python-gofer-2.12.5-3.el7 and python-gofer-qpid-2.12.5-3.el7 were flagged as vulnerable in a security vulnerability scan. Is it safe to remove them, since we are not using the Katello agent?
I could not find updated packages available in the Pulp repository. If removing the packages is not safe, may I know when updated packages will be available?
Problem: python-gofer-2.12.5-3.el7 and python-gofer-qpid-2.12.5-3.el7 were found vulnerable in a security vulnerability scan.
Expected outcome: An updated version of the python-gofer and python-gofer-qpid packages, or confirmation that it is okay to remove the packages python-gofer-2.12.5-3.el7 and python-gofer-qpid-2.12.5-3.el7 since we are not using the Katello agent.
I don’t believe these packages can be removed from the Katello server since they’re used by Pulp. What exactly is the security concern that your tool is reporting?
The security vulnerabilities scan report came up with vulnerability title “Red Hat: CVE-2019-3845: Important: Red Hat Satellite Tools security update (RHSA-2019:1223)”, vulnerability proof “Vulnerable OS: Red Hat Enterprise Linux 7.9, python-gofer - version 2.12.5-3.el7 is installed”, vulnerability CVSS Score “5.2”.
Well, check the Red Hat page on CVE-2019-3845. It has been fixed with errata RHSA-2019:1223, which includes gofer-2.12.5-3. So basically version 2.12.5-3 is the fixed version for that CVE. I don’t know why your scanner thinks 2.12.5-3 is vulnerable to CVE-2019-3845. To me, it looks fine if the information from Red Hat is correct.
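When a scanner flags a package by name and version, the check a defender can repeat by hand is the one the reply above describes: compare the installed epoch/version/release against the version the errata says is fixed, using RPM's own ordering rules rather than a string match. The following is an added example, not code from this thread or from the Foreman/Katello or gofer projects. It reimplements the `rpmvercmp` label comparison in plain Python (tilde handled, caret not) and treats the fixed version as `2.12.5-3`, exactly as stated in the reply; that fixed version is taken from the thread, not verified against the errata here, and the errata's exact release string may differ.

```python
"""Compare installed RPM EVRs against an errata's fixed EVR (rpmvercmp in Python)."""
import re

NAME_VERSION_RELEASE = 2  # a NEVR string splits on the last two dashes


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpm's rpmvercmp(): compare segment by segment,
    numeric segments numerically, alpha segments lexically, '~' sorts first."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators (anything that is not alphanumeric or a tilde).
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # Tilde: a version with '~' here is older than anything else, even end of string.
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Grab the next segment of the same kind (digits or letters) from both.
        numeric = a[i].isdigit()
        kind = str.isdigit if numeric else str.isalpha
        ia, jb = i, j
        while i < len(a) and kind(a[i]):
            i += 1
        while j < len(b) and kind(b[j]):
            j += 1
        seg_a, seg_b = a[ia:i], b[jb:j]
        if not seg_b:
            # Different segment kinds: a numeric segment beats an alpha one.
            return 1 if numeric else -1
        if numeric:
            na, nb = int(seg_a), int(seg_b)
            if na != nb:
                return 1 if na > nb else -1
        elif seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever side still has characters left is the newer one.
    return -1 if i >= len(a) else 1


def parse_evr(evr: str):
    """Split '[epoch:]version-release' into (epoch:int, version, release)."""
    m = re.fullmatch(r"(?:(\d+):)?([^-]+)(?:-(.+))?", evr)
    if not m:
        raise ValueError(f"not an EVR string: {evr!r}")
    epoch, version, release = m.groups()
    return int(epoch or 0), version, release or ""


def compare_evr(a: str, b: str) -> int:
    """Order two EVR strings the way rpm does: epoch, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def split_nevr(nevr: str):
    """'python-gofer-2.12.5-3.el7' -> ('python-gofer', '2.12.5-3.el7')."""
    name, version, release = nevr.rsplit("-", NAME_VERSION_RELEASE)
    return name, f"{version}-{release}"


def is_fixed(installed_nevr: str, fixed_evr: str) -> bool:
    """True when the installed package is at or above the errata's fixed EVR."""
    _, installed_evr = split_nevr(installed_nevr)
    return compare_evr(installed_evr, fixed_evr) >= 0


if __name__ == "__main__":
    # Constructed inputs: the packages named in the thread, and the fixed
    # version as quoted in the reply (an assumption, not the errata text).
    fixed = "2.12.5-3"
    for pkg in ("python-gofer-2.12.5-3.el7", "python-gofer-qpid-2.12.5-3.el7",
                "python-gofer-2.12.4-1.el7"):
        print(pkg, "fixed" if is_fixed(pkg, fixed) else "below fixed version")
```

A scanner that matches on the bare version string, or on the package name alone, will report the installed `2.12.5-3.el7` as affected even though it orders at or above `2.12.5-3`; running the comparison yourself is the quickest way to tell a real gap from a scanner false positive before deciding whether a package needs updating or removal.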