Bug 1784472

Summary: yum updateinfo list cves doesn't show some CVEs
Product: Red Hat Enterprise Linux 7
Reporter: Christophe Besson <cbesson>
Component: releng
Assignee: Release Engineering Bug Triage <releng-maint-list>
Sub component: RHELBLD
Status: MODIFIED
Severity: high
Priority: high
CC: dtodorov, james.antill, lisas, lmiksik, packaging-team-maint, pdubovsk, thoger, tmlcoch, tonay
Version: 7.6
Keywords: Regression
Target Milestone: rc
Flags: tonay: needinfo? (tmlcoch), tonay: needinfo? (pdubovsk)
Target Release: 7.6
Hardware: All
OS: Linux
Type: Bug

Description Christophe Besson 2019-12-17 14:31:18 UTC
Description of problem:
`yum updateinfo list cves` doesn't provide information about this specific kernel (the first released with RHEL 7.6):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 CVE-2015-8830    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2016-4913    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2017-0861    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2017-10661   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2017-17805   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2017-18208   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2017-18232   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2017-18344   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2017-18360   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-1092    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-1094    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-1118    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-1120    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-1130    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-5344    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-5391    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-5803    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-5848    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-7740    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-7757    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-8781    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-10322   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-10878   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-10879   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-10881   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-10883   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-10902   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-10940   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-13405   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-18690   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-1000026 Important/Sec. kernel-3.10.0-957.el7.x86_64
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The issue seems to be indirectly related to yum; this information is missing from updateinfo.xml after updating the kernel (> kernel-3.10.0-957.el7).

Version-Release number of selected component (if applicable):
yum-3.4.3-161.el7.noarch

Steps to Reproduce:
1. Install a base RHEL 7.6
2. Run the following command and notice the output.
# yum updateinfo list cves | grep -i CVE-2017-0861
3. Update the kernel to any 7.6 EUS version (> kernel-3.10.0-957.el7) and notice that the CVE isn't echoed anymore.

Actual results:
# yum updateinfo list cves | grep -i CVE-2017-0861
<empty>

Expected results:
# yum updateinfo list cves | grep -i CVE-2017-0861
 CVE-2017-0861    Important/Sec. kernel-3.10.0-957.el7.x86_64

Additional information:
The CVE-2017-0861 can be seen on a RHEL 7.7 kernel.
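
Added example (not part of the original report, and not yum or Red Hat code): one way to check repository metadata directly for the symptom described above, by listing the CVEs an updateinfo.xml ties to one exact package build and diffing two snapshots. The element layout follows the usual updateinfo.xml structure; both XML samples, the advisory IDs, CVE-0000-0000 and the ".EXAMPLE" release string are constructed placeholders.

```python
import xml.etree.ElementTree as ET

def _advisory(adv_id, cve, release):
    """Build one constructed <update> element in the usual updateinfo.xml layout."""
    return f"""<update type="security" status="final">
  <id>{adv_id}</id><severity>Important</severity>
  <references>
    <reference type="cve" id="{cve}" href="https://example.invalid/cve"/>
    <reference type="bugzilla" id="0000000" href="https://example.invalid/bz"/>
  </references>
  <pkglist><collection>
    <package name="kernel" epoch="0" version="3.10.0" release="{release}" arch="x86_64">
      <filename>kernel-3.10.0-{release}.x86_64.rpm</filename>
    </package>
  </collection></pkglist>
</update>"""

# Constructed samples: advisory IDs and the ".EXAMPLE" release are placeholders.
NEWER = _advisory("ADVISORY-PLACEHOLDER-2", "CVE-0000-0000", "957.EXAMPLE.el7")
OLD_XML = ("<updates>" + _advisory("ADVISORY-PLACEHOLDER-1", "CVE-2017-0861", "957.el7")
           + NEWER + "</updates>")
NEW_XML = "<updates>" + NEWER + "</updates>"  # the 957.el7 advisory is gone

def cves_for_build(updateinfo_xml, name, version, release, arch):
    """Map CVE id -> (severity, advisory id) for advisories listing this exact build."""
    found = {}
    for update in ET.fromstring(updateinfo_xml).iter("update"):
        builds = {(p.get("name"), p.get("version"), p.get("release"), p.get("arch"))
                  for p in update.iter("package")}
        if (name, version, release, arch) not in builds:
            continue
        for ref in update.iter("reference"):
            if ref.get("type") == "cve":  # skip bugzilla and other reference types
                found[ref.get("id")] = (update.findtext("severity"), update.findtext("id"))
    return found

def dropped_cves(old_xml, new_xml, build):
    """CVEs the old metadata tied to `build` that the new metadata no longer lists."""
    return sorted(set(cves_for_build(old_xml, *build)) - set(cves_for_build(new_xml, *build)))

if __name__ == "__main__":
    build = ("kernel", "3.10.0", "957.el7", "x86_64")
    for cve, (sev, adv) in cves_for_build(OLD_XML, *build).items():
        print(f" {cve}  {sev}/Sec. kernel-3.10.0-957.el7.x86_64  ({adv})")
    print("dropped:", dropped_cves(OLD_XML, NEW_XML, build))
```

On a real system the updateinfo file is referenced from the repository's repomd.xml and is normally compressed, so decompress it before passing its text to these functions.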

Comment 9 Jon Disnard 2019-12-23 18:18:05 UTC
I'm not sure a blocker for rhel-7.8 makes sense if this is specific to 7.6 EUS?
Assigning to pdubovsk@ for further consideration.

Comment 32 Lisa S 2023-08-16 16:16:35 UTC
This BZ is over 3 years old, and we are on 7.9.z.  I recommend we close this as Won't Fix.