Hi,
I wanted to fix some security issues on a Rocky 8.9 system, e.g. CVE-2021-20270, which is detected on the 8.9 version. python36:0:3.6.8-38.module+el8.5.0+671+195e4563
I tried to update this package from appstream, but there are no new packages available.
It seems that this package is not exactly the same as the one in the rhel8 repo, which has python36-3.6.8-38.module+el8.9.0+20976+d3c38525.x86_64.
Alma8 also has this package updated.
Can you help here? Is there any plan to sync this with the rhel8 repo?
Thanks
The packages are the same. It’s clear to me that RHEL (and Alma) simply rebuilt the package without actually addressing anything else beyond that. It’s easy to tell by ignoring the module portion of the version.
python36-3.6.8-38.module+el8.5.0+671+195e4563.x86_64
python36-3.6.8-38.module+el8.9.0+20976+d3c38525.x86_64
We can rebuild it to make it “match”, but I cannot guarantee it will be in a timely manner due to 9.4 and 8.10 development.
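The comparison described in the reply above, "ignoring the module portion of the version", as an added example that is not part of the original post. The field names (`platform`, `build`, `ctx`) and the regex layout are assumptions inferred from the two package strings quoted in the thread; the check tests equality only and does not implement RPM version ordering.

```python
import re
from typing import NamedTuple, Optional

# Assumed layout, inferred from the strings quoted in the thread:
#   name-version-release[.module+<platform>+<build>+<ctx>].arch
NVRA = re.compile(
    r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+?)"
    r"(?:\.module\+(?P<platform>el[\d.]+)\+(?P<build>\d+)\+(?P<ctx>[0-9a-f]+))?"
    r"\.(?P<arch>[^.]+)$"
)

class Pkg(NamedTuple):
    name: str
    version: str
    release: str               # release with the module suffix stripped
    module_tag: Optional[str]  # None for non-modular packages
    arch: str

def parse(nvra: str) -> Pkg:
    """Split an NVRA string, separating the module rebuild suffix."""
    m = NVRA.match(nvra.strip())
    if not m:
        raise ValueError(f"not an NVRA string: {nvra!r}")
    tag = None
    if m["platform"]:
        tag = f"{m['platform']}+{m['build']}+{m['ctx']}"
    return Pkg(m["name"], m["version"], m["release"], tag, m["arch"])

def compare(a: str, b: str) -> str:
    """Classify two NVRA strings while ignoring the module portion."""
    pa, pb = parse(a), parse(b)
    if pa[:3] + (pa.arch,) != pb[:3] + (pb.arch,):
        return "different package build"
    if pa.module_tag != pb.module_tag:
        return "same source release, different module rebuild"
    return "identical"

# The two strings quoted in the thread.
ROCKY = "python36-3.6.8-38.module+el8.5.0+671+195e4563.x86_64"
RHEL = "python36-3.6.8-38.module+el8.9.0+20976+d3c38525.x86_64"

if __name__ == "__main__":
    for s in (ROCKY, RHEL):
        print(parse(s))
    print(compare(ROCKY, RHEL))
```

A scanner that compares the full release string flags these two as different; comparing name, version and base release shows they differ only in the module rebuild tag.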
Since this was fixed like a few years ago as per the link by @ganphx then it would suggest whatever scanner you ran against your system is reporting false positives. Most likely by just checking a package version number, rather than scanning the system properly.
I’ll note too that the python36 module received a rebuild during our development for 8.10.
Scanners may still end up saying that it doesn’t match because of the 1592.
Indeed. Red Hat backports fixes to their RHEL forks of software (see “What is backporting and how does it affect Red Hat Enterprise Linux (RHEL)?” on the Red Hat Customer Portal), so “Python 3.6” in RHEL is not the upstream “Python 3.6”.
Thank you all for any comments.
Yes, if you do not mind, please rebuild it for 8.10, we will see if it helps, thx.