Problem:
Our security group is complaining about a vulnerability in rh-postgresql12-5. There is no update in rh-postgresql12. We also sync postgresql.org v.12 packages. Is there anything special about rh-postgresql12 or can we switch to postgresql.org to obtain current 12-7 packages?
Expected outcome:
Keep our security group quiet.
Foreman and Proxy versions:
2.3.5
Foreman and Proxy plugin versions:
consistent with foreman 2.3.5
My opinion or yours about the severity of these issues is not relevant. Our environment is audited quarterly against various criteria and compliance is not optional.
No, the Postgresql packages come from SCLo, so whatever Oracle is doing does not matter. In any case, I would certainly not expect Oracle to make any effort to support Postgresql more than they must.
The majority of our systems are RHEL 7 & 8. The Foreman server is a legacy system. We have plans to migrate it to RHEL 8, but have not yet done that.
If you have a security department which cares about this, I’d strongly consider using RHEL. SCLo doesn’t really give any guarantees about security updates and it looks like Oracle doesn’t rebuild the Red Hat collections.
That is correct. If you do encounter any problems on RHEL, that’s a bug we must resolve.
As for CentOS SCLo: looking at their CI, it appears they have built 12.7 packages, but they have not yet been released. SpecialInterestGroup/SCLo - CentOS Wiki suggests you can get them from testing:
@ekohl - Thanks for that. Our procedures do not allow unreleased packages but this information is sufficient to placate them until release. I’ll do what I can to accelerate transition.
Thanks, @gvde. I was able to patch this morning before AWX started the monthly publish/promote cycle. That should keep Security happy until they’re not.