python-gofer-2.12.5-3.el7 and python-gofer-qpid-2.12.5-3.el7 found vulnerable in security vulnerability scan

Hello,

python-gofer-2.12.5-3.el7 and python-gofer-qpid-2.12.5-3.el7 are found vulnerable in a security vulnerability scan. Is it safe to remove them, since we are not using the Katello agent?
I could not find the updated packages in the Pulp repository. If removing the packages is not safe, may I know when updated packages will be available?

Problem: python-gofer-2.12.5-3.el7 and python-gofer-qpid-2.12.5-3.el7 found vulnerable in a security vulnerability scan

Expected outcome: An updated version of the python-gofer and python-gofer-qpid packages, or confirmation that it is okay to remove the packages python-gofer-2.12.5-3.el7 and python-gofer-qpid-2.12.5-3.el7 since we are not using the Katello agent.

Foreman and Proxy versions: 2.1.4

Foreman and Proxy plugin versions: 2.1.4, Katello 3.16.1.2, foreman-tasks 2.0.2, foreman_docker 5.0.0

Distribution and version: Red Hat Enterprise Linux 7.9

Other relevant data:

Thanks in advance,
Balaji Sankaran.

Hello,

I don’t believe these packages can be removed from the Katello server since they’re used by Pulp. What exactly is the security concern that your tool is reporting?

Hello Jonathan,

The security vulnerabilities scan report came up with vulnerability title “Red Hat: CVE-2019-3845: Important: Red Hat Satellite Tools security update (RHSA-2019:1223)”, vulnerability proof “Vulnerable OS: Red Hat Enterprise Linux 7.9, python-gofer - version 2.12.5-3.el7 is installed”, vulnerability CVSS Score “5.2”.

Best regards,
Balaji.

Well, check the Red Hat page on CVE-2019-3845. It has been fixed with errata RHSA-2019:1223, which includes gofer-2.12.5-3. So basically version 2.12.5-3 is the fixed version for that CVE. I don’t know why your scanner thinks 2.12.5-3 is vulnerable to CVE-2019-3845. To me, it looks fine if the information from Red Hat is correct.

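To make the check in the reply above repeatable (is the installed EVR at or above the errata's fixed EVR?), here is an added example that is not from this thread: a simplified Python port of librpm's rpmvercmp plus an EVR comparison. The fixed version 2.12.5-3 comes from the reply; the '^' marker that newer rpm releases support is deliberately not handled.

```python
import re

def rpmvercmp(a: str, b: str) -> int:
    """librpm-style comparison of two version/release strings: -1, 0 or 1.
    Separators are skipped; numeric segments compare as integers, alphabetic
    ones lexically; numeric beats alphabetic; '~' sorts before anything."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1                          # skip '.', '-', '_' and the like
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        if a[i:i + 1] == "~" or b[j:j + 1] == "~":
            if a[i:i + 1] != "~":
                return 1                    # only b carries '~' (pre-release), so a is newer
            if b[j:j + 1] != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pat = r"\d+" if isnum else r"[A-Za-z]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        if mb is None:                      # one side numeric, the other alphabetic
            return 1 if isnum else -1
        sa, sb = ma.group(), mb.group()
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if j >= len(b) else -1         # whoever has characters left wins

def split_evr(evr: str):  # 'epoch:version-release' -> (epoch, version, release)
    epoch, version = ("0", evr) if ":" not in evr else evr.split(":", 1)
    version, _, release = version.partition("-")
    return epoch, version, release

def is_fixed(installed: str, fixed: str) -> bool:  # installed EVR >= fixed EVR?
    for x, y in zip(split_evr(installed), split_evr(fixed)):
        if (c := rpmvercmp(x, y)) != 0:
            return c > 0
    return True
```

With the thread's values, is_fixed("2.12.5-3.el7", "2.12.5-3") returns True, while a constructed older build such as is_fixed("2.12.2-1.el7", "2.12.5-3") returns False.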

Hello Jonathan,

Thank you for pointing out the Errata RHSA-2019:1223.

Best regards,
Balaji.