Re: It's been six days since CVE-2021-33909 was patched in RHEL, what's the holdup for Stream 8?




It's being worked on.  RHEL maintainers can fix things independently
in different minor version branches.  The fix was applied to the
internal 8.4 branch while it was under embargo.  It has since been
released in RHEL 8.4, which allowed it to be rebuilt in CentOS Linux
8.  CentOS Stream 8 is currently tracking the internal 8.5 branch,
which just had the fix merged yesterday, along with many other
changes, as kernel-4.18.0-326.el8.  That build is going through QA
now.  Once completed, it will be exported to git.centos.org and
rebuilt in CentOS Stream 8.  This is the "inside out" process we've
referred to, and we know it's not ideal.  CentOS Stream 9 improves on
this significantly with RHEL maintainers doing their builds directly
in the CentOS project, in the public.

I'll also note this isn't something new.  We've been clear that RHEL
gets some security fixes first.  Typically it's only 1-2 days after
RHEL 8 that we'll have the corresponding fix out for CentOS Linux 8
and CentOS Stream 8.  No one is happy about how much longer this
particular update is taking.  The Stream model brings massive changes
to the RHEL workflows, so no one should be surprised that there are
growing pains.

On Mon, Jul 26, 2021 at 4:02 PM Steven Rosenberg via CentOS
<centos@xxxxxxxxxx> wrote:
>
> This bug in the kernel was patched in RHEL on 7/20. Every other mainstream Linux distro patched it that day or the day after. That includes Rocky and Alma.
>
> https://access.redhat.com/security/cve/CVE-2021-33909
>
> It's still not patched six days later in CentOS Stream 8.
>
> This Bugzilla entry makes it clear that when it comes to security, CentOS Stream falls behind RHEL. But this far behind?
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1975182
>
> This doesn't make a good argument for Stream being a viable CentOS Linux replacement.
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos
>


-- 
Carl George
