Bug 1975182
| Summary: | CVE-2021-33909 kernel: size_t-to-int conversion vulnerability in the filesystem layer [rhel-8.5.0] | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Rohit Keshri <rkeshri> |
| Component: | kernel | Assignee: | Ian Kent <ikent> |
| kernel sub component: | File Systems | QA Contact: | Murphy Zhou <xzhou> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | high | ||
| Priority: | urgent | CC: | acaringi, bhu, brdeoliv, bstinson, carl, dhoward, dhowells, dvlasenk, esandeen, fhrbata, germano.massullo, hkrzesin, jarod, jforbes, joe.lawrence, jshortt, jstancek, jwboyer, kcarcia, lgoncalv, mharri, mszeredi, ngompa13, nmurray, ptalbert, rvrbovsk, swhiteho, vwfoxguru, walters, xzhou |
| Version: | 8.5 | Keywords: | Security, SecurityTracking, Triaged, ZStream |
| Target Milestone: | beta | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | kernel-4.18.0-326.el8 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-11-09 19:22:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1970273, 1975187 | ||
|
Description
Rohit Keshri
2021-06-23 08:50:21 UTC
Any guidance for the delay in this kernel updating hitting CentOS Stream vs RHEL 8? Stream lagging several days behind for the kernel update seems like an anti-pattern for the Stream release cycle, especially for an update with security impact. (In reply to Scott Williams from comment #6) > Any guidance for the delay in this kernel updating hitting CentOS Stream vs > RHEL 8? Stream lagging several days behind for the kernel update seems like > an anti-pattern for the Stream release cycle, especially for an update with > security impact. The team is currently working on an update. As mentioned in several places, RHEL will get Critical and Important CVE updates before CentOS Stream which means the work is prioritized for those releases first. This seems like a highly significant policy to communicate to end users. Communication thus far has pitched CentOS Stream as upstream and getting such patches first. Alma and Rocky getting patches for things like this ahead of Stream really goes against the pitch made to Stream end users. Here's how we cover this in the Stream FAQ: https://centos.org/distro-faq/#q4-how-will-cves-be-handled-in-centos-stream The fix for this has been merged in the 8.5 branch and is currently working its way through RHEL gating tests. Once it passes and is attached to errata, it will be exported to the c8s branch on git.centos.org and built for CentOS Stream 8. This is the "inside out" process we've referred to previously. We know it's not ideal, and CentOS Stream 9 improves on this significantly with RHEL maintainers doing their builds directly in the CentOS project, in the public. kernel-4.18.0-326.el8 has been exported to git.centos.org [0] and built for CentOS Stream 8 [1]. It's going out to the mirrors now. [0] https://git.centos.org/rpms/kernel/c/01ab02ad18f1ef78498a42cc4da392f6632346f6?branch=c8s [1] https://koji.mbox.centos.org/koji/buildinfo?buildID=18572 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: kernel security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:4356 |