CVE shows as High vulnerability but REDHAT says not affected? #24
Comments
@kmeekva, thanks for raising this. Would it be possible to get a pointer to a public image to verify those issues against? I’m happy to take a look. Alternatively a Thanks again.
I've tried with the following
The resulting image now contains
and
The CVEs are reported against
Please feel free to re-open in case this is still an issue.
RedHat claims that their "fix" for this CVE is included with the -5 version of this package. See the updated packages tab on this page. https://access.redhat.com/errata/RHSA-2021:1631 Because RH 8 is a long term support release they often back port fixes keeping the older version numbered release installed -- they add a -## to the package name that contains the fixes. In this case their version -5 is supposed to include the fix for this CVE, but the system is still running the 1.24.2 version -- but with their fixes backported. So the older package: It looks like their "fixed" RPM does include the files that are triggering your hit.

yum provides /usr/lib/python3.6/site-packages/urllib3-1.24.2-py3.6.egg-info/PKG-INFO
python3-urllib3-1.24.2-5.el8.noarch : Python3 HTTP library with thread-safe connection pooling and file post

@cdupuis Not sure how to re-open this?
We are running RedHat 8
The package python3-urllib3-1.24.2-5.el8.noarch is installed.
Scout is showing 3 vulnerabilities for this package:
=============
0C 1H 2M 0L urllib3 1.24.2
pkg:pypi/urllib3@1.24.2
=================
For the first one -- https://scout.docker.com/v/CVE-2021-33503 Redhat website says the first is Not Affected
For the 2nd one https://access.redhat.com/security/cve/CVE-2020-26137
Redhat says it is addressed in the version we have installed: https://access.redhat.com/errata/RHSA-2021:1631
(If you click on updated packages it shows python-urllib3-1.24.2-5.el8.src.rpm as being updated.)
For the 3rd one https://scout.docker.com/vulnerabilities/id/CVE-2019-11236
It says <1.24.2-2.el8 is vulnerable -- we have python3-urllib3-1.24.2-5.el8.noarch which is greater -- and is the patched version.
Not sure why these are showing as vulnerabilities when we have patched version from redhat.
Could be something to do with the "version" shown in scout finding only has the point release and not the - redhat modified version that contains the backport of the fixes.
e.g. SCOUT thinks we have pkg:pypi/urllib3@1.24.2 but we have 1.24.2-5
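To make the version mismatch described in this issue concrete, here is an added example (not Docker Scout's code, nor Red Hat's) that parses the installed RPM NEVRA, shows what is lost when it is reduced to a `pkg:pypi/urllib3@1.24.2` PURL, and compares the full epoch:version-release against an advisory's fixed bound using a simplified rpm-style version comparison (digit runs compared numerically, letter runs lexically; tilde/caret handling is omitted). The fixed bounds in `ADVISORY_FIXED` are constructed from statements in this issue (`<1.24.2-2.el8` vulnerable for CVE-2019-11236; `-5.el8` from RHSA-2021:1631 for CVE-2020-26137) and are assumptions for illustration, not a parsed copy of the Red Hat advisories.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the NEVRA reported in this issue.
INSTALLED_NEVRA = "python3-urllib3-1.24.2-5.el8.noarch"

# Assumed fixed-version bounds, taken from the issue text (not fetched from Red Hat).
ADVISORY_FIXED = {
    "CVE-2019-11236": "1.24.2-2.el8",  # issue: "<1.24.2-2.el8 is vulnerable"
    "CVE-2020-26137": "1.24.2-5.el8",  # issue: RHSA-2021:1631 ships the -5 build
}


@dataclass(frozen=True)
class Nevra:
    name: str
    epoch: int
    version: str
    release: str
    arch: str


# name-[epoch:]version-release.arch ; release may contain dots, arch may not.
NEVRA_RE = re.compile(
    r"^(?P<name>.+)-(?:(?P<epoch>\d+):)?(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$"
)


def parse_nevra(s: str) -> Nevra:
    m = NEVRA_RE.match(s)
    if not m:
        raise ValueError(f"not a NEVRA string: {s!r}")
    return Nevra(m["name"], int(m["epoch"] or 0), m["version"], m["release"], m["arch"])


def purl_from_nevra(nevra: str) -> str:
    """Mimic a scanner that maps the RPM to a PyPI PURL: the distro release tag is dropped."""
    n = parse_nevra(nevra)
    pypi_name = n.name[len("python3-"):] if n.name.startswith("python3-") else n.name
    return f"pkg:pypi/{pypi_name}@{n.version}"


def _segments(s: str):
    # Split into digit runs and letter runs; separators such as '.' are ignored.
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm version comparison: -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit():
            return 1  # a numeric segment sorts after an alphabetic one
        elif y.isdigit():
            return -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_evr(s: str):
    epoch = 0
    if ":" in s:
        e, s = s.split(":", 1)
        epoch = int(e)
    version, _, release = s.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


def is_fixed(installed_nevra: str, fixed_evr: str) -> bool:
    """True when the installed epoch:version-release is at or above the advisory's fixed bound."""
    n = parse_nevra(installed_nevra)
    return evr_cmp(f"{n.epoch}:{n.version}-{n.release}", fixed_evr) >= 0


def triage(installed_nevra: str, advisory: dict) -> dict:
    """Per-CVE verdict using the full RPM release, not the bare upstream version."""
    return {cve: is_fixed(installed_nevra, fixed) for cve, fixed in advisory.items()}


if __name__ == "__main__":
    print("scanner sees:", purl_from_nevra(INSTALLED_NEVRA))
    print("installed:   ", parse_nevra(INSTALLED_NEVRA))
    print("triage:      ", triage(INSTALLED_NEVRA, ADVISORY_FIXED))
```

Running it prints the PURL without the `-5.el8` release tag, then a per-CVE verdict computed against the full release. The point for triage is the second line: once the distro release is kept, both CVEs listed above compare as fixed on this host, which is the reconciliation step a scanner skips when it keys findings on the upstream PyPI version alone.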