Postgresql 12 packages

Problem:
Our security group is complaining about a vulnerability in rh-postgresql12-5. There is no update in rh-postgresql12. We also sync postgresql.org v.12 packages. Is there anything special about rh-postgresql12 or can we switch to postgresql.org to obtain current 12-7 packages?

Expected outcome:
Keep our security group quiet.

Foreman and Proxy versions:
2.3.5

Foreman and Proxy plugin versions:
consistent with foreman 2.3.5

Distribution and version:
OL7.9

Other relevant data:

N/A

At least today we only create an RPM for postgresql-evr in rh-postgresql12. This is also why our installer doesn’t really support using the postgresql.org packages. In theory you could add settings to custom-hiera.yaml (pretty much undo foreman-installer/RedHat-7.yaml at 8362b7259643bc2191595043b2f25a46a91ac73e · theforeman/foreman-installer · GitHub) but then you also need to provide the evr package.

Perhaps you can share which CVE they’re complaining about. Then we can see what the plan is to fix this in rh-postgresql12.

They cite:
CVE-2021-32027 (CVE-2021-32027 : A flaw was found in postgresql in versions before 13.3, before 12.7, before 11.12, before 10.17 and before 9.6.22. While)
CVE-2021-3393 (CVE-2021-3393 : An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11. A user having UP)

My opinion or yours about the severity of these issues is not relevant. Our environment is audited quarterly against various criteria and compliance is not optional.

RedHat updated to 12.7: Red Hat Customer Portal - Access to 24x7 support and knowledge

So it’s just a matter of time until it gets into CentOS SCLo?


Indeed, this should be fixed in RHEL already. I don’t know Oracle’s policies around rebuilding, but that’s where you should be looking IMHO.

No, the Postgresql packages come from SCLo, so whatever Oracle is doing does not matter. In any case, I would certainly not expect Oracle to make any effort to support Postgresql more than they must.
The majority of our systems are RHEL 7 & 8. The Foreman server is a legacy system. We have plans to migrate it to RHEL 8, but have not yet done that.

@ekohl - “Perhaps you can share which CVE they’re complaining about. Then we can see what the plan is to fix this in rh-postgresql12.”

Is this something you will do? If I can provide a timeline and explanation to Security, I can obtain a temporary waiver.

As @gvde said: it’s already fixed in RHEL.

If you have a security department which cares about this, I’d strongly consider using RHEL. SCLo doesn’t really give any guarantees about security updates and it looks like Oracle doesn’t rebuild the Red Hat collections.

As noted above, we are transitioning Foreman to RHEL but are not yet there.

So, postgresql-evr supplied in pulpcore will work with RHEL Postgresql12 packages but not those from postgresql.org?

Apologies, I missed that line.

That is correct. If you do encounter any problems on RHEL, that’s a bug we must resolve.

As for CentOS SCLo: looking at their CI it appears they have built 12.7 packages, but these have not yet been released. SpecialInterestGroup/SCLo - CentOS Wiki suggests you can get them from testing:

yum-config-manager --enable centos-sclo-rh-testing
yum update rh-postgresql12*
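Once the 12.7 packages land (from testing or from the released SCLo repo), the thing an auditor actually wants is proof that the installed rh-postgresql12 version is at or above the "fixed in" version each cited CVE names for the 12.x branch (12.7 for CVE-2021-32027, 12.6 for CVE-2021-3393, per the CVE texts quoted above). The script below is an added example, not part of this thread or of the Foreman installer: it parses the output of `rpm -qa 'rh-postgresql12-*'` (a constructed sample is embedded so it runs offline), compares the server package version against those thresholds with a small POSIX version comparator, and reports which CVEs are still unpatched. The function names and the sample package list are assumptions made for the example.

```sh
#!/bin/sh
# Added example: verify an rh-postgresql12 install against the CVE fixed-in
# versions cited in the thread. Not code from the thread or from Foreman.

# Constructed sample standing in for:  rpm -qa 'rh-postgresql12-*'
# (a host still on 12.5, i.e. before both fixes)
SAMPLE_RPMS='rh-postgresql12-runtime-3.5-1.el7.x86_64
rh-postgresql12-postgresql-12.5-1.el7.x86_64
rh-postgresql12-postgresql-server-12.5-1.el7.x86_64
rh-postgresql12-postgresql-libs-12.5-1.el7.x86_64'

# vercmp A B -> prints -1, 0 or 1 for dotted numeric versions (12.10 > 12.7)
vercmp() {
  a="$1" b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    if [ "$a" = "$ai" ]; then a=''; else a=${a#*.}; fi
    if [ "$b" = "$bi" ]; then b=''; else b=${b#*.}; fi
    ai=${ai:-0}; bi=${bi:-0}
    if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
    if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
  done
  echo 0
}

# pg_version_from_rpms LIST -> upstream version of rh-postgresql12-postgresql-server
pg_version_from_rpms() {
  printf '%s\n' "$1" |
    sed -n 's/^rh-postgresql12-postgresql-server-\([0-9][0-9.]*\)-.*$/\1/p'
}

# unpatched_cves VERSION -> space-separated CVEs whose 12.x fix is newer than VERSION
# Thresholds are the "before 12.x" values from the CVE descriptions cited above.
unpatched_cves() {
  v="$1"; out=''
  for entry in 'CVE-2021-32027:12.7' 'CVE-2021-3393:12.6'; do
    cve=${entry%%:*}; fixed=${entry#*:}
    if [ "$(vercmp "$v" "$fixed")" -lt 0 ]; then
      out="$out$cve "
    fi
  done
  printf '%s' "${out% }"
}

# Usage: on a real host replace SAMPLE_RPMS with "$(rpm -qa 'rh-postgresql12-*')"
installed=$(pg_version_from_rpms "$SAMPLE_RPMS")
missing=$(unpatched_cves "$installed")
if [ -n "$missing" ]; then
  echo "rh-postgresql12 $installed still lacks fixes for: $missing"
else
  echo "rh-postgresql12 $installed covers the cited CVEs"
fi
```

The comparator deliberately looks only at the upstream version (the part before the first `-`), not the RPM release field, because the CVE texts are stated in upstream version terms; if a vendor backports a fix without bumping the upstream version, this check will report a false "unpatched" and the vendor errata is the authority instead.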

@ekohl - Thanks for that. Our procedures do not allow unreleased packages but this information is sufficient to placate them until release. I’ll do what I can to accelerate transition.

I was told that it may be an infra issue and was advised to open an issue:
https://pagure.io/centos-infra/issue/381

Thanks, again, @ekohl. I’ll watch for release.

It seems the new version is available in CentOS SCLo RH now.

Thanks, @gvde. I was able to patch this morning before AWX started the monthly publish/promote cycle. That should keep Security happy until they’re not.