Bug 1918475 - dnf --security pulling in packages without security advisory
Summary: dnf --security pulling in packages without security advisory
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: dnf
Version: 8.3
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
: 8.0
Assignee: Jaroslav Mracek
QA Contact: Jan Blazek
URL:
Whiteboard:
Depends On: 1951409 1951411
Blocks:
Reported: 2021-01-20 20:13 UTC by Ryan Mullett
Modified: 2021-11-10 10:51 UTC
CC: 6 users

Fixed In Version: dnf-4.7.0-1.el8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-09 19:52:36 UTC
Type: Bug
Target Upstream Version:
Embargoed:
Links:
Red Hat Product Errata RHSA-2021:4464 (Status: None; Last Updated: 2021-11-09 19:53:12 UTC)

Description Ryan Mullett 2021-01-20 20:13:02 UTC
Description of problem:
dnf --security pulls in updates to packages that do not have a security related errata. 

Version-Release number of selected component (if applicable):
dnf-4.2.23-4.el8.noarch

How reproducible:
Always

Steps to Reproduce:
1. # yum downgrade NetworkManager
(ensure NetworkManager is version NetworkManager-1.16.0-9.el8_3 or earlier)
2. # yum update --security

Actual results:
[root@localhost ~]# yum update --security
Updating Subscription Management repositories.
Last metadata expiration check: 1:03:06 ago on Tue 19 Jan 2021 05:51:11 PM EST.
Dependencies resolved.
=============================================================================================================================================================================================
 Package                                        Architecture                     Version                                       Repository                                               Size
=============================================================================================================================================================================================
Upgrading:
 NetworkManager                                 x86_64                           1:1.26.0-12.el8_3                             rhel-8-for-x86_64-baseos-rpms                           2.4 M
 NetworkManager-libnm                           x86_64                           1:1.26.0-12.el8_3                             rhel-8-for-x86_64-baseos-rpms                           1.8 M
 NetworkManager-team                            x86_64                           1:1.26.0-12.el8_3                             rhel-8-for-x86_64-baseos-rpms                           142 k
 NetworkManager-tui                             x86_64                           1:1.26.0-12.el8_3                             rhel-8-for-x86_64-baseos-rpms                           320 k

Transaction Summary
=============================================================================================================================================================================================
Upgrade  4 Packages

Total download size: 4.6 M


Expected results:
There is no associated security errata for this package. When checking with `# yum updateinfo --security`, no security errata is shown as required on this same system:

[root@localhost ~]# yum updateinfo --security
Updating Subscription Management repositories.
Last metadata expiration check: 1:03:22 ago on Tue 19 Jan 2021 05:51:11 PM EST.
[root@localhost ~]#

Additional info:
There is a bugzilla for this NetworkManager that was marked with the security flag, however the final release was an RHBA. This was confirmed with the Red Hat security team, and their belief was that the bug likely should have had the security flag removed. 

`# yum update-minimal --security` also does not pull in the package, so there is some discrepancy there as well

Here is the RHBA:

https://access.redhat.com/errata/RHBA-2020:5274

Specifically, the one fix that had a bz that was initially marked security, but did not get included as RHSA, only as RHBA is the following:

2020-10-28 Antonio Cardace <acardace> - 1:1.26.0-10

    - nm-manager: fix crash that can be caused by an anauthorized user (rh #1890887)

https://bugzilla.redhat.com/show_bug.cgi?id=1890887

The last thing I did check was to make sure that the actual repo metadata matched what I expected, and that it didn't have any advisory that I had missed for the NetworkManager package in question. From my searches it did not seem to have anything that should have caused this package to be installed when using --security.

Comment 1 Tomas Hoger 2021-01-25 15:54:34 UTC
The correct errata link should be:

https://access.redhat.com/errata/RHBA-2020:5474

I.e. 5*4*74, not 5*2*74.

Comment 4 Tomas Hoger 2021-02-08 11:29:13 UTC
Can you briefly explain what was the problem here?  There's not much info in the linked PRs, the most relevant seems to be:

I have 3 versions. The first is installed, second has security fix, but it is not available in repository.

I do not really understand what exactly is this state or how we got to it.  Should the above be read as there was info in updateinfo.xml for an RHSA for the NetworkManager, but files referenced were not actually in the repo?  Do you have errata id?

Comment 5 jcastran 2021-02-08 12:10:32 UTC
The problem here is/was that with no security errata applicable to NetworkManager, dnf update --security was updating NetworkManager regardless. This created a concern for the customer that the system was vulnerable in some way.

dnf update                    > update all packages
dnf update --security         > Update all packages with an available security errata to the latest versions available
dnf update-minimal --security > Update all packages with an available security errata to the version specified in the errata and no further

~~~~~~~~~~~~~~~~
The customer used dnf-automatic with security flagged which is the same as running:

   # yum update-minimal --security

At this point their system should be fully updated and have no security errata to apply. We can verify that there was no errata applicable either with updateinfo:

   # yum updateinfo --security
     <No results>

Next they ran:

   # yum update --security

And we're seeing updates for NetworkManager even though there are no security errata. This raised the concern that update-minimal and/or updateinfo are not showing the customer they were vulnerable. Since update-minimal is also how dnf-automatic works, they were concerned their automatic updates are not applying all relevant security errata.
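A constructed model of the three behaviours listed in this comment, added here for illustration (not dnf's own code; the advisory ids and versions are made up). It shows how counting an already-applied security advisory as still relevant makes `update --security` upgrade a package to a newer bugfix-only build, while `update-minimal --security` and `updateinfo --security` correctly report nothing:

```python
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class Advisory:
    id: str        # constructed ids, not real errata
    kind: str      # "security" or "bugfix"
    package: str
    version: str   # version-release the advisory ships

def vr_key(vr):
    """Crude ordering key for 'version-release' strings like '1.26.0-12.el8_3'.
    Enough for these inputs; not a full rpmvercmp."""
    version, _, release = vr.partition("-")
    nums = lambda s: tuple(int(x) for x in re.findall(r"\d+", s))
    return nums(version), nums(release)

def security_updates(installed, available, advisories, minimal, buggy=False):
    """Return {package: version to install} for `update --security` (minimal=False)
    or `update-minimal --security` (minimal=True). buggy=True models the reported
    behaviour: a package still counts as 'having a security advisory' even when
    that advisory is already satisfied, so update --security upgrades it anyway."""
    chosen = {}
    for adv in advisories:
        if adv.kind != "security" or adv.package not in installed:
            continue
        cur = installed[adv.package]
        applicable = vr_key(adv.version) > vr_key(cur)
        if not applicable and (minimal or not buggy):
            continue   # advisory already applied: nothing to do
        candidates = [v for v in available[adv.package] if vr_key(v) > vr_key(cur)]
        if minimal:  # smallest build that still satisfies the advisory
            candidates = [v for v in candidates if vr_key(v) >= vr_key(adv.version)]
            pick = min(candidates, key=vr_key) if candidates else None
        else:        # newest build available for the package
            pick = max(candidates, key=vr_key) if candidates else None
        if pick:
            chosen[adv.package] = pick
    return chosen

# Scenario from the report (constructed values): the only security advisory
# covers a build older than what is installed; a newer bugfix-only build exists.
INSTALLED = {"NetworkManager": "1.26.0-9.el8_3"}
AVAILABLE = {"NetworkManager": ["1.26.0-9.el8_3", "1.26.0-12.el8_3"]}
ADVISORIES = [Advisory("RHSA-EXAMPLE-1", "security", "NetworkManager", "1.26.0-7.el8_3"),
              Advisory("RHBA-EXAMPLE-2", "bugfix", "NetworkManager", "1.26.0-12.el8_3")]
```

Calling `security_updates(INSTALLED, AVAILABLE, ADVISORIES, False, buggy=True)` returns the 1.26.0-12 upgrade, while the non-buggy and minimal variants return nothing, matching the discrepancy described above.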

Comment 6 Tomas Hoger 2021-02-08 12:49:04 UTC
Ok, so the problem was that update (not update-minimal) was flagging non-security update as applicable based on the fact that there was an older security update that was already installed on the system (possibly via update-minimal)?

Comment 7 jcastran 2021-02-08 12:57:29 UTC
Yes

Comment 16 errata-xmlrpc 2021-11-09 19:52:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: dnf security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4464

