://access.redhat.com/articles/221883

> Red Hat creates and supports OVAL patch definitions, providing a machine-readable version of our security advisories.

> Red Hat OVAL content cannot be used to detect vulnerabilities in a system for which no security update has been released by Red Hat.

The latter can probably be made more explicit by changing the end to "... released by Red Hat for a given product version".
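The practical consequence of the thread above is that a "clean" OVAL scan is only evidence for a CVE if the feed actually contains a patch definition for that CVE on that platform; where no erratum has been released for a product version, the feed simply has nothing to evaluate and the scan says nothing. The following is an added example (not code from the bug report, from Red Hat or from the OpenSCAP project) that parses a feed in the layout of Red Hat's OVAL patch definitions (`definition/metadata/reference[@source="CVE"]` plus `affected/platform`) and reports which platforms a CVE is covered on. The embedded feed is constructed sample data: the advisory and CVE identifiers in it (`RHSA-0000:0001`, `CVE-0000-0001`) are placeholders, not real advisories; the query for `CVE-2014-7810` returns nothing, matching the thread's statement that no RHEL erratum exists for it.

```python
"""Report which platforms a Red Hat-style OVAL patch feed covers a CVE on.

Added example for illustration; not code from the bug report, Red Hat or
OpenSCAP. The element layout assumed (definition/metadata/reference with
source="CVE"/"RHSA", affected/platform) follows the public Red Hat OVAL
definitions. The feed text below is constructed sample data with
placeholder identifiers, not a real advisory.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Constructed sample feed: one erratum that fixes the placeholder
# CVE-0000-0001 on Red Hat Enterprise Linux 7 only. There is no definition
# for RHEL 6 at all, which is the situation described in the thread.
SAMPLE_FEED = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition class="patch" id="oval:com.redhat.rhsa:def:00000001" version="601">
      <metadata>
        <title>RHSA-0000:0001: placeholder security update (Moderate)</title>
        <affected family="unix">
          <platform>Red Hat Enterprise Linux 7</platform>
        </affected>
        <reference ref_id="RHSA-0000:0001" source="RHSA"/>
        <reference ref_id="CVE-0000-0001" source="CVE"/>
        <description>Constructed sample definition (placeholder IDs).</description>
      </metadata>
      <criteria/>
    </definition>
  </definitions>
</oval_definitions>
"""


def index_cves(feed_xml: str) -> dict:
    """Map each CVE referenced by a patch definition to the set of
    (advisory, platform) pairs whose definitions cover it."""
    root = ET.fromstring(feed_xml)
    coverage = defaultdict(set)
    for definition in root.iterfind(".//oval:definition", NS):
        # Red Hat's feeds also carry class="vulnerability" entries in some
        # files; only patch definitions correspond to released errata.
        if definition.get("class") != "patch":
            continue
        meta = definition.find("oval:metadata", NS)
        if meta is None:
            continue
        refs = meta.findall("oval:reference", NS)
        advisories = [r.get("ref_id") for r in refs if r.get("source") == "RHSA"]
        cves = [r.get("ref_id") for r in refs if r.get("source") == "CVE"]
        platforms = [
            p.text.strip()
            for p in meta.iterfind("oval:affected/oval:platform", NS)
            if p.text
        ]
        for cve in cves:
            for advisory in advisories or ["(no RHSA reference)"]:
                for platform in platforms:
                    coverage[cve].add((advisory, platform))
    return dict(coverage)


def covered_platforms(feed_xml: str, cve: str) -> set:
    """Platforms for which the feed has a patch definition naming this CVE."""
    return {platform for _, platform in index_cves(feed_xml).get(cve, set())}


def clean_result_is_conclusive(feed_xml: str, cve: str, platform: str) -> bool:
    """A 'not vulnerable' OVAL result for this CVE on this platform means
    something only if a definition exists to evaluate. If the feed has no
    definition (no erratum released for that product version), a clean scan
    is absence of evidence, not evidence of absence."""
    return platform in covered_platforms(feed_xml, cve)


if __name__ == "__main__":
    for cve in ("CVE-0000-0001", "CVE-2014-7810"):
        platforms = sorted(covered_platforms(SAMPLE_FEED, cve))
        print(f"{cve}: covered on {platforms or 'no platform (no erratum in feed)'}")
    for rhel in ("Red Hat Enterprise Linux 7", "Red Hat Enterprise Linux 6"):
        ok = clean_result_is_conclusive(SAMPLE_FEED, "CVE-0000-0001", rhel)
        print(f"clean scan for CVE-0000-0001 on {rhel} is conclusive: {ok}")
```

In practice you would run `index_cves` over the same feed file you hand to `oscap oval eval`, and treat any CVE on your watch list that comes back with no entry for your platform as "unknown", not "not affected".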