View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000349 | AlmaLinux-8 | dnf | public | 2022-12-21 19:01 | 2022-12-22 16:09 |
Reporter | cPanelSrTechAnalysts | Assigned To | |||
Priority | high | Severity | major | Reproducibility | always |
Status | new | Resolution | open | ||
Summary | 0000349: AlmaLinux 8 yum/dnf repos provide out of date version of libzip | ||||
Description | Currently, both versions of libzip (1.5.1-2 and 1.5.2-1) exist here: https://repo.almalinux.org/almalinux/8/AppStream/x86_64/os/Packages/ But for some reason, 1.5.1-2 is still getting grabbed by dnf and cannot be updated.

```
# rpm -q libzip
libzip-1.5.1-2.module_el8.3.0+2010+7c76a223.x86_64
# dnf update libzip
Last metadata expiration check: 3:14:28 ago on Wed 21 Dec 2022 01:41:45 PM UTC.
Dependencies resolved.
Nothing to do.
Complete!
# dnf update
Last metadata expiration check: 3:14:32 ago on Wed 21 Dec 2022 01:41:45 PM UTC.
Dependencies resolved.
Nothing to do.
Complete!
# rpm -q libzip
libzip-1.5.1-2.module_el8.3.0+2010+7c76a223.x86_64
```

Steps To Reproduce |

```
# rpm -e --nodeps libzip
# dnf install libzip
Last metadata expiration check: 0:36:05 ago on Wed 21 Dec 2022 06:01:22 PM UTC.
Dependencies resolved.
==========================================================================================
 Package    Architecture   Version                                 Repository    Size
==========================================================================================
Installing:
 libzip     x86_64         1.5.1-2.module_el8.3.0+2010+7c76a223    appstream     61 k

Transaction Summary
==========================================================================================
Install  1 Package

Total download size: 61 k
Installed size: 108 k
Is this ok [y/N]:
```
Additional Information | This is causing our AWS Marketplace listing to be removed. Amazon has a security scanner that looks for packages related to known CVEs. Although this version of libzip isn't directly affected, it was mentioned as one of the updated packages in connection with CVE-2019-11043 (SEE: https://errata.almalinux.org/8/ALSA-2019-3735.html ). It appears that Amazon's scanner, not knowing any better, assumes that all listed packages are vulnerable. | ||||
Tags | No tags attached. | ||||
abrt_hash | |||||
URL | |||||
Apologies. We found that the issue is not with AlmaLinux, but with Amazon. We found that on AL8, libzip is provided by the 'php' dnf module; switching from php 7.2 to 7.3 (dnf -y module switch-to php:7.3) also causes the libzip 1.5.2-1 version to be pulled in. This solution works for us because it doesn't require circumventing the packaging system. It would still be helpful if the AL8 EC2 image were compatible with the AWS security scanner, but that's not a packaging issue. We can close this ticket out. Sorry for any confusion.
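The note above explains why a version-based scanner and `dnf update` disagree: the installed libzip carries a modular dist tag (`.module_el8.3.0+...`), so it only moves when the providing module stream is switched. The following added example (written for this page, not code from the bug tracker, AlmaLinux, cPanel or Amazon) shows what such an audit has to do on the defender's side: it re-implements rpm's version ordering (`rpmvercmp`) in pure Python so it runs without librpm, compares installed NEVRA strings against a reference "first fixed build" per package, and reports modular packages separately because a plain `dnf update` will not change them. The installed list and the fixed-build strings are constructed for the example; the real fixed builds come from the advisory (here ALSA-2019-3735), not from this script.

```python
"""Audit installed RPMs against reference fixed builds, with modular-stream awareness.

Added example, not part of the bug tracker page. The version ordering follows
rpm's rpmvercmp: segments of digits or letters are compared in turn, numeric
segments beat alphabetic ones, '~' sorts before anything (pre-release), and '^'
sorts after end-of-string but before anything else (post-release snapshot).
"""
import re

# name-[epoch:]version-release.arch ; version and release contain no '-'
NEVRA_RE = re.compile(
    r"^(?P<name>.+)-(?:(?P<epoch>\d+):)?(?P<ver>[^-:]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$"
)
# Modular dist tags look like ".module_el8.3.0+2010+7c76a223" (AlmaLinux) or ".module+el8..." (RHEL)
MODULAR_RE = re.compile(r"\.module[_+]el\d")


def _runlen(s, i, want_digits):
    """Length of the run of digits (or letters) starting at s[i]."""
    n = 0
    while i + n < len(s) and (s[i + n].isdigit() if want_digits else s[i + n].isalpha()):
        n += 1
    return n


def rpmvercmp(a, b):
    """Return -1, 0 or 1 with the same ordering as rpm's rpmvercmp()."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators (anything not alphanumeric, '~' or '^') are skipped
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":          # tilde: older than everything, even end of string
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # caret: newer than end of string, older than the rest
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()
        na, nb = _runlen(a, i, isnum), _runlen(b, j, isnum)
        if nb == 0:                         # different segment types: numeric wins
            return 1 if isnum else -1
        sa, sb = a[i:i + na], b[j:j + nb]
        if isnum:                           # numeric: ignore leading zeros, longer is larger
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = i + na, j + nb
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1         # whichever side has leftover text is newer


def parse_nevra(s):
    """Split 'name-[epoch:]ver-rel.arch' into a dict; epoch defaults to '0'."""
    m = NEVRA_RE.match(s)
    if not m:
        raise ValueError("not a NEVRA string: %r" % s)
    d = m.groupdict()
    d["epoch"] = d["epoch"] or "0"
    return d


def evrcmp(p, q):
    """Compare two parsed packages by epoch, then version, then release."""
    if int(p["epoch"]) != int(q["epoch"]):
        return 1 if int(p["epoch"]) > int(q["epoch"]) else -1
    r = rpmvercmp(p["ver"], q["ver"])
    return r if r else rpmvercmp(p["rel"], q["rel"])


def audit(nevra_text, fixed_by_name):
    """Return [(name, status)] for every installed package that has a reference fixed build."""
    findings = []
    for line in nevra_text.split():
        pkg = parse_nevra(line)
        ref = fixed_by_name.get(pkg["name"])
        if ref is None:
            continue
        if evrcmp(pkg, parse_nevra(ref)) >= 0:
            status = "ok"
        elif MODULAR_RE.search(pkg["rel"]):
            status = "below-fix-modular"     # 'dnf update' will not move it; switch the module stream
        else:
            status = "below-fix"
        findings.append((pkg["name"], status))
    return findings


# Constructed sample input, shaped like `rpm -qa` output (the libzip line matches the report).
INSTALLED = """
libzip-1.5.1-2.module_el8.3.0+2010+7c76a223.x86_64
php-cli-7.2.24-1.module_el8.3.0+2010+7c76a223.x86_64
openssl-libs-1:1.1.1k-7.el8_6.x86_64
"""
# Constructed reference builds; in practice these come from the advisory's package list.
FIXED = {
    "libzip": "libzip-1.5.2-1.module_el8.3.0+2010+7c76a223.x86_64",
    "openssl-libs": "openssl-libs-1:1.1.1k-7.el8_6.x86_64",
}

if __name__ == "__main__":
    for name, status in audit(INSTALLED, FIXED):
        print("%-14s %s" % (name, status))
```

The `below-fix-modular` status is the case in this ticket: the comparison alone says "out of date", but the remedy is `dnf module switch-to` on the providing stream rather than a package update, and a scanner that only compares versions cannot tell the two apart.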
Date Modified | Username | Field | Change |
---|---|---|---|
2022-12-21 19:01 | cPanelSrTechAnalysts | New Issue | |
2022-12-22 16:09 | cPanelSrTechAnalysts | Note Added: 0000778 |