rhel-8 tracking bug for kernel: see the bugs linked in the "Blocks" field of this bug for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes in the blocked bugs.
NOTE THIS ISSUE IS CURRENTLY EMBARGOED, DO NOT MAKE PUBLIC COMMITS OR COMMENTS ABOUT THIS ISSUE.
WARNING: NOTICE THAT REMOVING THE "SECURITY" GROUP FROM THIS TRACKER MAY BREAK THE EMBARGO.
Information with regards to this bug is considered Red Hat Confidential until the embargo has lifted. Please post the patch only to the 'rhkernel-team-list' mailing list for review and acks.
For the Enterprise Linux security issues handling process overview see:
Reproducers, if any, will remain confidential and never be made public, unless done so by the security team.
NOTICE: THIS BUG HAS THE DEFAULT OWNER (fs-maint) OVERRIDDEN BECAUSE IT WAS A MAILING LIST OR NON @redhat.com E-MAIL! PLEASE CONTACT secalert IF THIS CONFUSES YOU.
NOTICE: THIS BUG HAS THE DEFAULT QA CONTACT (fs-qe) OVERRIDDEN BECAUSE IT WAS A MAILING LIST OR NON @redhat.com E-MAIL! PLEASE CONTACT secalert IF THIS CONFUSES YOU.
Any guidance for the delay in this kernel updating hitting CentOS Stream vs RHEL 8? Stream lagging several days behind for the kernel update seems like an anti-pattern for the Stream release cycle, especially for an update with security impact.
(In reply to Scott Williams from comment #6)
> Any guidance for the delay in this kernel updating hitting CentOS Stream vs
> RHEL 8? Stream lagging several days behind for the kernel update seems like
> an anti-pattern for the Stream release cycle, especially for an update with
> security impact.
The team is currently working on an update. As mentioned in several places, RHEL will get Critical and Important CVE updates before CentOS Stream which means the work is prioritized for those releases first.
This seems like a highly significant policy to communicate to end users. Communication thus far has pitched CentOS Stream as upstream and getting such patches first. Alma and Rocky getting patches for things like this ahead of Stream really goes against the pitch made to Stream end users.
Here's how we cover this in the Stream FAQ: https://centos.org/distro-faq/#q4-how-will-cves-be-handled-in-centos-stream
The fix for this has been merged in the 8.5 branch and is currently working its way through RHEL gating tests. Once it passes and is attached to errata, it will be exported to the c8s branch on git.centos.org and built for CentOS Stream 8. This is the "inside out" process we've referred to previously. We know it's not ideal, and CentOS Stream 9 improves on this significantly with RHEL maintainers doing their builds directly in the CentOS project, in the public.
kernel-4.18.0-326.el8 has been exported to git.centos.org  and built for CentOS Stream 8 . It's going out to the mirrors now.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Moderate: kernel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.