From stefan.bergstein at redhat.com Fri Oct 1 08:03:24 2021
From: stefan.bergstein at redhat.com (Stefan Bergstein)
Date: Fri, 1 Oct 2021 10:03:24 +0200
Subject: [scl.org] CVE Info of Red Hat Container images not correct (?)
In-Reply-To:
References:
Message-ID:

Hello Sokratis,

thank you very much that you took the time for the explanation. It helped
a lot. I had a meeting with the customer yesterday. It is still unclear why
the RHEL8 repo has marked it as won't fix, but the CVE was fixed in eap7.
The customer is going to open a support case.

Thank you again,
Stefan

On Thu, Sep 30, 2021 at 1:47 AM Sokratis Zappis wrote:

> Hello Stefan,
>
> On Tue, Sep 28, 2021 at 1:13 PM Stefan Bergstein <
> stefan.bergstein at redhat.com> wrote:
>
>> Hello Sokratis, hi Software Collections team,
>>
>> I am writing to you because you are listed as maintainer of the Apache
>> HTTP 2.4 [Sokratis] and JBoss Web Server 5.5 (OpenJDK8) on UBI 8 [sclorg]
>> images.
>>
>> My customer Bosch raised a security issue about Red Hat Container images
>> in the Red Hat Container Catalog [1].
>> In short, software packages in Red Hat Container images are not updated
>> according to CVE recommendations and/or do not contain the required CVE
>> information.
>>
>> Two examples from the customer's SRE team:
>>
>> *Apache HTTP 2.4.x *
>>
>> The CVE-2021-36160 [2] describes that Apache HTTP Server versions 2.4.30
>> to 2.4.48 are impacted.
>> The current Red Hat Apache HTTP 2.4 image [3] (1-156, latest, 7 days old)
>> contains httpd 2.4.37 and also does not indicate the CVE-2021-36160
>>
>>
>> *JBoss Web Server 5.5 (OpenJDK8) on UBI 8*
>>
>> The CVE-2021-29425 [4] describes that Apache Commons IO before 2.7 are
>> impacted. The current JBoss Web Server 5.5 (OpenJDK8) on UBI 8 image [5]
>> (1.0-51627017160 latest, 2 months old) still contains Apache-commons-io 2.6
>> also does not indicate the CVE-2021-29425.
>>
>> The customer's SRE team must respond to the Bosch CERT Advisory and is
>> requesting the following information:
>>
>> 1. In both examples, are the CVEs not fixed yet?
>>
>> That is partly right. If you check
> https://access.redhat.com/security/cve/CVE-2021-36160 you will see that
> no erratum is attached in the relevant column for any platform, which means
> that no RHSA has been released yet containing an rpm that addresses this
> CVE. For the second CVE
> https://access.redhat.com/security/cve/CVE-2021-29425 , you will see that
> the RHEL8 and Software collections have marked it as won't fix, so
> again you cannot expect an updated RPM from those channels coming to
> address it. In the case of the JWS containers which I'm responsible for, we
> as a product are responsible to address CVEs in the scope of our own
> product (JWS), all the rest of the packages that are in the container are
> inherited/brought by the software collections and the RHEL8 repos.
>
>>
>> 1. CVE-2021-36160 is moderate [6], but the Red Hat Container Catalog
>> does not show any information. Is there any reason?
>>
>> Since no erratum exists which releases an rpm that fixes certain CVE(s)
> for a package (httpd in this instance), the relevant containers which
> consume this package do not show up as affected, even though the package
> itself might be affected. The containers only appear affected by CVEs if
> RHSAs containing RPMs which fix those CVEs have already been released, and
> the container images have not yet consumed them to have the latest
> available RPM packages installed.
>
>>
>> 1. CVE-2021-29425 seems to be fixed for Red Hat JBoss Enterprise
>> Application Platform 7.4 for RHEL 8 but not for the JBoss Web Server 5.5
>> (OpenJDK8) on UBI 8 image, but the Red Hat Container Catalog does not show
>> any information. Is there any reason?
>>
>> If you check the relevant errata columns in
> https://access.redhat.com/security/cve/CVE-2021-29425, you will see that
> EAP has provided a fix on the following RHSA
> , with the updated
> package being *eap7-apache-commons-io-2.10.0-1.redhat_00001.1.el8eap.noarch.rpm
> . *If you check the rpm contents of the container images though, you will
> notice that this package is not installed in the container image, this is
> why the CVE does not show up in the container catalog. You can check the
> installed packages of JWS and EAP in the following links: JWS 5.5
> (OpenJDK8) on UBI 8
>
> and JBoss EAP 7.4 with OpenJDK11
>
> . For JWS, we inherit the apache-commons package in our container image
> from the RHEL8 repo which has marked it as won't fix, hence no RHSA present
> there, so the container doesn't show as affected. My guess is that the same
> stands for the EAP container as well, but I'm adding @Ken Wills
> who is responsible for the EAP containers to the
> thread to comment if needed.
>
> Please also let me know if I misinterpreted the CVE data on the Red Hat
>> Container Catalog.
>>
>
> The bottom line is that for the containers' world, what we care about is
> the health index, which is calculated against the RPM contents of the
> container, and is affected only by Critical and Important CVEs as you can
> see here .
>
> Cheers,
> Sokratis
>
>
>> Thank you,
>> Stefan
>>
>>
>> [1] https://catalog.redhat.com/software/containers/search
>> [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36160
>> [3]
>> https://catalog.redhat.com/software/containers/rhel8/httpd-24/5ba0addbbed8bd6ee819856a?container-tabs=security
>> [4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
>> [5]
>> https://catalog.redhat.com/software/containers/rhel8/httpd-24/5ba0addbbed8bd6ee819856a?container-tabs=security
>> [6] https://access.redhat.com/security/cve/CVE-2021-36160
>>
>>

From a_chernovich at inlinetelecom.ru Fri Oct 15 14:36:19 2021
From: a_chernovich at inlinetelecom.ru (Alexander Chernovich)
Date: Fri, 15 Oct 2021 17:36:19 +0300
Subject: [scl.org] scl bin path into package
Message-ID:

Hi all, I am trying to import net-snmp into rh-perl524 SCL(RHEL-7), I need
perl SNMP module into SCL, but it needs snmp-package recompilation, so I am
trying to rewrite spec file, all seems to be OK, but no scl-based path both
to bin and lib are used (only system path).

I was trying to get path via `%{?scl:PREFIX=%{_scl_root}}` but it is empty,
what am I doing wrong? spec-file in attachment
-------------- next part --------------
A non-text attachment was scrubbed...
Name: net-snmp.spec
Type: text/x-rpm-spec
Size: 74939 bytes
Desc: not available
URL:

From ppisar at redhat.com Mon Oct 18 12:52:38 2021
From: ppisar at redhat.com (Petr Pisar)
Date: Mon, 18 Oct 2021 14:52:38 +0200
Subject: [scl.org] scl bin path into package
In-Reply-To:
References:
Message-ID:

On Fri, Oct 15, 2021 at 05:36:19PM +0300, Alexander Chernovich wrote:
> Hi all, I am trying to import net-snmp into rh-perl524 SCL(RHEL-7), I need
> perl SNMP module into SCL, but it needs snmp-package recompilation, so I am
> trying to rewrite spec file, all seems to be OK, but no scl-based path both
> to bin and lib are used (only system path).
>
> I was trying to get path via `%{?scl:PREFIX=%{_scl_root}}` but it is empty,
> what am I doing wrong? spec-file in attachment
>
Have you read ? It describes how to create a new collection which depends
on rh-perl524 collection. It's maybe too complicated for your use case, but
it explains all the macros and dependencies.

If you only want to add net-snmp package into rh-perl524 collection, then I
would recommend you first to find any existing source package from the
collection and then get your system to a state in which rebuilding that
source package will produce the same binary packages as provided by the
collection.
Achieving that state usually means installing rh-perl524-build package
which you first need to build from rh-perl524 source package. Finally you
can edit net-snmp package in a similar way as the collection package you
chose at the beginning.

> %{?scl:Requires: %{scl}-runtime}
> %{?scl:BuildRequires: %{scl}-runtime}
> BuildRequires: openssl-devel, bzip2-devel, elfutils-devel
> BuildRequires: libselinux-devel, elfutils-libelf-devel, rpm-devel
> BuildRequires: %{?scl_prefix}perl-devel, perl(ExtUtils::Embed)%{?scl_prefix}, gawk, procps

perl(ExtUtils::Embed) has bad prefix.

> %build
> %{?scl:scl enable %{scl} - << \EOF}
> %{?scl:PREFIX=%{_scl_root}}
> set -e
> MIBS="host agentx smux \
> ucd-snmp/diskio tcp-mib udp-mib mibII/mta_sendmail \
> ip-mib/ipv4InterfaceTable ip-mib/ipv6InterfaceTable \
> ip-mib/ipAddressPrefixTable/ipAddressPrefixTable \
> ip-mib/ipDefaultRouterTable/ipDefaultRouterTable \
> ip-mib/ipv6ScopeZoneIndexTable ip-mib/ipIfStatsTable \
> sctp-mib rmon-mib etherlike-mib"
>
> %ifnarch s390 s390x
> # there are no lm_sensors on s390
> MIBS="$MIBS ucd-snmp/lmsensorsMib"
> %endif
>
>
> %configure \
> --prefix="$PREFIX"

You don't need to change --prefix=%{__prefix}. %{__prefix} will be
automatically redefined if rh-perl524-build is installed.

However, if your goal is to build net-snmp while keeping it installed into
/usr prefix and only use rh-perl524 Perl for linking and installing its
Perl modules, then basically you need to prepend rh-perl524 to Perl
dependencies, change %files entries for Perl modules to point deep into
/opt/rh/perl524/..., do "scl enable rh-perl524", and then build the
package.

Crafting the spec file to have half of files and dependencies from system,
and another half from collection is possible, but requires a high level of
knowledge of build process of the given software (net-snmp) and I'm not
going to explain it here. I'd recommend you simply building the package as
part of the collection.

-- Petr

From ppisar at redhat.com Wed Oct 20 08:28:50 2021
From: ppisar at redhat.com (Petr Pisar)
Date: Wed, 20 Oct 2021 10:28:50 +0200
Subject: [scl.org] scl bin path into package
In-Reply-To: <6a9b22acc8ac40fc830ef0d77978d2cf@inlinetelecom.ru>
References: <6a9b22acc8ac40fc830ef0d77978d2cf@inlinetelecom.ru>
Message-ID:

On Tue, Oct 19, 2021 at 03:47:54PM +0000, Alexander Chernovich wrote:
> I have corrected scl_prefix as you said, and additionally some small
> mistakes. I prepared my system in the way I could successfully compile any
> of rh-perl524 SCL packages. Then I tried to compile net-snmp package again,
> now it seems that all paths are correct and have valid collection prefix
> without hard-coding it. But compilation is failing at the last stage
> (Processing files: rh-perl524-net-snmp-5.7.2-49.el7.1.x86_64) :
> error: File not found: /home/rpmbuild/rpmbuild/BUILDROOT/rh-perl524-net-snmp-5.7.2-49.el7.1.x86_64/opt/rh/rh-perl524/enable
> error: File not found: /home/rpmbuild/rpmbuild/BUILDROOT/rh-perl524-net-snmp-5.7.2-49.el7.1.x86_64/etc/scl/prefixes/rh-perl524
> error: File not found: /home/rpmbuild/rpmbuild/BUILDROOT/rh-perl524-net-snmp-5.7.2-49.el7.1.x86_64/opt/rh/rh-perl524/root/bin
> error: File not found: /home/rpmbuild/rpmbuild/BUILDROOT/rh-perl524-net-snmp-5.7.2-49.el7.1.x86_64/opt/rh/rh-perl524/root/boot
> error: File not found: /home/rpmbuild/rpmbuild/BUILDROOT/rh-perl524-net-snmp-5.7.2-49.el7.1.x86_64/opt/rh/rh-perl524/root/dev
> error: File not found: /home/rpmbuild/rpmbuild/BUILDROOT/rh-perl524-net-snmp-5.7.2-49.el7.1.x86_64/etc/opt/rh/rh-perl524/X11
> etc...
>
That's because of "%{?scl: %scl_files}" you put in all %files sections.
%scl_files should only be used at runtime subpackages. See "rpm -ql
rh-perl524-runtime".
The runtime package is a top-level package of a collection and delivers
basic definition of the collection. Because you are not creating a new
collection, you don't need to package those files. I recommend removing the
"%{?scl: %scl_files}" lines from net-snmp.spec.

I also noticed that your spec file has duplicate content from line 646:

    641 %changelog
    642 * Mon Oct 18 2021 Alexander - 1:5.7.2-49.2
    643 - add net-snmp to rh-perl524 SCL
    644
    645
    646 [rpmbuild at stand_vm SPECS]$ cat net-snmp.spec
    647 %{?scl:%scl_package net-snmp}
    648 %{!?scl:%global pkg_name %{name}}
    649 -

-- Petr

From eochieng at redhat.com Tue Oct 26 16:19:30 2021
From: eochieng at redhat.com (Edmund Ochieng)
Date: Tue, 26 Oct 2021 11:19:30 -0500
Subject: [scl.org] [2 Min Read] Hosting Red Hat Certified Container Images in Connect
Message-ID:

Hi,

My name is Edmund from the Ecosystem Engineering team. Formerly, the
Operator Enablement team.

Working with Red Hat partners, we run into situations where we end up
building container images which may seem generic enough to be used by other
partners. I would like to have a chat with someone on the Red Hat Software
Collections team to see if we can have these images certified and made
available by Red Hat Software Collections.

If interested, feel free to reach out to me.

--
Edmund Ochieng
Software Engineer,
Ecosystem Engineering

From bgollahe at redhat.com Tue Oct 26 17:08:06 2021
From: bgollahe at redhat.com (Brian Gollaher)
Date: Tue, 26 Oct 2021 13:08:06 -0400
Subject: [scl.org] [2 Min Read] Hosting Red Hat Certified Container Images in Connect
In-Reply-To:
References:
Message-ID:

Hi Edmund. I'm the product manager for SCLs. Please schedule something and
we can talk.
I will caution you that we are in the process of releasing our last planned
RHSCL release so there are no more planned. For RHEL 8, we can discuss how
you could make containers available in the Red Hat container catalog.

Brian

On Tue, Oct 26, 2021 at 12:22 PM Edmund Ochieng wrote:

> Hi,
>
> My name is Edmund from the Ecosystem Engineering team. Formerly, the
> Operator Enablement team.
>
> Working with Red Hat partners, we run into situations where we end up
> building container images which may seem generic enough to be used by other
> partners. I would like to have a chat with someone on the Red Hat Software
> Collections team to see if we can have these images certified and made
> available by Red Hat Software Collections.
>
> If interested, feel free to reach out to me.
>
> --
>
> Edmund Ochieng
>
> Software Engineer,
> Ecosystem Engineering
>

--
Brian Gollaher
Red Hat Enterprise Linux Experience
Product Management
Phone: 508 740-6549
briang at redhat.com

From a.chernovich at inlinetelecom.ru Tue Oct 19 15:48:05 2021
From: a.chernovich at inlinetelecom.ru (Alexander Chernovich)
Date: Tue, 19 Oct 2021 15:48:05 -0000
Subject: [scl.org] scl bin path into package
In-Reply-To:
References: ,
Message-ID: <6a9b22acc8ac40fc830ef0d77978d2cf@inlinetelecom.ru>

Hi, thanks for your answer, my goal is just to add snmp library and snmp
perl module into rh-perl524 collection (not a separate one). I realized my
first mistake -- I was trying to build without specifying collection name,
the correct commands to build seem to be

"scl enable rh-perl524 bash" then
"rpmbuild -bb net-snmp.spec --define 'scl rh-perl524'"

I have corrected scl_prefix as you said, and additionally some small
mistakes.
I prepared my system in the way I could successfully compile any of
rh-perl524 SCL packages. Then I tried to compile net-snmp package again,
now it seems that all paths are correct and have valid collection prefix
without hard-coding it. But compilation is failing at the last stage
(Processing files: rh-perl524-net-snmp-5.7.2-49.el7.1.x86_64) :
error: File not found: /home/rpmbuild/rpmbuild/BUILDROOT/rh-perl524-net-snmp-5.7.2-49.el7.1.x86_64/opt/rh/rh-perl524/enable
error: File not found: /home/rpmbuild/rpmbuild/BUILDROOT/rh-perl524-net-snmp-5.7.2-49.el7.1.x86_64/etc/scl/prefixes/rh-perl524
error: File not found: /home/rpmbuild/rpmbuild/BUILDROOT/rh-perl524-net-snmp-5.7.2-49.el7.1.x86_64/opt/rh/rh-perl524/root/bin
error: File not found: /home/rpmbuild/rpmbuild/BUILDROOT/rh-perl524-net-snmp-5.7.2-49.el7.1.x86_64/opt/rh/rh-perl524/root/boot
error: File not found: /home/rpmbuild/rpmbuild/BUILDROOT/rh-perl524-net-snmp-5.7.2-49.el7.1.x86_64/opt/rh/rh-perl524/root/dev
error: File not found: /home/rpmbuild/rpmbuild/BUILDROOT/rh-perl524-net-snmp-5.7.2-49.el7.1.x86_64/etc/opt/rh/rh-perl524/X11
etc...

It seems that rpmbuild is trying to build all system root directories
structure and insert it into package. I understand that there is some error
in my spec but I can't find it, could you, please, help?

Modified spec-file with needed patches for perl 5.24 in attachment.

--
Thanks to all for help, especially Petr.
Best regards, Alexander
-------------- next part --------------
A non-text attachment was scrubbed...
Name: net-snmp.tar.gz
Type: application/gzip
Size: 29206 bytes
Desc: net-snmp.tar.gz
URL:

From a.chernovich at inlinetelecom.ru Wed Oct 20 19:49:32 2021
From: a.chernovich at inlinetelecom.ru (Alexander Chernovich)
Date: Wed, 20 Oct 2021 19:49:32 -0000
Subject: [scl.org] scl bin path into package
In-Reply-To:
References: <6a9b22acc8ac40fc830ef0d77978d2cf@inlinetelecom.ru>,
Message-ID:

Thanks a lot! It is compiling successfully now, the trouble was in
%scl_files macros, it was wrong to call it, thanks again!
The duplicated lines were because of incorrect copy-pasting, so I have
fixed spec file (by direct file copying from SPECS directory), and attach
it to this mail. Maybe it could be helpful for someone who decides to
recompile SNMP perl module for perl SCL.

Petr, many thanks again, and sorry for bothering.

--
Best regards, Alexander
-------------- next part --------------
A non-text attachment was scrubbed...
Name: net-snmp-v2.tar.gz
Type: application/gzip
Size: 28910 bytes
Desc: net-snmp-v2.tar.gz
URL:

From ajose at redhat.com Thu Oct 28 20:00:52 2021
From: ajose at redhat.com (Abey Jose)
Date: Thu, 28 Oct 2021 20:00:52 -0000
Subject: [scl.org] Need information regarding container image release.
Message-ID:

Hello Team,

On checking the rhel8/httpd-24 container image (1-156) [1], the httpd
package httpd-2.4.37-39.module+el8.4.0+9658+b87b2deb.x86_64 is present.

But when we check the package details in Red Hat site [2], there is an
update available (from 2021-09-30) which fixes the original vulnerability
(CVE-2021-40438).

The container image (1-156) [1] is affected, since it contains a non-fixed
version of httpd.

Do we have any idea when an updated container image for httpd24 will be
available, that contains a fixed version?

Any inputs will be really helpful. Thanks in advance.

[1] https://catalog.redhat.com/software/containers/rhel8/httpd-24/5ba0addbbed8bd6ee819856a?container-tabs=packages&tag=1-156&push_date=1632226439000
[2] https://access.redhat.com/downloads/content/rhel---8/x86_64/7443/httpd/2.4.37-39.module+el8.4.0+12865+a7065a39.1/src/fd431d51/package-changelog

--
Regards,
*Abey Jose*
TSE, OpenShift Container Platform
TRIED. TESTED. TRUSTED.
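
The comparison made in the message above, and the catalog behaviour Sokratis describes earlier in the thread (an image is flagged for a CVE only once an erratum ships an RPM newer than the one installed), as an added Python example; it is not code from the thread or from Red Hat. The port of rpm's version ordering, the erratum record layout and all function names are assumptions; the package strings and the CVE id are the ones quoted in the thread, and both builds are assumed to have the same epoch.

```python
import re

_SEP = re.compile(r"^[^A-Za-z0-9~^]+")   # separators such as '.', '+', '_'

def rpmvercmp(a, b):
    """Order two RPM version or release strings as rpm does: -1, 0 or 1."""
    while a or b:
        a, b = _SEP.sub("", a), _SEP.sub("", b)
        if a[:1] == "~" or b[:1] == "~":      # '~' sorts before everything
            if a[:1] != b[:1]:
                return 1 if b[:1] == "~" else -1
            a, b = a[1:], b[1:]
            continue
        if a[:1] == "^" or b[:1] == "^":      # '^' sorts just after the base
            if a[:1] != b[:1]:
                if a[:1] == "^":
                    return -1 if b else 1
                return 1 if a else -1
            a, b = a[1:], b[1:]
            continue
        if not (a and b):
            break
        numeric = a[0] in "0123456789"
        pat = r"[0-9]+" if numeric else r"[A-Za-z]+"
        seg_a, m_b = re.match(pat, a).group(), re.match(pat, b)
        if m_b is None:                       # a digit run beats a letter run
            return 1 if numeric else -1
        seg_b = m_b.group()
        a, b = a[len(seg_a):], b[len(seg_b):]
        if numeric:                           # numeric compare: 12865 > 9658
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if not a and not b:
        return 0
    return 1 if a else -1

def parse_nvra(nvra):
    """Split 'name-version-release.arch' as printed by `rpm -qa`."""
    rest, arch = nvra.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)
    return name, version, release, arch

def is_older(have, fixed):
    """True when the (version, release) pair `have` sorts before `fixed`."""
    return (rpmvercmp(have[0], fixed[0]) or rpmvercmp(have[1], fixed[1])) < 0

def flagged_cves(installed_nvras, errata):
    """CVEs an image is flagged for: only those whose fix has shipped in an
    erratum and is newer than the installed build. No erratum, no flag."""
    have = {}
    for nvra in installed_nvras:
        name, version, release, _ = parse_nvra(nvra)
        have[name] = (version, release)
    found = set()
    for e in errata:
        if e["name"] in have and is_older(have[e["name"]], (e["version"], e["release"])):
            found.update(e["cves"])
    return sorted(found)

# Installed build quoted in the message for image tag 1-156.
IMAGE_1_156 = ["httpd-2.4.37-39.module+el8.4.0+9658+b87b2deb.x86_64"]
# Constructed erratum record; version and release come from link [2] above.
ERRATA = [{"name": "httpd", "version": "2.4.37",
           "release": "39.module+el8.4.0+12865+a7065a39.1",
           "cves": ["CVE-2021-40438"]}]

if __name__ == "__main__":
    print(flagged_cves(IMAGE_1_156, ERRATA))
```

The same ordering explains why a plain string comparison is not enough: rpmvercmp treats 2.10.0 as newer than 2.6 and 12865 as newer than 9658, where a lexical comparison gets both wrong.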