On Tue, Aug 9, 2022 at 11:03 AM Valere Binet <valere.binet@xxxxxxxxx> wrote:
>
> Hi,
>
> Are the default modules receiving security update?
Generally speaking, yes.
> Security tools (Tenable) want me to update PHP to 7.4 claiming
> 7.2.24-1.module_el8.2.0+313+b04d0a66 has several vulnerabilities per
> CESA-2021:4213, CESA-2022:1935.
>
> Same with containers-common. Tenable wants 1.2.4-1.module_el8.6.0 rather
> than 1-23.module_el8.7.0+1106+45480ee0 even though both have the same
> 2022-03-16 date in the repo. (CESA-2022:1793, CESA-2022:2143).
>
> I don't find any centos-announce email mentioning the above CESA. Are the
> updates for the modules published separately? Where can I find them?
CentOS does not publish CVE metadata.
If you are a RHEL customer, we have a suite of approved security
scanners that understand how to use the CVE metadata published as part
of RHEL. I don't know if Tenable is in that set, but often we find
many scanners do not understand that most CVE fixes in CentOS Stream
and RHEL are managed via backports instead of version bumps or they
don't know how to handle the metadata we publish.
josh
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
