Red Hat Security Data Changelog
Updated -
This page provides a changelog for Red Hat security metadata. This mostly covers files present and linked from Red Hat Security Data page as well as content displayed on CVE pages and announcements sent to the rhsa-announce mailing list.
May 18, 2023
SBOM
- Software Bill Of Material (SBOM) files are now available for most Red Hat offerings in beta form at https://access.redhat.com/security/data/sbom/beta/spdx/.
Metadata
- A security.txt file is now available under https://www.redhat.com/.well-known/security.txt; see https://securitytxt.org/ and RFC 9116 for more information.
April 28, 2023
SBOM
- Software Bill Of Material (SBOM) files are now available for core Red Hat offerings in beta form at https://access.redhat.com/security/data/sbom/beta/spdx/. For more information about these files as well as changes that are coming to the rest of security data, please see The future of Red Hat security data blog post.
April 5, 2023
OVAL
- OVAL v1 content is no longer being updated; see https://access.redhat.com/OVAL_v1_deprecation_announcement for more information.
- EUS-specific repositories (e.g. rhel-9-for-x86_64-highavailability-eus-rpms) in the repository-to-cpe.json file no longer include non-EUS CPEs (e.g. cpe:/a:redhat:enterprise_linux:9::highavailability).
CVE
- External References of each CVE page now include links to the same CVE in the CVE List and NIST NVD.
March 7, 2023
CSAF/VEX
- Per-year folders now correctly use the year that the advisory was issued, not the year that is part of its ID.
- The changes.csv file now uses correctly quoted fields and an ISO 8601 date-time format.
- The description of the Issuing Authority has been updated.
- The canonical URL in each advisory was corrected.
- Unfixed/unaffected components are no longer listed in the vendor_fix remediation listed for each vulnerability.
Data Files
- The cvemap.xml file is now available in compressed form: cvemap.xml.bz2. It is recommended to migrate your scripts to use this file; the uncompressed version may be removed in the near future.
February 1, 2023
CSAF/VEX
- CSAF files using the VEX profile are now available at https://access.redhat.com/security/data/csaf/v2/advisories/ for production use. These files contain vulnerability information for each released Red Hat security advisory. For more information, see the CSAF VEX documents now generally available blog post.
December 7, 2022
OVAL
- The repository-to-cpe.json file now includes a new attribute (repo_relative_urls) for each CDN repository that contains a list of relative URLs pointing to that CDN repo. These URLs can be used instead of the CDN repo names to uniquely identify a repo and map it to a CPE.
- CPEs for products that have not yet been released are no longer included in the repository-to-cpe.json file; similarly, OVAL stream files for such products are not generated either (SECDATA-14).
- Removed the following CPE lists for retired products that were available under /security/data/metrics/: cpelist-critical-browsers.txt, cpelist-critical-helix.txt, cpelist-critical-moz.txt, cpelist-rhel4.8as-default-install.txt, cpelist-rhel4as-default-install.txt, cpelist-rhel4ws-default-install.txt, cpelist-rhel4ws-full-install.txt, cpelist-rhel5.6eus.txt, cpelist-rhel5server-default-install.txt, cpelist-rhel5server-u6-default-install.txt, cpelist-sjis.txt.
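The repository-to-cpe.json entries above are what a scanner uses to decide which OVAL streams apply to a host. The following is an added example (not Red Hat's code) that indexes a constructed sample of the file by both CDN repo name and repo_relative_urls entry, then resolves a host's enabled repos to CPEs with exact lookups only; the file layout {"data": {<repo name>: {"cpes": [...], "repo_relative_urls": [...]}}} and the URL values are assumptions.

```python
import json

# Constructed sample in the assumed shape of repository-to-cpe.json; the
# relative URL values are made up for this example, not copied from the file.
SAMPLE_REPOSITORY_TO_CPE = json.loads("""
{
  "data": {
    "rhel-9-for-x86_64-baseos-rpms": {
      "cpes": ["cpe:/o:redhat:enterprise_linux:9::baseos"],
      "repo_relative_urls": ["content/dist/rhel9/9/x86_64/baseos/os"]
    },
    "rhel-9-for-x86_64-highavailability-eus-rpms": {
      "cpes": ["cpe:/a:redhat:rhel_eus:9.0::highavailability"],
      "repo_relative_urls": ["content/eus/rhel9/9.0/x86_64/highavailability/os"]
    }
  }
}
""")


def build_index(repo_map):
    """Map every CDN repo name and every relative URL to that repo's CPE tuple."""
    index = {}
    for repo_name, entry in repo_map["data"].items():
        cpes = tuple(entry.get("cpes", []))
        index[repo_name] = cpes
        for rel_url in entry.get("repo_relative_urls", []):
            # Normalise leading/trailing slashes so baseurl paths match the file.
            index[rel_url.strip("/")] = cpes
    return index


def cpes_for_host(index, enabled_repos):
    """Return (sorted CPEs, unknown repo keys) for a host's enabled repos.

    Lookups are exact: a key that merely shares a prefix with a known repo
    name or URL is reported as unknown instead of mapped to the wrong CPE.
    """
    cpes, unknown = set(), []
    for key in enabled_repos:
        hit = index.get(key.strip("/"))
        if hit is None:
            unknown.append(key)
        else:
            cpes.update(hit)
    return sorted(cpes), unknown


if __name__ == "__main__":
    idx = build_index(SAMPLE_REPOSITORY_TO_CPE)
    # A CDN repo name, a relative URL taken from a baseurl, and an unknown repo id.
    print(cpes_for_host(idx, ["rhel-9-for-x86_64-baseos-rpms",
                              "/content/eus/rhel9/9.0/x86_64/highavailability/os/",
                              "epel"]))
```

The returned CPE list selects the OVAL streams to download; the unknown list flags repos the file does not cover, so they are not silently dropped.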
October 24, 2022
OVAL
- Fixed refresh logic for OVAL definitions that could for some CVEs ignore new changes and appear to conflict with other existing OVAL definitions (SECDATA-176).
October 3, 2022
OVAL
- Fixed a bug that incorrectly excluded the jenkins and jenkins-2-plugins components from OpenShift 4.x on RHEL 8 OVAL files (SECDATA-27).
August 29, 2022
OVAL
- Fixed incorrect OpenShift version in the CPE used in the openshift-4-including-unpatched OVAL files for RHEL 7 and 8 (SECDATA-26).
July 26, 2022
CSAF
- Rename the CSAF provider metadata file's pgp_keys item to public_openpgp_keys, per the latest CSAF specification.
RHSA Announcements
- Fix a bug that caused errata announcements to almost never be sent to the rhsa-announce mailing list.
July 6, 2022
Customer Portal
- Include an extra Red Hat certificate on our public OpenPGP key page.
CVE
- Update links in CVE page FAQ content.
RHSA Announcements
- Fix a bug that could cause some errata announcements to be sent to the rhsa-announce mailing list twice.
June 17, 2022
CVE
- Fix a bug where CVE pages may not show the CVE's summary in some cases.
June 9, 2022
OVAL
- OVAL files are now available for RHEL 9: /oval/v2/RHEL9/.
May 17, 2022
CSAF
- CSAF files are now available in beta form, as a successor to CVRF files. More details will be shared in an upcoming blog post.
Customer Portal
- Fixed a caching bug that could cause multiple requests to show different data, even though content had not changed.
- Include the certificates Red Hat uses to sign Ansible content on our public OpenPGP key page.
- Links in index directories now have a trailing slash appended automatically.
CVE
- Fixed a matching bug that could report a truncated CPE as affected instead of the full CPE, when only the CPE prefix matched.
Metrics
- IAVA IDs are no longer included in the CVE map file since this data is no longer available.
OVAL
- Modular RPM OVAL files now always report criteria inside an OR criteria object, to simplify OVAL parsing.
- RHEL 7 OVAL files now allow multiple affects entries for a single product version.
Mar 7, 2022
OVAL
- The oval/v2/RHEL8/openstack-16.oval.xml.bz2 file was split into multiple files, one for each minor OpenStack 16 release.
- Unfixed OVAL files now include the same CVE descriptions as are displayed on the CVE pages.
Metrics
- Added a container-name-to-repos-map.json file which can be used to map a container name label to its external repository name. If a name label is not present in this file, it is assumed the name label matches the external repository name in the CVE data.
Feb 8, 2022
Customer Portal
- Fixed bug that could cause some reports to show stale data instead of the most up-to-date version.
- Include the certificates Red Hat uses to sign EFI binaries for Secure Boot on our public OpenPGP key page.
RHSA announcements
- Fixed bug that could cause emails to be sent twice for the same advisory.
- Fix incorrect revision number in announcement emails.
Jan 11, 2022
OVAL
- The cve elements in the advisory node now use product-specific security impacts even for non-RHSA errata (normally used when impact on product is lower than general impact of the vulnerability itself).
RHSA announcements
- Fixed serialization of values in the Keywords (also displayed as Tags in some mail clients) header to a comma-separated list.
Nov 8, 2021
CVE
- CVE pages and the Security Data API now include data on all fixed components in a given product. Components that are not listed on a CVE page for a given advisory can be assumed to not be affected.
OVAL
- A new OVAL feed for RHEL 6 Extended Life Cycle Support (ELS) was added: /oval/v2/RHEL6/rhel-6-els.oval.xml.bz2.
- The oval/Red_Hat_Enterprise_Linux_[45678].xml and com.redhat.rhsa-RHEL[45678].xml files as well as the oval/com.redhat.rhsa-all.xml file now redirect to their bz2-compressed versions and are no longer served in their uncompressed form.
- Fixed empty /oval/rhsa.tar.bz2 being published.
Oct 13, 2021
OVAL
- vulnerability definitions inside *-including-unpatched-* OVAL files now include a list of resolutions for each affected component for all unfixed CVEs. The resolutions match those listed on the CVE page and are one of: Affected, Under investigation, Will not fix, Out of support scope, and Fix deferred. CVEs that do not affect a particular product and component continue to be listed in vulnerability definitions within the com.redhat.unaffected namespace.
- OVAL v2 files are now served with a correct content type: application/x-bzip2 instead of application/x-tar.
Aug 26, 2021
Security Data files are now available from the access.redhat.com domain (e.g. /oval/v2/RHEL8). Index pages are no longer rendered using Apache HTTPD but are generated for each directory using fancy-index as inspiration.
CVRF
- Advisories use container image names (e.g. openshift4/network-tools-rhel8:v4.7.0-202105071917.p0) instead of build NVR (e.g. ose-network-tools-container-v4.7.0-202105071917.p0) in <FullProductName> elements that specify components.
Metrics
- The https://www.redhat.com/security/data/metrics/ page was moved to https://access.redhat.com/security/data/. Sample days-of-risk reports are now available on separate HTML pages only.
April 26, 2021
OVAL
- The cve elements in the advisory node now use product-specific security impact when available (normally used when impact on product is lower than general impact of the vulnerability itself).
April 20, 2021
OVAL
- Include affected_cpe_list element in vulnerability definitions inside *-including-unpatched-* OVAL files.
- Add a check for Red Hat CoreOS 4 to all RHEL 8 OVAL files. This enables use of RHEL 8 OVAL files to test Red Hat CoreOS installations.
February 2, 2021
OVAL
- Include cve elements in metadata for vulnerability definitions inside *-including-unpatched-* OVAL files.
- Include updated element in metadata for vulnerability definitions inside *-including-unpatched-* OVAL files.
- Correct severity and title for each advisory element to use the correct security impact on a per-product basis in *-including-unpatched-* OVAL files. This impact should match the respective product CVE impact shown on CVE pages.
- Provide a corrected list of cpe elements in affected_cpe_list for each advisory in fixed OVAL files. This is mostly important for extended update support releases, which combine content from earlier releases and used to have an incorrect list of CPEs included.
January 19, 2021
OVAL
- The <bugzilla> elements in the <advisory> node now include only Bugzilla bug IDs related to CVEs addressed in the related advisory.
- The cve elements in the advisory node now specify a full CWE chain instead of individual whitespace-separated CWE IDs.
- *-debuginfo-* packages are now excluded from *-including-unpatched-* OVAL files (they are already excluded from all other OVAL files).
- Kernel live patching kpatch advisories are included in OVAL files. Some caveats for OVAL scanning and kpatch are documented in the Customer Portal.
December 9, 2020
This is an initial changelog summarizing changes for the past year.
OVAL
- OVAL tests for kernel-rt packages are corrected for some corner cases.
- Additional unfixed OVAL streams for several products are now available.
- In select cases, more granular information is available for impacted binary packages (usually excluding packages such as kernel-headers from OVAL tests).
CVRF
- CVRF documents are now available for advisories released before 2010.
- CPE identifiers are now present in <FullProductName> nodes.
- Container images are now partially supported in CVRF documents.
Other
- Addition of repository-to-cpe.json file which can be used to help identify OVAL streams to use for scanning.
- Order cpe-dictionary.xml alphabetically.
- CVE pages with incorrect impact caused by impact changing to none after initial investigation are now fixed.
- Core OS packages are now listed in affected packages on CVE pages.