Red Hat Security Metadata Changelog


This page provides a changelog for Red Hat security metadata. It mostly covers the files present on and linked from the Red Hat Security Data page, as well as the content displayed on CVE pages.

Oct 13, 2021


  • Vulnerability definitions inside *-including-unpatched-* OVAL files now include a list of resolutions for each affected component for all unfixed CVEs. The resolutions match those listed on the CVE page and are one of: Affected, Under investigation, Will not fix, Out of support scope, and Fix deferred. CVEs that do not affect a particular product and component continue to be listed in vulnerability definitions within the com.redhat.unaffected namespace.

  • OVAL v2 files are now served with a correct content type: application/x-bzip2 instead of application/x-tar.
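
Added example (not Red Hat code): a consumer-side sketch for the two changes above that checks the bzip2 magic bytes rather than trusting the content type, then groups unfixed components by resolution. The sample document is constructed, and the element layout (<affected>, <resolution state="...">, <component>) and the definition id format are assumptions, since this page does not show them.

```python
import bz2
import xml.etree.ElementTree as ET
from collections import defaultdict

# Resolution values exactly as listed in the changelog entry above.
STATES = {"Affected", "Under investigation", "Will not fix",
          "Out of support scope", "Fix deferred"}

# Constructed sample, NOT real Red Hat data. The <affected>/<resolution>/
# <component> layout and the id format are assumptions made for this example.
SAMPLE_XML = b"""<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 <definitions>
  <definition class="vulnerability" id="oval:com.redhat.cve:def:1">
   <metadata><title>CVE-0000-0001 (constructed)</title><advisory><affected>
     <resolution state="Will not fix"><component>examplepkg</component></resolution>
     <resolution state="Affected"><component>otherpkg</component>
       <component>otherpkg-libs</component></resolution>
   </affected></advisory></metadata>
  </definition>
  <definition class="vulnerability" id="oval:com.redhat.unaffected:def:2">
   <metadata><title>CVE-0000-0002 (constructed)</title></metadata>
  </definition>
 </definitions>
</oval_definitions>"""
SAMPLE_BZ2 = bz2.compress(SAMPLE_XML)

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def resolutions_by_state(blob):
    """Return {state: [(definition title, component), ...]} for unfixed CVEs."""
    if blob[:3] != b"BZh":  # bzip2 magic; do not rely on the HTTP content type
        raise ValueError("not a bzip2 stream")
    # ElementTree does not limit entity expansion: parse trusted feeds only.
    root = ET.fromstring(bz2.decompress(blob))
    out = defaultdict(list)
    for d in root.iter():
        # Definitions in the com.redhat.unaffected namespace are not findings.
        if local(d.tag) != "definition" or ":com.redhat.unaffected:" in d.get("id", ""):
            continue
        title = next((e.text for e in d.iter() if local(e.tag) == "title"), d.get("id"))
        for r in (e for e in d.iter() if local(e.tag) == "resolution"):
            if r.get("state") not in STATES:  # fail loudly on an unknown state
                raise ValueError(f"unexpected resolution state: {r.get('state')!r}")
            out[r.get("state")] += [(title, c.text) for c in r if local(c.tag) == "component"]
    return dict(out)
```

Rejecting unknown resolution values, instead of silently skipping them, keeps a triage report from dropping findings if the set of states changes.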

Aug 26, 2021

Security Data files are now available from the domain (e.g. /oval/v2/RHEL8). Index pages are no longer rendered using Apache HTTPD but are generated for each directory using fancy-index as inspiration.


  • Advisories use container image names (e.g. openshift4/network-tools-rhel8:v4.7.0-202105071917.p0) instead of build NVR (e.g. ose-network-tools-container-v4.7.0-202105071917.p0) in <FullProductName> elements that specify components.


April 26, 2021


  • The cve elements in the advisory node now use the product-specific security impact when available (normally used when the impact on the product is lower than the general impact of the vulnerability itself).

April 20, 2021


  • Include affected_cpe_list element in vulnerability definitions inside *-including-unpatched-* OVAL files.
  • Add a check for Red Hat CoreOS 4 to all RHEL-8 OVAL files. This enables use of RHEL 8 OVAL files to test Red Hat CoreOS installations.

February 2, 2021


  • Include cve elements in metadata for vulnerability definitions inside *-including-unpatched-* OVAL files.
  • Include updated element in metadata for vulnerability definitions inside *-including-unpatched-* OVAL files.
  • Correct the severity and title of each advisory element to use the correct security impact on a per-product basis in *-including-unpatched-* OVAL files. This impact should match the respective product CVE impact shown on CVE pages.
  • Provide a corrected list of cpe elements in affected_cpe_list for each advisory in fixed OVAL files. This is mostly important for extended update support releases, which combine content from earlier releases and used to include an incorrect list of CPEs.

January 19, 2021


  • The <bugzilla> elements in the <advisory> node now include only Bugzilla bug IDs related to CVEs addressed in the related advisory.
  • The cve elements in the advisory node now specify a full CWE chain instead of individual whitespace-separated CWE IDs.
  • *-debuginfo-* packages are now excluded from *-including-unpatched-* OVAL files (they are already excluded from all other OVAL files).
  • Kernel live patching (kpatch) advisories are now included in OVAL files. Some caveats for OVAL scanning and kpatch are documented in the Customer Portal.

December 9, 2020

This is an initial changelog summarizing changes for the past year.


  • OVAL tests for kernel-rt packages are corrected for some corner cases.
  • Additional unfixed OVAL streams for several products are now available.
  • In select cases, more granular information is available for impacted binary packages (usually excluding packages such as kernel-headers from OVAL tests).


  • CVRF documents are now available for advisories released before 2010.
  • CPE identifiers are now present in <FullProductName> nodes.
  • Container images are now partially supported in CVRF documents.


  • Addition of repository-to-cpe.json file which can be used to help identify OVAL streams to use for scanning.
  • Order cpe-dictionary.xml alphabetically.
  • CVE pages with incorrect impact caused by impact changing to none after initial investigation are now fixed.
  • Core OS packages are now listed in affected packages on CVE pages.