[scl.org] ubi8/nodejs14 update request

Petr Kubat pkubat at redhat.com
Wed May 12 10:30:23 UTC 2021


Hi Jim,

as was already said, the CVE fix already shipped (I guess your mail was 
stuck in some moderation queue?) and the image rebuilt to incorporate 
the fix.
So just for the record - the grade of the image only gets dropped when 
the CVE is actually fixed in the specific RHEL or RHSCL version and will 
drop lower the longer it takes to rebuild the image to add the CVE fix 
in. If there is a known vulnerability but the fix for it is not yet 
shipped, then the images will stay in grade A.

HTH,
Petr

On 2/8/21 10:08 PM, Jim Knochelmann wrote:
> Hello,
> I am interested in a version bump to image 
> https://catalog.redhat.com/software/containers/ubi8/nodejs-14/5ed7887dd70cc50e69c2fabb 
> .
> There seems to be a discrepancy between the "security" tab, which is 
> reporting a health index of "A" with no problems, and Red Hat's 
> security info for nodejs 14 on RHEL 8: 
> https://access.redhat.com/security/cve/CVE-2020-8277 
> which shows 
> that CVE-2020-8277 has not yet been fixed.  Is CVE-2020-8277 a 
> security concern?  It is possible that I am just interpreting the 
> reports incorrectly.
> If you are available on IBM slack, I am up at @JimKnochelmann .
> Thank you,
> Jim Knochelmann
> Software Engineer
> IBM Watson - Natural Language Understanding
> +1 (720) 515-4454
> jim.knochelmann at ibm.com