View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000644 | AlmaLinux-10 | General | public | 2026-07-03 01:45 | 2026-07-03 01:45 |
| Reporter | shino | Assigned To | |||
| Priority | high | Severity | major | Reproducibility | always |
| Status | new | Resolution | open | ||
| Summary | 0000644: AlmaLinux 10: advisories removed from errata.full.json while their HTML pages remain published — which source is authoritative? | ||||
| Description | I help maintain the data pipeline of an open-source vulnerability scanner https://github.com/future-architect/vuls/ , which consumes https://errata.almalinux.org/10/errata.full.json. Around 2026-05-19..26, the AlmaLinux 10 errata feed went through a large re-curation: - Many published ALSA advisories disappeared from errata.full.json. Our snapshot of 2026-05-21 contained 279 advisories; during that window the feed shrank to roughly 60, and it has since regrown to 264 (as of 2026-07-02). - Some advisories were re-issued under new IDs, in some cases more than once. Example: CVE-2025-13601 was covered by ALSA-2026:0975, which disappeared and is now covered by ALSA-2026:18344. - However, the static HTML pages of the removed advisories are still published: they return HTTP 200 with full content, and they are still listed in the directory index at https://errata.almalinux.org/10/ (504 ALSA-*.html files vs 264 entries in the current feed). Impact: comparing our 2026-05-21 snapshot with the current feed, the removed advisories referenced 434 unique CVEs, of which only 58 are still referenced by any advisory in the current feed. The remaining 376 CVEs are no longer covered at all. For downstream consumers of the feed (security scanners, SBOM/VEX tooling), this is an effective loss of detection coverage for AlmaLinux 10, while the same advisories still look "published" on the website. Questions: 1. Was the removal of these advisories from errata.full.json an intentional retirement/re-curation, or a side effect of how the feed is regenerated? 2. Which source should downstream consumers treat as authoritative: errata.full.json, the HTML pages, or the updateinfo.xml shipped in the repositories? 3. If the retirement is intentional, could the corresponding HTML pages be removed or marked as retired, so the two sources stay consistent? Conversely, if it is not intentional, could the feed be regenerated to include them again? 4. Is there any announcement or changelog describing this re-curation that we could reference? Other examples absent from the feed but live as HTML: - https://errata.almalinux.org/10/ALSA-2025-21013.html (libssh) - https://errata.almalinux.org/10/ALSA-2025-23479.html (openssh) - https://errata.almalinux.org/10/ALSA-2026-13515.html (freeipmi) - https://errata.almalinux.org/10/ALSA-2026-3517.html (thunderbird) | ||||
| Steps To Reproduce | 1. Fetch https://errata.almalinux.org/10/errata.full.json and confirm it contains 264 advisories, none of which is e.g. ALSA-2025:20095. 2. Open https://errata.almalinux.org/10/ALSA-2025-20095.html — the page is still live with full content (Moderate: kernel security update). 3. Compare https://errata.almalinux.org/10/ (directory index, 504 ALSA-*.html files) with the feed (264 entries). | ||||
| Additional Information | Happy to provide the full list of affected advisory IDs / CVEs if useful. | ||||
| Tags | security | ||||