Rocky Errata Database

Hi,

I would like to refer to the discussion I started at the link below on GitHub.

I would like to focus on vulnerability CVE-2019-9948.

The Trivy scanner retrieves data from the Rocky Errata Database during the scan process and relies on this database. Since the keyword CVE-2019-9948 refers to a Rocky Enterprise Software Foundation Product Errata, Trivy does not treat my end-of-life Python 3.6 platform as vulnerable, with the example vulnerabilities included in the GitHub discussion. However, according to the NVD (nist.gov) details about CVE-2019-9948, Python 3.6.8 platform libraries are also vulnerable to being used for a bad purpose.

The above Rocky Errata involves only the Python 2 version, but it doesn't mean that Python 3.6.8 is safe without any security patches, which neither I nor the Trivy scanner could find in the Rocky Errata Database, right? Could you explain why the Errata patches were released only for the Python 2 version with the libraries connected to it and skipped the Python 3 platform?

I know that I need to update the Python platform due to its EOL status, but I have been analysing Trivy's behavior for a while and I am willing to get to know some details about the Errata.

The same case applies to RLSA-2023:6746 for Rocky Linux 9: will a security patch be released for Rocky Linux 8, or is the nghttp2 library safe without any security patches for Rocky Linux 8?

Greetings
Mateusz

CVE-2019-9948 is described by Red Hat: cve-details

Platform                    Package   State   Errata          Date
Red Hat Enterprise Linux 8  python3   Fixed   RHSA-2019:3520  November 5, 2019

RHSA-2019:3520 released python3 3.6.8-15.1.el8 for RHEL 8.
That included the package platform-python.

Do you ask whether Rocky has released a matching package for Rocky 8 since then,
i.e. is the issue only in the errata content?

Do you find anything with:

rpm -q --changelog platform-python | grep -i -10 CVE-2019-9948

Thank you, the command will be useful.

What about

The same case applies to RLSA-2023:6746 for Rocky Linux 9: will a security patch be released for Rocky Linux 8, or is the nghttp2 library safe without any security patches for Rocky Linux 8?

If you know the CVE, you can still look for it in the package’s changelogs, even if the errata is not readily available.

[root@cm01 ~]# dnf repoquery -q nghttp2 --changelog | grep CVE-2023-44487 -B1
* Fri Oct 13 2023 Jan Macku <jamacku@redhat.com> - 1.33.0-5
- fix HTTP/2 Rapid Reset (CVE-2023-44487)
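The reply above shows a one-off grep of a package changelog for a single CVE. The script below, added here as an example and not taken from the thread or from any Rocky tooling, generalises that check: it parses rpm-style changelog text (entries headed by "* <date> <author> - <EVR>"), reports the version-release of the first entry that mentions each CVE you ask about, and exits non-zero when any CVE is not mentioned at all. The sample changelog text is constructed for this example (its first entry is modelled on the nghttp2 output shown above; the second entry is invented); the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: find which version-release of an RPM package first mentions a CVE
# in its changelog. Not part of the original thread; function names are made up here.

# cve_fix_version CHANGELOG_TEXT CVE_ID
# Prints the EVR (from the "* ... - EVR" header) of the newest changelog entry whose
# body mentions CVE_ID; returns 1 if no entry mentions it. The match requires the CVE
# id to be followed by a non-digit or end of line, so CVE-2023-4448 does not match
# CVE-2023-44487.
cve_fix_version() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        /^\* / { evr = $NF }                       # header line: last field is the EVR
        evr != "" && match($0, cve "([^0-9]|$)") { print evr; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# check_cves PACKAGE CVE_ID...
# Runs `rpm -q --changelog` on the installed package (assumption: rpm is available)
# and reports each CVE. Because the installed package's changelog only lists entries
# up to its own version, a hit means the installed build already carries that entry.
# Swap in `dnf repoquery -q "$pkg" --changelog` to ask about the repository candidate
# version instead of the installed one.
check_cves() {
    pkg=$1
    shift
    log=$(rpm -q --changelog "$pkg") || return 2
    rc=0
    for cve in "$@"; do
        if evr=$(cve_fix_version "$log" "$cve"); then
            printf '%s: mentioned in %s changelog entry %s\n' "$cve" "$pkg" "$evr"
        else
            printf '%s: NOT mentioned in %s changelog (check errata/upstream before assuming it is fixed)\n' "$cve" "$pkg"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample changelog (not real rpm output) used to exercise cve_fix_version offline.
SAMPLE_CHANGELOG='* Fri Oct 13 2023 Jan Macku <jamacku@redhat.com> - 1.33.0-5
- fix HTTP/2 Rapid Reset (CVE-2023-44487)

* Mon Mar 06 2023 Example Maintainer <maint@example.invalid> - 1.33.0-3
- rebuilt for a constructed example, no CVE reference'

# Usage: ./cve_changelog.sh nghttp2 CVE-2023-44487
# or:    ./cve_changelog.sh platform-python CVE-2019-9948
if [ "$#" -ge 2 ]; then
    check_cves "$@"
fi
```

A changelog hit tells you the maintainer claims a backported fix in that build; it does not tell you the errata database knows about it, which is exactly the gap Trivy falls into when the errata feed is incomplete. A miss is not proof of vulnerability either, since the fix may have landed under a different identifier or in a different package.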
