I’m currently using https://fedorapeople.org/groups/katello/releases/yum/3.8/client/el7/x86_64 (which does install on CentOS 7 and work) but my Nessus vulnerability scanner is telling me that I’m out of date and vulnerable. Specifically that python-gofer should be 2.12.5-3.el7 and not the 2.12.1-1.el7 version contained in the repo.
What is the proper upstream repo?
Is there a better place to ask/ report? I’m assuming I’m not using the right upstream as opposed to the maintainer needs to update.
Repository was moved to http://yum.theforeman.org/client/1.22/el7/x86_64/, but still contains the version of python-gofer. Not sure who is responsible for it, but looking at the changelog for gofer I would hope @evgeni can help.
Correct, the URL Dirk mentioned is the new one for “all things client” (for both Foreman and Katello), but it still contains the old version of gofer.
We are, in a way, upstream for gofer packaging, as we do it for Pulp. And we even have a build for 2.12.5-3 in our build infra, it just never was copied over from the pulp repo to the foreman/katello one.
I’ll see that this gets fixed soon.
Sorry to bother again - but I don’t see the update in the repo indicated. Do you have an ETA on when I can expect this?
Hey,
we have updated gofer for the upcoming Foreman/Katello release (1.23/3.13) and you can use the repos for that release (https://yum.theforeman.org/client/1.23/el7/x86_64/?C=M;O=D) also on older installations. For the current stable releases they will go out when we do the next z-stream (which for Katello 3.12 should be really soon).
Evgeni
Thanks very much.
I updated my repos and confirmed the vulnerabilities were resolved in Nessus after a yum update from the latest content view.
Just a note (in case anyone has the same issue) I had to also update the GPG and they change per release, which is a little more other than other repos. Granted, the instructions here https://yum.theforeman.org/ are very good and made it easy to find the right key.
Yeah, we sign each release with a separate key and given you were still (officially) on an older release, that key was not imported yet into your system.
Great that it worked for you. Thanks for testing!
I’ve now also pushed the same RPM into 1.22/3.12 