Packages in @anaconda repository have security vulnerabilities which will be reported by our security monitoring system. Is it safe to remove all packages from @anaconda repository now that they are installer related and the os installation has already been done?
Its completely different. First, these are valid packages from baseos, appstream or other also valid repos. So, do not remove them. You would kill your installation. I see that the “tag” anaconda is confusing but its just means installed while installation. If you wanna get rid of it you could resintall those packages. I would take care package by package. For example:
dnf reinstall acl
# LANG=C dnf list acl Last metadata expiration check: 1:55:22 ago on Tue Jul 4 13:40:23 2023. Installed Packages acl.x86_64 2.3.1-3.el9 @baseos
You should probably run a “dnf update” and all the packages from the “@anaconda” repo should be updated to more up-to-date ones and then be replaced by either @baseos or@appstream.
Nope, if no update is available then packages remains with this meta information (@anaconda as repo source) …
Can you give a couple of examples of which packages and which Rocky version because I have zero packages from @anaconda installed on my system.
Well, the system must of course have been installed via Anaconda. Right? Then you get these entries:
# dnf list all |grep @anaconda|sort |head -1 alternatives.x86_64 1.20-2.el9 @anaconda # dnf list all |grep @anaconda|wc -l 254 # dnf list all |grep @anaconda|sort |tail -1 zstd.x86_64 1.5.1-2.el9 @anaconda
I’m using Rocky version 8.7.
dnf reinstall will reinstall the package using baseos repo. But it won’t be upgraded. Specifically, I want to get rid of python3-pyyaml because of CVE-2020-14343 | Vulnerability Database | Aqua Security
[root@sc2-rdops-vm05-dhcp-178-186 vts]# dnf list |grep yaml Failed to set locale, defaulting to C.UTF-8 libyaml.x86_64 0.1.7-5.el8 @anaconda python3-pyyaml.x86_64 3.12-12.el8 @baseos libyaml.i686 0.1.7-5.el8 baseos python2-pyyaml.x86_64 3.12-16.module+el8.5.0+706+735ec4b3 appstream python3.11-pyyaml.x86_64 6.0-1.el8 appstream python38-pyyaml.x86_64 5.4.1-1.module+el8.5.0+672+ab6eb015 appstream python39-pyyaml.x86_64 5.4.1-1.module+el8.5.0+673+10283621 appstream
[root@sc2-rdops-vm05-dhcp-178-186 vts]# dnf upgrade python3-pyyaml Failed to set locale, defaulting to C.UTF-8 Last metadata expiration check: 1:31:11 ago on Tue Jul 4 20:21:20 2023. Dependencies resolved. Nothing to do. Complete!
The version for python(36) - python3-pyyaml ist not affected. BTW, your scanner can not compare the version strings directly because EL rebuilds do have there own git-tags for rpm modules versioning (e.g. 5.4.1-1.module+el8.5.0+672+ab6eb015). And if you consider security as important, you should do
yum clean all; yum update
to update to the latest state of RL → 8.8.
Thank you for reply. We’ve decided to try latest version of rocky linux. It has much fewer vulnerabilities detected by our scanner.
What version were you running?