View Issue Details

IDProjectCategoryView StatusLast Update
0000644AlmaLinux-10Generalpublic2026-07-03 01:45
Reportershino Assigned To 
PriorityhighSeveritymajorReproducibilityalways
Status newResolutionopen 
Summary0000644: AlmaLinux 10: advisories removed from errata.full.json while their HTML pages remain published — which source is authoritative?
DescriptionI help maintain the data pipeline of an open-source vulnerability scanner
https://github.com/future-architect/vuls/ , which consumes https://errata.almalinux.org/10/errata.full.json.

Around 2026-05-19..26, the AlmaLinux 10 errata feed went through a large
re-curation:

- Many published ALSA advisories disappeared from errata.full.json.
  Our snapshot of 2026-05-21 contained 279 advisories; during that window
  the feed shrank to roughly 60, and it has since regrown to 264
  (as of 2026-07-02).
- Some advisories were re-issued under new IDs, in some cases more than
  once. Example: CVE-2025-13601 was covered by ALSA-2026:0975, which
  disappeared and is now covered by ALSA-2026:18344.
- However, the static HTML pages of the removed advisories are still
  published: they return HTTP 200 with full content, and they are still
  listed in the directory index at https://errata.almalinux.org/10/
  (504 ALSA-*.html files vs 264 entries in the current feed).

Impact: comparing our 2026-05-21 snapshot with the current feed, the
removed advisories referenced 434 unique CVEs, of which only 58 are still
referenced by any advisory in the current feed. The remaining 376 CVEs are
no longer covered at all. For downstream consumers of the feed (security
scanners, SBOM/VEX tooling), this is an effective loss of detection
coverage for AlmaLinux 10, while the same advisories still look
"published" on the website.

Questions:
1. Was the removal of these advisories from errata.full.json an
   intentional retirement/re-curation, or a side effect of how the feed
   is regenerated?
2. Which source should downstream consumers treat as authoritative:
   errata.full.json, the HTML pages, or the updateinfo.xml shipped in
   the repositories?
3. If the retirement is intentional, could the corresponding HTML pages
   be removed or marked as retired, so the two sources stay consistent?
   Conversely, if it is not intentional, could the feed be regenerated
   to include them again?
4. Is there any announcement or changelog describing this re-curation
   that we could reference?

Other examples absent from the feed but live as HTML:
- https://errata.almalinux.org/10/ALSA-2025-21013.html (libssh)
- https://errata.almalinux.org/10/ALSA-2025-23479.html (openssh)
- https://errata.almalinux.org/10/ALSA-2026-13515.html (freeipmi)
- https://errata.almalinux.org/10/ALSA-2026-3517.html (thunderbird)

Steps To Reproduce1. Fetch https://errata.almalinux.org/10/errata.full.json and confirm it
   contains 264 advisories, none of which is e.g. ALSA-2025:20095.
2. Open https://errata.almalinux.org/10/ALSA-2025-20095.html — the page
   is still live with full content (Moderate: kernel security update).
3. Compare https://errata.almalinux.org/10/ (directory index, 504
   ALSA-*.html files) with the feed (264 entries).
Additional InformationHappy to provide the full list of affected advisory IDs / CVEs if useful.
Tagssecurity

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2026-07-03 01:45 shino New Issue
2026-07-03 01:45 shino Tag Attached: security