CVE patching strategy


How do you handle patches which should be installed asap on all systems / stages?

I would have to publish a new version of the regarding content views and promote all stages to the same version in order to have the security-patched packets available?

Is there a “convenient” way to handle these CVEs?

Thanks very much!

What you are looking for are the so-called incremental content views, which are created when you want to have an erratum installed on all systems without the full staging process.

This should be the subsection of the documentation for this workflow, but you should probably read the whole section if something is unclear: Content Management Guide


Thank you for your reply.

I see that in our installation only RHEL errata are included.
How could I provide errata for CentOS 7 and CentOS Stream?

If I understood that correctly, this isn’t officially implemented yet, and it seems that there are currently some troubles when using Pulp 3?

Is there another way to provide CVEs in a fast way?

thanks for any input!

Yes, unfortunately CentOS does not provide the updateinfo metadata in their repositories.
I have not needed it in a while, but from different threads here I had the impression that it was working again with pulp 3. But I think @iballou will know this for sure.

But while the GUI has the workflow only implemented for errata, using the API it is also possible for packages. So this could be a workaround if errata support for an OS is not available.


The more convenient way to handle emergency updates is with the incremental update feature. You can add errata or RPMs from main repositories to content view versions directly with it. It will create a “point-release” of the content view version with your added content.

There is a bug around incremental update right now unless you’re using content view filters: Bug #34357: Incremental CV update fails with 400 HTTP error - Katello - Foreman

Related thread: Unable to publish an incremental CV update - #6 by lumarel

We’re working on it right now so it should be addressed soon.
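To make the API-based workaround and the incremental update feature from the two replies above concrete, here is an added example (not from the thread, not Katello's own code) that builds the request body for one incremental update covering every lifecycle environment a content view is promoted to. The endpoint and field names (`POST /katello/api/content_view_versions/incremental_update`, `content_view_version_environments`, `add_content`) are my assumptions about the Katello API; verify them against the API docs of your installed version. The version listing and the erratum id are constructed sample data.

```python
"""Build a Katello incremental-update request that adds errata (or RPMs, the API
workaround for distributions without updateinfo) to all promoted versions at once."""
import json

# Constructed sample shaped like GET /katello/api/content_view_versions?content_view_id=N
# (assumption about the response shape): each version lists where it is promoted.
SAMPLE_VERSIONS = [
    {"id": 41, "version": "12.0",
     "environments": [{"id": 1, "name": "Library"}, {"id": 2, "name": "Dev"}]},
    {"id": 37, "version": "11.0", "environments": [{"id": 3, "name": "Test"}]},
    {"id": 33, "version": "10.0", "environments": [{"id": 4, "name": "Prod"}]},
    {"id": 29, "version": "9.0", "environments": []},  # not promoted anywhere: skipped
]


def version_environments(versions):
    """Group environment ids by the content view version currently serving them.
    Each entry becomes one point release (e.g. 12.1) in exactly those environments."""
    out = []
    for v in versions:
        env_ids = sorted(e["id"] for e in v.get("environments", []))
        if env_ids:
            out.append({"content_view_version_id": v["id"], "environment_ids": env_ids})
    return out


def incremental_update_payload(versions, errata_ids=(), package_ids=(), resolve_deps=True):
    """Body for POST /katello/api/content_view_versions/incremental_update (assumed
    field names). errata_ids are erratum identifiers; package_ids are RPM ids, the
    route the GUI does not expose but the API accepts."""
    add_content = {}
    if errata_ids:
        add_content["errata_ids"] = list(errata_ids)
    if package_ids:
        add_content["package_ids"] = list(package_ids)
    if not add_content:
        raise ValueError("nothing to add: pass errata_ids and/or package_ids")
    targets = version_environments(versions)
    if not targets:
        raise ValueError("content view is not promoted to any environment")
    return {"content_view_version_environments": targets,
            "add_content": add_content,
            "resolve_dependencies": resolve_deps}


if __name__ == "__main__":
    # Constructed erratum id; replace with the real advisory you need to push.
    print(json.dumps(incremental_update_payload(SAMPLE_VERSIONS,
                                                errata_ids=["RHSA-0000:0000"]), indent=2))
```

Post the printed body (with a real session or personal access token) to the endpoint above, or pass the same version/environment pairs to `hammer content-view version incremental-update`; either way each affected version gets a point release instead of a full publish-and-promote cycle.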