View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0000291AlmaLinux-8-OTHERpublic2022-08-06 12:572022-09-12 14:10
Reporterap8 Assigned To 
PrioritynormalSeverityminorReproducibilityalways
Status newResolutionopen 
Platformx86_64OSAlmaLinuxOS Version8
Summary0000291: Errata entry missing for httpd
DescriptionAdvisory https://access.redhat.com/errata/RHSA-2022:5163 for CVE-2020-13950 is missing from AlmaLinux errata, but it is present in RockyLinux (https://errata.rockylinux.org/RLSA-2022:5163) and Oracle Linux (https://linux.oracle.com/errata/ELSA-2022-5163.html).
Steps To ReproduceIn RockyLinux:
<code>
[[email protected] ~]# dnf updateinfo --info --all --cve CVE-2020-13950
Last metadata expiration check: 1:23:17 ago on Sat 06 Aug 2022 11:23:52 UTC.
===============================================================================
  Low: httpd:2.4 security update
===============================================================================
  Update ID: RLSA-2022:5163
       Type: security
    Updated: 2022-07-07 20:12:43
       CVEs: CVE-2020-13950
Description: For more information visit https://errata.rockylinux.org/RLSA-2022:5163
   Severity: Low
  Installed: true
[[email protected] ~]#
</code>

In AlmaLimux:
<code>
[[email protected] ~]# dnf updateinfo --info --all --cve CVE-2020-13950
Last metadata expiration check: 1:25:21 ago on Sat 06 Aug 2022 11:20:58 UTC.

[[email protected] ~]#
</code>
TagsNo tags attached.
abrt_hash
URL

Activities

toracat

2022-08-08 23:15

reporter   ~0000656

Just an observation. The output on RHEL 8 looks similar to the one on Alma:

$ sudo dnf updateinfo --info --all --cve CVE-2020-13950
Updating Subscription Management repositories.
Last metadata expiration check: 0:26:50 ago on Mon 08 Aug 2022 03:35:41 PM PDT.

ap8

2022-08-09 09:30

reporter   ~0000657

Thanks @toracat.

I do not have access to a RHEL8 instance so I could not check before reporting the bug. I tried OracleLinux8 and that also behaves like AlmaLinux8 and RHEL8 (i.e. no output).

Nonetheless, I assume there may be something missing in AlmaLinux because if you search for `5163` in https://errata.almalinux.org/ you get nothing, but you get the advisory if you search for the same in RockyLinux (https://errata.rockylinux.org/) and RHEL (https://access.redhat.com/errata-search/#/?q=5163&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&portal_product=Red%20Hat%20Enterprise%20Linux&portal_product_version=8) errata pages.

jacp10

2022-09-06 13:13

reporter   ~0000689

I see the same thing as the original reporter, CVE reported for RHEL updates, not ALMA

On RHEL:
[[email protected]]# dnf updateinfo --info --all --cve CVE-2020-13950
Updating Subscription Management repositories.
Last metadata expiration check: 1:56:39 ago on Tue 06 Sep 2022 12:12:13 BST.
===============================================================================
  Low: httpd:2.4 security update
===============================================================================
  Update ID: RHSA-2022:5163
       Type: security
    Updated: 2022-06-22 10:23:56
       Bugs: 1966738 - CVE-2020-13950 httpd: mod_proxy NULL pointer dereference
       CVEs: CVE-2020-13950
Description: The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.
           :
           : Security Fix(es):
           :
           : * httpd: mod_proxy NULL pointer dereference (CVE-2020-13950)
           :
           : For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
   Severity: Low
  Installed: true

On ALMA:
[[email protected]]# dnf updateinfo --info --all --cve CVE-2020-13950
Last metadata expiration check: 2:37:16 ago on Tue 06 Sep 2022 11:32:38 BST.

[[email protected]]#

abotelho

2022-09-12 14:10

reporter   ~0000690

Error: Task /pulp/api/v3/tasks/7c9a2e55-d3cf-4e25-ac1b-941a40c9628a/ failed: 'duplicate key value violates unique constraint "rpm_updatecollection_name_update_record_id_6ef33bed_uniq"
DETAIL: Key (name, update_record_id)=(almalinux-8-for-x86_64-appstream-rpms__8_1_subversion_0, 966da980-5314-419f-872a-3b5a480ba41c) already exists.

This also appears to be breaking my Pulp 3 weekly sync. This is when syncing AlmaLinux 8 BaseOS

Issue History

Date Modified Username Field Change
2022-08-06 12:57 ap8 New Issue
2022-08-08 23:15 toracat Note Added: 0000656
2022-08-09 09:30 ap8 Note Added: 0000657
2022-09-06 13:13 jacp10 Note Added: 0000689
2022-09-12 14:10 abotelho Note Added: 0000690