Bug 1918475
Summary: | dnf --security pulling in packages without security advisory | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Ryan Mullett <rmullett> |
Component: | dnf | Assignee: | Jaroslav Mracek <jmracek> |
Status: | CLOSED ERRATA | QA Contact: | Jan Blazek <jblazek> |
Severity: | medium | Docs Contact: | |
Priority: | high | | |
Version: | 8.3 | CC: | dstreit, james.antill, jcastran, mbanas, pkratoch, thoger |
Target Milestone: | rc | Keywords: | Triaged |
Target Release: | 8.0 | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | dnf-4.7.0-1.el8 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2021-11-09 19:52:36 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1951409, 1951411 | | |
Bug Blocks: | | | |
Description
Ryan Mullett
2021-01-20 20:13:02 UTC
The correct errata link should be: https://access.redhat.com/errata/RHBA-2020:5474
I.e. 5*4*74, not 5*2*74.

The problem is fixed by https://github.com/rpm-software-management/libdnf/pull/1136, https://github.com/rpm-software-management/dnf/pull/1715.
Tests: https://github.com/rpm-software-management/ci-dnf-stack/pull/951

Can you briefly explain what the problem was here? There's not much info in the linked PRs; the most relevant seems to be:

    I have 3 versions. The first is installed, second has security fix, but it is not available in repository.

I do not really understand what exactly this state is or how we got to it. Should the above be read as there was info in updateinfo.xml for an RHSA for NetworkManager, but the files referenced were not actually in the repo? Do you have an errata id?

The problem here is/was that with no security errata applicable to NetworkManager, dnf update --security was updating NetworkManager regardless. This created a concern for the customer that the system was vulnerable in some way.

dnf update                     > update all packages
dnf update --security          > update all packages with an available security errata to the latest versions available
dnf update-minimal --security  > update all packages with an available security errata to the version specified in the errata and no further

~~~~~~~~~~~~~~~~

The customer used dnf-automatic with security flagged, which is the same as running:

# yum update-minimal --security

At this point their system should be fully updated and have no security errata to apply. We can verify that there was no errata applicable either with updateinfo:

# yum updateinfo --security
<No results>

Next they ran:

# yum update --security

And we're seeing updates for NetworkManager even though there are no security errata. This raised the concern that update-minimal and/or updateinfo are not showing the customer they were vulnerable.

Since update-minimal is also how dnf-automatic works, they were concerned their automatic updates are not applying all relevant security errata.

Ok, so the problem was that update (not update-minimal) was flagging a non-security update as applicable based on the fact that there was an older security update that was already installed on the system (possibly via update-minimal)?

Yes

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: dnf security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4464
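The exchange above describes the failure mode in words: an advisory whose fix is already installed must not make the package eligible for --security, and --security must not then carry it on to a newer build that no advisory covers. The following added Python model (written for this page, not libdnf or dnf code) makes the two selection rules side by side testable. The updateinfo fragment, the advisory id TEST-SA-0001, the package versions and the `INSTALLED`/`AVAILABLE` dictionaries are constructed; the version comparison is a simplified rpmvercmp (no '^' handling), and update-minimal is modelled as "stop at the advisory's EVR", assuming that EVR is available in the repo.

```python
import re
from functools import cmp_to_key
from xml.etree import ElementTree as ET

# Constructed updateinfo fragment (TEST-SA-0001 is a made-up advisory id).
# It says the security fix for NetworkManager is EVR 1:1.22.8-5.el8.
UPDATEINFO_XML = """<updates>
  <update type="security" status="final">
    <id>TEST-SA-0001</id>
    <pkglist><collection>
      <package name="NetworkManager" epoch="1" version="1.22.8" release="5.el8" arch="x86_64"/>
    </collection></pkglist>
  </update>
</updates>"""

# Constructed package state, name -> "epoch:version-release". The installed build
# already carries the advisory's fix; a newer build with no advisory is in the repo.
INSTALLED = {"NetworkManager": "1:1.22.8-5.el8"}
AVAILABLE = {"NetworkManager": ["1:1.22.8-5.el8", "1:1.26.0-9.el8"]}


def rpmvercmp(a, b):
    """Simplified rpm version comparison: alternating numeric/alpha segments,
    numbers compared numerically, '~' sorts before anything. '^' is not handled."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+|~", a), re.findall(r"\d+|[A-Za-z]+|~", b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if "~" in (x, y):
            return -1 if x == "~" else 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
            continue                               # e.g. "01" == "1"
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1        # numeric segment beats alpha
        return (x > y) - (x < y)
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    extra = (sa if a_longer else sb)[min(len(sa), len(sb))]
    if extra == "~":                               # "1.0~rc1" < "1.0"
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def evr_cmp(a, b):
    """Compare two 'epoch:version-release' strings the way rpm does (epoch first)."""
    def split(evr):
        epoch, _, rest = evr.partition(":") if ":" in evr else ("0", "", evr)
        version, _, release = rest.partition("-")
        return int(epoch), version, release
    ea, va, ra = split(a)
    eb, vb, rb = split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def latest(evrs):
    return max(evrs, key=cmp_to_key(evr_cmp))


def security_advisories(xml_text):
    """Map package name -> list of EVRs named by security-type advisories."""
    out = {}
    for upd in ET.fromstring(xml_text).findall("update"):
        if upd.get("type") != "security":
            continue
        for pkg in upd.iter("package"):
            evr = f"{pkg.get('epoch', '0')}:{pkg.get('version')}-{pkg.get('release')}"
            out.setdefault(pkg.get("name"), []).append(evr)
    return out


def buggy_security_update(installed, available, advisories):
    """Model of the reported behaviour (not libdnf's code): a package qualifies for
    --security as soon as *any* security advisory names it, even one whose fix is
    already installed, and is then taken to the newest available build."""
    return {n: latest(available[n]) for n, inst in installed.items()
            if n in advisories and evr_cmp(latest(available[n]), inst) > 0}


def fixed_security_update(installed, available, advisories, minimal=False):
    """Only advisories whose EVR is newer than the installed build apply.
    minimal=True models update-minimal (stop at the advisory EVR); otherwise the
    package goes to the newest available build, as plain update --security does."""
    plan = {}
    for name, inst in installed.items():
        pending = [e for e in advisories.get(name, []) if evr_cmp(e, inst) > 0]
        if pending:
            plan[name] = latest(pending) if minimal else latest(available[name])
    return plan


if __name__ == "__main__":
    adv = security_advisories(UPDATEINFO_XML)
    print("buggy:", buggy_security_update(INSTALLED, AVAILABLE, adv))  # pulls 1.26.0, no advisory
    print("fixed:", fixed_security_update(INSTALLED, AVAILABLE, adv))  # nothing to do
```

With the constructed state, `buggy_security_update` schedules NetworkManager 1:1.26.0-9.el8 although `updateinfo --security` would report nothing, which is exactly the mismatch the customer saw; `fixed_security_update` returns an empty plan because the only advisory's EVR is not newer than what is installed. Dropping the installed version to something older than the advisory shows the intended split between the two commands: update-minimal stops at the advisory EVR, update --security goes to the newest build.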