Errata RHSA/CESA-2022:8900 patching

Looked at patching this one using Foreman:
https://access.redhat.com/security/cve/CVE-2022-28733
https://access.redhat.com/errata/RHSA-2022:8900

Since this is CentOS 7 the errata is called CESA-2022:8900.
So I applied the patch to a host with REX and see that it uses the command:

yum -y  update-minimal --advisory=CESA-2022:8900

It however did not update anything. Running the same yum command manually returns:

No Packages marked for minimal Update

Looking at what is installed:

# yum list installed grub2
Installed Packages
grub2.x86_64                                                 1:2.02-0.87.0.1.el7.centos.9 

If I run just “yum update grub2” it notices there is the 1:2.02-0.87.0.1.el7.centos.11 update and wants to update it. Does anyone know what is going on here?

# yum update grub2
Resolving Dependencies
--> Running transaction check
---> Package grub2.x86_64 1:2.02-0.87.0.1.el7.centos.9 will be updated
---> Package grub2.x86_64 1:2.02-0.87.0.1.el7.centos.11 will be an update
--> Processing Dependency: grub2-pc = 1:2.02-0.87.0.1.el7.centos.11 for package: 1:grub2-2.02-0.87.0.1.el7.centos.11.x86_64
--> Running transaction check
---> Package grub2-pc.x86_64 1:2.02-0.87.0.1.el7.centos.9 will be updated
---> Package grub2-pc.x86_64 1:2.02-0.87.0.1.el7.centos.11 will be an update
--> Processing Dependency: grub2-common = 1:2.02-0.87.0.1.el7.centos.11 for package: 1:grub2-pc-2.02-0.87.0.1.el7.centos.11.x86_64
--> Processing Dependency: grub2-pc-modules = 1:2.02-0.87.0.1.el7.centos.11 for package: 1:grub2-pc-2.02-0.87.0.1.el7.centos.11.x86_64
--> Processing Dependency: grub2-tools = 1:2.02-0.87.0.1.el7.centos.11 for package: 1:grub2-pc-2.02-0.87.0.1.el7.centos.11.x86_64
--> Processing Dependency: grub2-tools-extra = 1:2.02-0.87.0.1.el7.centos.11 for package: 1:grub2-pc-2.02-0.87.0.1.el7.centos.11.x86_64
--> Processing Dependency: grub2-tools-minimal = 1:2.02-0.87.0.1.el7.centos.11 for package: 1:grub2-pc-2.02-0.87.0.1.el7.centos.11.x86_64
--> Running transaction check
---> Package grub2-common.noarch 1:2.02-0.87.0.1.el7.centos.9 will be updated
---> Package grub2-common.noarch 1:2.02-0.87.0.1.el7.centos.11 will be an update
---> Package grub2-pc-modules.noarch 1:2.02-0.87.0.1.el7.centos.9 will be updated
---> Package grub2-pc-modules.noarch 1:2.02-0.87.0.1.el7.centos.11 will be an update
---> Package grub2-tools.x86_64 1:2.02-0.87.0.1.el7.centos.9 will be updated
---> Package grub2-tools.x86_64 1:2.02-0.87.0.1.el7.centos.11 will be an update
---> Package grub2-tools-extra.x86_64 1:2.02-0.87.0.1.el7.centos.9 will be updated
---> Package grub2-tools-extra.x86_64 1:2.02-0.87.0.1.el7.centos.11 will be an update
---> Package grub2-tools-minimal.x86_64 1:2.02-0.87.0.1.el7.centos.9 will be updated
---> Package grub2-tools-minimal.x86_64 1:2.02-0.87.0.1.el7.centos.11 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

==================================================================================================================================================================
 Package                              Arch                    Version                                          Repository                                    Size
==================================================================================================================================================================
Updating:
 grub2                                x86_64                  1:2.02-0.87.0.1.el7.centos.11                    centos7_updates                   34 k
Updating for dependencies:
 grub2-common                         noarch                  1:2.02-0.87.0.1.el7.centos.11                    centos7_updates                  733 k
 grub2-pc                             x86_64                  1:2.02-0.87.0.1.el7.centos.11                    centos7_updates                   34 k
 grub2-pc-modules                     noarch                  1:2.02-0.87.0.1.el7.centos.11                    centos7_updates                  860 k
 grub2-tools                          x86_64                  1:2.02-0.87.0.1.el7.centos.11                    centos7_updates                  1.8 M
 grub2-tools-extra                    x86_64                  1:2.02-0.87.0.1.el7.centos.11                    centos7_updates                  1.0 M
 grub2-tools-minimal                  x86_64                  1:2.02-0.87.0.1.el7.centos.11                    centos7_updates                  177 k

Transaction Summary
==================================================================================================================================================================
Upgrade  1 Package (+6 Dependent packages)

Total download size: 4.6 M
Is this ok [y/d/N]: 

It seems like the package is available to the host, but the errata itself may not be included in any of the host’s enabled repositories.

If you go in the web UI to Content > Errata and search for that erratum specifically, it’s possible you may not have it. You might need to sync the appropriate repo (and publish a new CV version, if the host isn’t a library host.)

It is there for sure since that is the way I search for Errata to apply:


From here I clicked on the errata and selected one of the hosts in the “Content Hosts” list and hit “Apply to Hosts”.

and selected Confirm and get the “No Packages marked for minimal Update” message.

hmm…

If you click on the errata and view its Packages, what’s listed there?

And do you have any content view filters in use?


From the host:

# yum updateinfo list available | grep CESA-2022:8900
CESA-2022:8900              Important/Sec. grub2-efi-aa64-modules-2.02-0.87.0.1.el7.centos.11.noarch
CESA-2022:8900              Important/Sec. grub2-efi-ia32-2.02-0.87.0.1.el7.centos.11.x86_64
CESA-2022:8900              Important/Sec. grub2-efi-ia32-cdboot-2.02-0.87.0.1.el7.centos.11.x86_64
CESA-2022:8900              Important/Sec. grub2-efi-ia32-modules-2.02-0.87.0.1.el7.centos.11.noarch
CESA-2022:8900              Important/Sec. grub2-efi-x64-2.02-0.87.0.1.el7.centos.11.x86_64
CESA-2022:8900              Important/Sec. grub2-efi-x64-cdboot-2.02-0.87.0.1.el7.centos.11.x86_64
CESA-2022:8900              Important/Sec. grub2-efi-x64-modules-2.02-0.87.0.1.el7.centos.11.noarch
CESA-2022:8900              Important/Sec. grub2-i386-modules-2.02-0.87.0.1.el7.centos.11.noarch
CESA-2022:8900              Important/Sec. grub2-ppc-modules-2.02-0.87.0.1.el7.centos.11.noarch
CESA-2022:8900              Important/Sec. grub2-ppc64-modules-2.02-0.87.0.1.el7.centos.11.noarch
CESA-2022:8900              Important/Sec. grub2-ppc64le-modules-2.02-0.87.0.1.el7.centos.11.noarch

One more command:

yum  update --advisory=CESA-2022:8900
 --> 1:grub2-tools-minimal-2.02-0.87.0.1.el7.centos.9.x86_64 from @centos7-updates-x86-64 removed (updateinfo)
 --> 1:grub2-2.02-0.87.0.1.el7.centos.9.x86_64 from @centos7-updates-x86-64 removed (updateinfo)
 --> 1:grub2-pc-modules-2.02-0.87.0.1.el7.centos.11.noarch from centos7_centos7_updates removed (updateinfo)
 --> 1:grub2-common-2.02-0.87.0.1.el7.centos.9.noarch from @centos7-updates-x86-64 removed (updateinfo)
 --> 1:grub2-tools-2.02-0.87.0.1.el7.centos.9.x86_64 from @centos7-updates-x86-64 removed (updateinfo)
 --> 1:grub2-tools-extra-2.02-0.87.0.1.el7.centos.11.x86_64 from centos7_centos7_updates removed (updateinfo)
 --> 1:grub2-pc-2.02-0.87.0.1.el7.centos.9.x86_64 from @centos7-updates-x86-64 removed (updateinfo)
 --> tzdata-2022f-1.el7.noarch from @centos7_centos7_updates removed (updateinfo)
 --> 1:grub2-tools-2.02-0.87.0.1.el7.centos.11.x86_64 from centos7_centos7_updates removed (updateinfo)
 --> 1:grub2-pc-modules-2.02-0.87.0.1.el7.centos.9.noarch from @centos7-updates-x86-64 removed (updateinfo)
 --> 1:grub2-2.02-0.87.0.1.el7.centos.11.x86_64 from centos7_centos7_updates removed (updateinfo)
 --> 1:grub2-tools-extra-2.02-0.87.0.1.el7.centos.9.x86_64 from @centos7-updates-x86-64 removed (updateinfo)
 --> 1:grub2-tools-minimal-2.02-0.87.0.1.el7.centos.11.x86_64 from centos7_centos7_updates removed (updateinfo)
 --> 1:grub2-pc-2.02-0.87.0.1.el7.centos.11.x86_64 from centos7_centos7_updates removed (updateinfo)
 --> 1:grub2-common-2.02-0.87.0.1.el7.centos.11.noarch from centos7_centos7_updates removed (updateinfo)
 --> tzdata-2022g-1.el7.noarch from centos7_centos7_updates removed (updateinfo)
No packages needed for security; 8 packages available

No content views or filters are used, so the host sees all repos/packages. It seems the problem is only related to this errata. Cannot apply this errata to any of the hosts, but can apply any other errata to the hosts without any problems.
That message “No packages needed for security; 8 packages available” feels a little suspicious.

# yum list-security
CEBA-2022:8785 bugfix tzdata-2022g-1.el7.noarch
updateinfo list done

And of course if I try to apply the CEBA-2022:8785 errata it works:

yum update-minimal --advisory=CEBA-2022:8785

I just do not understand what happened to the CESA-2022:8900. It is like yum for some reason does not consider it a security update even though it is tagged as one everywhere I look.

The “CVEs” are listed as “N/A”; I wonder if that has something to do with it…

I think that is normal for CentOS 7 errata since they are “custom”. Looking at an errata that works fine to apply:


No big deal if it does not work as expected, I guess. I can always just patch it with REX and “yum -y update grub2”.
It could for sure be related to a bug in vmfarms/generate_updateinfo (GitHub), which is perhaps what is used to generate the errata. Looking at the generated XML, I for sure could not see the problem though.

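One check worth making when `update-minimal --advisory` reports nothing to do is whether any package the advisory names in updateinfo is installed at all. The script below is an added example, not part of any post in this thread; the function names are hypothetical, and the sample data is copied (whitespace condensed) from the `yum updateinfo list available` output and the `yum update grub2` transaction quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: which packages named by an advisory in
# updateinfo are actually installed on the host?

# stdin: `yum updateinfo list` lines (ADVISORY TYPE name-version-release.arch)
# stdout: unique package names listed for advisory $1
advisory_names() {
    # sed drops the trailing -version and -release.arch fields
    awk -v adv="$1" '$1 == adv { print $NF }' |
        sed -E 's/-[^-]+-[^-]+$//' | sort -u
}

# $1 advisory id, $2 updateinfo text, $3 installed names (one per line,
# e.g. from: rpm -qa --qf '%{NAME}\n')
# stdout: names that are both listed for the advisory and installed
advisory_overlap() {
    for name in $(printf '%s\n' "$2" | advisory_names "$1"); do
        if printf '%s\n' "$3" | grep -Fxq -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Sample data copied from the outputs quoted in this thread.
UPDATEINFO_SAMPLE='CESA-2022:8900 Important/Sec. grub2-efi-aa64-modules-2.02-0.87.0.1.el7.centos.11.noarch
CESA-2022:8900 Important/Sec. grub2-efi-ia32-2.02-0.87.0.1.el7.centos.11.x86_64
CESA-2022:8900 Important/Sec. grub2-efi-ia32-cdboot-2.02-0.87.0.1.el7.centos.11.x86_64
CESA-2022:8900 Important/Sec. grub2-efi-ia32-modules-2.02-0.87.0.1.el7.centos.11.noarch
CESA-2022:8900 Important/Sec. grub2-efi-x64-2.02-0.87.0.1.el7.centos.11.x86_64
CESA-2022:8900 Important/Sec. grub2-efi-x64-cdboot-2.02-0.87.0.1.el7.centos.11.x86_64
CESA-2022:8900 Important/Sec. grub2-efi-x64-modules-2.02-0.87.0.1.el7.centos.11.noarch
CESA-2022:8900 Important/Sec. grub2-i386-modules-2.02-0.87.0.1.el7.centos.11.noarch
CESA-2022:8900 Important/Sec. grub2-ppc-modules-2.02-0.87.0.1.el7.centos.11.noarch
CESA-2022:8900 Important/Sec. grub2-ppc64-modules-2.02-0.87.0.1.el7.centos.11.noarch
CESA-2022:8900 Important/Sec. grub2-ppc64le-modules-2.02-0.87.0.1.el7.centos.11.noarch'
INSTALLED_SAMPLE='grub2
grub2-common
grub2-pc
grub2-pc-modules
grub2-tools
grub2-tools-extra
grub2-tools-minimal'

overlap=$(advisory_overlap CESA-2022:8900 "$UPDATEINFO_SAMPLE" "$INSTALLED_SAMPLE")
echo "installed packages named by CESA-2022:8900: ${overlap:-none}"
```

With the thread's data the overlap is empty: none of the seven grub2 packages that `yum update grub2` wants to upgrade appears in the advisory's package list as quoted.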