Explanation of RHSA, RHBA, and RHEA advisories

Updated -

Explanation of RHSA, RHBA, and RHEA advisories

This article explains the differences between RHSA, RHBA, and RHEA advisories. Additionally, the article covers the numbering and renaming of advisories.

What are RHSA, RHBA, and RHEA advisories?

  • RHSA (Red Hat Security Advisory): RHSA advisories contain one or more security fixes, and can also contain bug or enhancements fixes. RHSA advisories outrank both RHBA and RHEA advisories in priority.
  • RHBA (Red Hat Bug Advisory): RHBA advisories always contain one or more bug fixes, may contain enhancements, but do not contain security fixes. Because RHBA advisories are released for bug fixes, an RHBA outranks a RHEA advisory in priority.
  • RHEA (Red Hat Enhancement Advisory): RHEA advisories contain one or more enhancements or new features, and they do not contain bug fixes or security fixes. Essentially, a RHEA is released when new features are added and an updated package is shipped.

Note: Red Hat also uses the term errata as well as advisory; these terms are basically interchangeable. The advisory is the published text; the errata is the packaged release.

What happens if an RHEA or an RHBA is found to have fixed a security flaw?

Sometimes, due to code rebases or software changes later being found to have a security impact, an RHEA or RHBA also addresses a security flaw. For example, CVE-2015-5201 updated packages for the rhev-hypervisor package (essentially a stripped-down Red Hat Enterprise Linux system image designed to provide a host for virtual machines) which were already included in RHEA-2015:2527. The CVE was therefore retroactively added to the RHEA advisory (as can be seen on its web page). However, because the type of advisory (RHEA, RHBA, or RHSA) is part of its URL, the advisory itself is not relabeled as an RHSA to avoid confusion.

How does advisory numbering work?

All advisories are given a year and a sequential number, which starts at 0001 and ends at the number of advisories shipped for that year. So the first advisory may be an RHBA, the second a RHEA, and the third an RHSA, and all are given numbers in the same sequence. This explains why RHSA numbers often skip ahead; the intervening numbers are simply used for RHBA and RHEA advisories. Also, please note that although most advisory numbers are typically assigned shortly before the advisory is released, some are assigned in advance, so when you look at advisories in chronological order, they may not be in numerical order.