Description of problem:
The current CentOS 7 version 7.9.2009 (kernel version: 3.10.0-1160.45.1.el7.x86_64) does not seem to have the latest fix, in version 1.4.18, for the XStream library. The XStream version available on CentOS 7 is xstream-1.3.1.
This has been reported by the built-in Qualys vulnerability assessment on the virtual machine running CentOS 7, with a CVSS base score (v2.0: 9.3, v3.0: 9.9).
As per the remediation step, it points to https://x-stream.github.io/security.html, which needs the latest version, i.e. 1.4.18, of the XStream library. Currently it seems that version 1.4.18 is available only for CentOS 8 at https://centos.pkgs.org/8/epel-x86_64/xstream-1.4.18-3.el8.noarch.rpm.html
Can I please request that the security fix in 1.4.18 for XStream is made available for CentOS 7 as well?
I was advised to create a bug here for Red Hat 7 based on the bug in CentOS 7: https://bugs.centos.org/view.php?id=18351
The vulnerability has been reported for the following CVEs:
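As an added example (not part of the bug report above, and not Red Hat or CentOS tooling), the following shell script performs the check that underlies the report: it reads the installed xstream RPM version and decides whether it is older than 1.4.18, the release the XStream security page names as carrying the fix. It assumes GNU `sort -V` (coreutils, present on CentOS 7); when `rpm` is unavailable it falls back to the 1.3.1 version quoted in the report, which is a constructed input so the script also runs offline.

```shell
#!/bin/sh
# Added example: is the installed xstream RPM older than the fixed release?
# Assumes GNU sort with -V (version sort), as shipped in coreutils on CentOS 7.

FIXED_XSTREAM_VERSION="1.4.18"

# version_lt A B -> exit 0 if A sorts strictly before B as a version string.
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$first" = "$1" ]
}

# Exit 0 (true) when the given xstream version still lacks the 1.4.18 fix.
xstream_needs_update() {
    version_lt "$1" "$FIXED_XSTREAM_VERSION"
}

# Read the installed version from rpm when available; otherwise use the
# version the report quotes for CentOS 7 (constructed input for offline use).
installed_xstream_version() {
    if command -v rpm >/dev/null 2>&1 && rpm -q xstream >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' xstream
    else
        echo "1.3.1"
    fi
}

if [ "${1:-}" = "--check" ]; then
    v=$(installed_xstream_version)
    if xstream_needs_update "$v"; then
        echo "xstream $v is below $FIXED_XSTREAM_VERSION: update needed"
    else
        echo "xstream $v is at or above $FIXED_XSTREAM_VERSION"
    fi
fi
```

Run it as `sh check-xstream.sh --check` on the VM; on a stock CentOS 7 host with xstream-1.3.1 it reports that an update is needed. The comparison is on the upstream version field only, so a vendor backport that keeps the 1.3.1 version string but patches the code would still be flagged, which is the same limitation a version-based scanner has.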
Thank you for taking the time to report this issue to us. We appreciate the feedback and use reports such as this one to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution.
If this issue is critical or in any way time sensitive, please raise a ticket through the regular Red Hat support channels to ensure it receives the proper attention and prioritization to assure a timely resolution.
For information on how to contact the Red Hat production support team, please visit:
For information on how to contact the Red Hat Product Security team, please visit:
RHEL 7 is already in the Maintenance Support 2 phase, which means that only Critical impact Security Advisories and selected Urgent Priority Bug Fix Advisories may be addressed. Please see https://access.redhat.com/support/policy/updates/errata#Maintenance_Support_2_Phase for further information.
Since this bug does not meet the criteria, we'll close it as WONTFIX. If this is a critical issue for you, feel free to reach out to Product Security or Production Support, as explained in comment #3 above.