Bug 1918475

Summary: dnf --security pulling in packages without security advisory
Product: Red Hat Enterprise Linux 8
Reporter: Ryan Mullett <rmullett>
Component: dnf
Assignee: Jaroslav Mracek <jmracek>
Status: CLOSED ERRATA
QA Contact: Jan Blazek <jblazek>
Severity: medium
Priority: high
Version: 8.3
CC: dstreit, james.antill, jcastran, mbanas, pkratoch, thoger
Target Milestone: rc
Keywords: Triaged
Target Release: 8.0
Hardware: All
OS: Linux
Fixed In Version: dnf-4.7.0-1.el8
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2021-11-09 19:52:36 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1951409, 1951411

Description Ryan Mullett 2021-01-20 20:13:02 UTC
Description of problem:
dnf --security pulls in updates to packages that do not have a security related errata. 

Version-Release number of selected component (if applicable):
dnf-4.2.23-4.el8.noarch

How reproducible:
Always

Steps to Reproduce:
1. # yum downgrade NetworkManager
(ensure NetworkManager is version NetworkManager-1.16.0-9.el8_3 or earlier)
2. # yum update --security

Actual results:
[root@localhost ~]# yum update --security
Updating Subscription Management repositories.
Last metadata expiration check: 1:03:06 ago on Tue 19 Jan 2021 05:51:11 PM EST.
Dependencies resolved.
=============================================================================================================================================================================================
 Package                                        Architecture                     Version                                       Repository                                               Size
=============================================================================================================================================================================================
Upgrading:
 NetworkManager                                 x86_64                           1:1.26.0-12.el8_3                             rhel-8-for-x86_64-baseos-rpms                           2.4 M
 NetworkManager-libnm                           x86_64                           1:1.26.0-12.el8_3                             rhel-8-for-x86_64-baseos-rpms                           1.8 M
 NetworkManager-team                            x86_64                           1:1.26.0-12.el8_3                             rhel-8-for-x86_64-baseos-rpms                           142 k
 NetworkManager-tui                             x86_64                           1:1.26.0-12.el8_3                             rhel-8-for-x86_64-baseos-rpms                           320 k

Transaction Summary
=============================================================================================================================================================================================
Upgrade  4 Packages

Total download size: 4.6 M


Expected results:
There is no associated security errata for this package. When checking with `# yum updateinfo --security` no security errata is shown as required on this same system:

[root@localhost ~]# yum updateinfo --security
Updating Subscription Management repositories.
Last metadata expiration check: 1:03:22 ago on Tue 19 Jan 2021 05:51:11 PM EST.
[root@localhost ~]#

Additional info:
There is a bugzilla for this NetworkManager that was marked with the security flag, however the final release was an RHBA. This was confirmed with the Red Hat security team, and their belief was that the bug likely should have had the security flag removed. 

`# yum update-minimal --security` also does not pull in the package, so there is some discrepancy there as well.

Here is the RHBA:

https://access.redhat.com/errata/RHBA-2020:5274

Specifically, the one fix that had a bz that was initially marked security, but did not get included as RHSA, only as RHBA is the following:

2020-10-28 Antonio Cardace <acardace> - 1:1.26.0-10

    - nm-manager: fix crash that can be caused by an anauthorized user (rh #1890887)

https://bugzilla.redhat.com/show_bug.cgi?id=1890887

The last thing I did check was to make sure that the actual repo metadata matched what I expected, and that it didn't have any advisory that I had missed for the NetworkManager package in question. From my searches it did not seem to have anything that should have caused this package to be installed when using --security.

Comment 1 Tomas Hoger 2021-01-25 15:54:34 UTC
The correct errata link should be:

https://access.redhat.com/errata/RHBA-2020:5474

I.e. 5*4*74, not 5*2*74.

Comment 4 Tomas Hoger 2021-02-08 11:29:13 UTC
Can you briefly explain what the problem was here?  There's not much info in the linked PRs, the most relevant seems to be:

I have 3 versions. The first is installed, second has security fix, but it is not available in repository.

I do not really understand what exactly this state is or how we got to it.  Should the above be read as there was info in updateinfo.xml for an RHSA for the NetworkManager, but files referenced were not actually in the repo?  Do you have errata id?

Comment 5 jcastran 2021-02-08 12:10:32 UTC
The problem here is/was that with no security errata applicable to NetworkManager, dnf update --security was updating NetworkManager regardless. This created a concern for the customer that the system was vulnerable in some way.

dnf update                    > update all packages
dnf update --security         > Update all packages with an available security errata to the latest versions available
dnf update-minimal --security > Update all packages with an available security errata to the version specified in the errata and no further

~~~~~~~~~~~~~~~~
The customer used dnf-automatic with security flagged which is the same as running:

   # yum update-minimal --security

At this point their system should be fully updated and have no security errata to apply. We can verify that there was no errata applicable either with updateinfo

   # yum updateinfo --security
     <No results>

Next they ran:

   # yum update --security

And we're seeing updates for NetworkManager even though there are no security errata. This raised the concern that update-minimal and/or updateinfo are not showing the customer they were vulnerable. Since update-minimal is also how dnf-automatic works, they were concerned their automatic updates are not applying all relevant security errata.

Comment 6 Tomas Hoger 2021-02-08 12:49:04 UTC
Ok, so the problem was that update (not update-minimal) was flagging non-security update as applicable based on the fact that there was an older security update that was already installed on the system (possibly via update-minimal)?

Comment 7 jcastran 2021-02-08 12:57:29 UTC
Yes
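The three command semantics laid out in comment 5 and the root cause agreed in comments 6 and 7 can be made concrete with a small model of advisory selection. The code below is an added illustration written for this page; it is not dnf's own code, and it uses a deliberately simplified version comparison rather than rpmvercmp. The versions come from the report, RHBA-2020:5474 is the bugfix advisory named in comment 1, and `RHSA-PLACEHOLDER` is a constructed stand-in for the "older security update" comment 6 refers to (the page says the actual fix shipped as an RHBA, so no real RHSA id is implied). The buggy selector treats any security advisory that names a package as grounds to take that package to the newest version in the repo; the corrected selectors only act on advisories whose version is newer than what is installed, which is also the rule `updateinfo --security` already followed.

```python
import re
from dataclasses import dataclass


def version_key(v: str):
    """Simplified EVR ordering (stand-in for rpmvercmp, assumption for this example):
    numeric segments compare as ints, other segments as strings."""
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in re.split(r"[.:\-]", v))


def newer(a: str, b: str) -> bool:
    return version_key(a) > version_key(b)


@dataclass(frozen=True)
class Advisory:
    id: str
    kind: str      # "security" or "bugfix"
    package: str
    version: str   # package version the advisory ships


# Constructed repository state. Versions are the ones from the bug report; the RHSA id is a
# placeholder for the already-installed security update that comment 6 describes.
ADVISORIES = [
    Advisory("RHSA-PLACEHOLDER", "security", "NetworkManager", "1:1.26.0-10.el8_3"),
    Advisory("RHBA-2020:5474", "bugfix", "NetworkManager", "1:1.26.0-12.el8_3"),
]
AVAILABLE = {"NetworkManager": ["1:1.26.0-10.el8_3", "1:1.26.0-12.el8_3"]}


def applicable_security(installed, advisories):
    """Advisories that still matter: security kind AND shipping something newer than installed."""
    return [a for a in advisories
            if a.kind == "security"
            and a.package in installed
            and newer(a.version, installed[a.package])]


def updateinfo_security(installed, advisories):
    """What `dnf updateinfo --security` lists: only advisories that are still applicable."""
    return sorted(a.id for a in applicable_security(installed, advisories))


def update_security_buggy(installed, available, advisories):
    """Behaviour reported in this bug: a security advisory naming the package makes it eligible
    even when that advisory's version is already installed, and the package is then taken to the
    newest version in the repo (here the RHBA build)."""
    result = {}
    for a in advisories:
        if a.kind != "security" or a.package not in installed:
            continue
        latest = max(available[a.package], key=version_key)
        if newer(latest, installed[a.package]):
            result[a.package] = latest
    return result


def update_security(installed, available, advisories):
    """Corrected `dnf update --security`: only packages with an applicable advisory, and those
    go to the newest available version."""
    return {a.package: max(available[a.package], key=version_key)
            for a in applicable_security(installed, advisories)}


def update_minimal_security(installed, available, advisories):
    """`dnf update-minimal --security`: the lowest version that satisfies every applicable
    advisory, i.e. the highest advisory version, not the newest package in the repo."""
    result = {}
    for a in applicable_security(installed, advisories):
        if a.version in available[a.package] and (
                a.package not in result or newer(a.version, result[a.package])):
            result[a.package] = a.version
    return result


if __name__ == "__main__":
    # Customer's state: the security build is already installed (e.g. via dnf-automatic).
    patched = {"NetworkManager": "1:1.26.0-10.el8_3"}
    print("updateinfo --security        :", updateinfo_security(patched, ADVISORIES))
    print("update --security (buggy)    :", update_security_buggy(patched, AVAILABLE, ADVISORIES))
    print("update --security (fixed)    :", update_security(patched, AVAILABLE, ADVISORIES))
    print("update-minimal --security    :", update_minimal_security(patched, AVAILABLE, ADVISORIES))
    # Reporter's reproduction state: downgraded below the security build.
    old = {"NetworkManager": "1:1.16.0-9.el8_3"}
    print("old host, update --security  :", update_security(old, AVAILABLE, ADVISORIES))
    print("old host, update-minimal     :", update_minimal_security(old, AVAILABLE, ADVISORIES))
```

On the patched host the fixed selectors and `updateinfo` all agree that nothing is pending, while the buggy selector still proposes the 1.26.0-12 RHBA build; on the downgraded host `update --security` goes to the newest build and `update-minimal --security` stops at the advisory's own version, which is the distinction comment 5 draws.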

Comment 16 errata-xmlrpc 2021-11-09 19:52:36 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: dnf security and bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4464