Bug 1784472 - yum updateinfo list cves doesn't show some CVEs [NEEDINFO]
Summary: yum updateinfo list cves doesn't show some CVEs
Keywords:
Status: MODIFIED
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: releng
Version: 7.6
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 7.6
Assignee: Release Engineering Bug Triage
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-12-17 14:31 UTC by Christophe Besson
Modified: 2023-08-16 16:16 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:
tonay: needinfo? (tmlcoch)
tonay: needinfo? (pdubovsk)



Description Christophe Besson 2019-12-17 14:31:18 UTC
Description of problem:
`yum updateinfo list cves` doesn't provide information about this specific kernel (the first released with RHEL 7.6):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 CVE-2015-8830    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2016-4913    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2017-0861    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2017-10661   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2017-17805   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2017-18208   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2017-18232   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2017-18344   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2017-18360   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-1092    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-1094    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-1118    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-1120    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-1130    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-5344    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-5391    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-5803    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-5848    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-7740    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-7757    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-8781    Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-10322   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-10878   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-10879   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-10881   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-10883   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-10902   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-10940   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-13405   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-18690   Important/Sec. kernel-3.10.0-957.el7.x86_64
 CVE-2018-1000026 Important/Sec. kernel-3.10.0-957.el7.x86_64
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The issue seems to be indirectly related to yum; this information is missing from updateinfo.xml after updating the kernel to a version > kernel-3.10.0-957.el7.

Version-Release number of selected component (if applicable):
yum-3.4.3-161.el7.noarch

Steps to Reproduce:
1. Install a base RHEL 7.6
2. Run the following command and notice the output.
# yum updateinfo list cves | grep -i CVE-2017-0861
3. Update the kernel to any 7.6 EUS version (> kernel-3.10.0-957.el7) and notice that the CVE isn't echoed anymore.

Actual results:
# yum updateinfo list cves | grep -i CVE-2017-0861
<empty>

Expected results:
# yum updateinfo list cves | grep -i CVE-2017-0861
 CVE-2017-0861    Important/Sec. kernel-3.10.0-957.el7.x86_64

Additional information:
The CVE-2017-0861 can be seen on a RHEL 7.7 kernel.
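
To tell whether a CVE is absent from the repository metadata itself rather than filtered out by yum, updateinfo.xml can be checked directly. The sketch below is an added example, not part of the original report or of yum; the advisory ids, the second CVE id and the 957.99.1 kernel release in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the updateinfo.xml layout (advisory ids, the second
# CVE id and the 957.99.1 release are placeholders, not real values).
SAMPLE = """<updates>
 <update type="security"><id>RHSA-EXAMPLE-1</id><severity>Important</severity>
  <references><reference type="cve" id="CVE-2017-0861"/>
              <reference type="bugzilla" id="0000000"/></references>
  <pkglist><collection>
   <package name="kernel" version="3.10.0" release="957.el7" arch="x86_64"/>
  </collection></pkglist></update>
 <update type="security"><id>RHSA-EXAMPLE-2</id><severity>Important</severity>
  <references><reference type="cve" id="CVE-0000-0001"/></references>
  <pkglist><collection>
   <package name="kernel" version="3.10.0" release="957.99.1.el7" arch="x86_64"/>
  </collection></pkglist></update>
</updates>"""

def cve_index(xml_text):
    """Map CVE id -> list of (advisory, severity, package NVRA) in the metadata."""
    index = {}
    for update in ET.fromstring(xml_text).iter("update"):
        advisory = update.findtext("id", default="?")
        severity = update.findtext("severity", default="?")
        pkgs = ["%s-%s-%s.%s" % tuple(p.get(k, "?") for k in
                ("name", "version", "release", "arch"))
                for p in update.iter("package")]
        for ref in update.iter("reference"):
            if ref.get("type") == "cve":  # skip bugzilla/other references
                index.setdefault(ref.get("id"), []).extend(
                    (advisory, severity, nvra) for nvra in pkgs)
    return index

def audit(xml_text, cves):
    """Return {cve: hits}; an empty list means the repo metadata omits the CVE."""
    index = cve_index(xml_text)
    return {cve: index.get(cve, []) for cve in cves}

if __name__ == "__main__":
    for cve, hits in audit(SAMPLE, ["CVE-2017-0861", "CVE-0000-9999"]).items():
        if not hits:
            print("%-16s MISSING from updateinfo.xml" % cve)
        for advisory, severity, nvra in hits:
            print("%-16s %s/Sec. %s (%s)" % (cve, severity, nvra, advisory))
```

Running the same audit against the decompressed updateinfo.xml of each enabled repository shows which repository, if any, still carries the advisory for the base kernel.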

Comment 9 Jon Disnard 2019-12-23 18:18:05 UTC
I'm not sure a blocker for rhel-7.8 makes sense if this is specific to 7.6 EUS?
Assigning to pdubovsk@ for further consideration.

Comment 32 Lisa S 2023-08-16 16:16:35 UTC
This BZ is over 3 years old, and we are on 7.9.z.  I recommend we close this as Won't Fix.

