Red Hat Security Data Changelog

Updated -

This page provides a changelog for Red Hat security data. This mostly covers files present and linked from the Red Hat Security Data page as well as content displayed on CVE pages.

May 6, 2025

VEX

  • In the future, VEX files might be generated with vulnerability labels other than the current
    vulnerable_code_not_present, such as the label options defined by the CSAF schema like component_not_present,
    inline_mitigations_already_exist, vulnerable_code_cannot_be_controlled_by_adversary,
    vulnerable_code_not_in_execute_path.

March 4, 2025

CVE and VEX

  • Fix missing CSAF files and invalid hash and signature files for a few CSAF advisories.

OVAL

  • Fix CPEs in affected_cpe_list of OVAL files openshift-4-including-unpatched.oval.xml non-deterministically changing on each OVAL file update between affected versions instead of consistently staying set to latest affected version.

February 12, 2025

CSAF and VEX

  • Fix an incorrect mapping of CVEs to fixed components, in certain advisories and all the metadata generated from them.

February 3, 2025

Third-party CVEs

  • Red Hat Product Security has begun publishing CVE pages and VEX files for all CVEs.
  • Previously, we only published data for CVEs that related to our products in some way.
  • The new data we began publishing only includes the CVE's description, list of references, and a statement explaining that Red Hat products are not affected.

  • This change was made to reduce confusion about whether Red Hat products are affected or not.

  • For example, we began publishing data for CVEs like CVE-2024-55918, which only affect upstream projects like Fedora.

  • All Red Hat products do not ship any affected version of perl, so we did not previously publish any data for this CVE.

  • We also began publishing data for CVEs like CVE-2024-44204, which only affect a third-party vendor's products like Apple iOS.

  • This data is being sourced from the CVE program's official list of all published CVE records.

  • Due to extremely high data volume, we expect it to take several weeks to fully publish all this "not affected" CVE data.
  • In most cases, we expect that this data will be published once and never change in the future, or only change rarely.

CSAF

  • Fix a failure to generate certain CSAF files, due to various data quality issues.

  • When an advisory publishes a new CSAF file, report the advisory's original release date (which will never change) in a new "releases.csv" file.

  • The entries in this "releases.csv" file follow the same format as the "changes.csv" and "deletions.csv" files.
  • The entries in this "releases.csv" file will be removed whenever their corresponding CSAF file is removed.
  • Please continue to check the "deletions.csv" file to see which CSAF files have been removed.

CVE and VEX

  • Fix a failure to generate a small number of VEX files for very old CVEs.

  • Fix incorrect PackageURL identifiers for RPMMOD (modular) components that are affected and not yet fixed.

  • When bulk-refreshing many CVE pages or VEX files, updates are now prioritized based on the CVE's impact, declared major incident status, and availability of exploits.

  • We expect this change will make data available more quickly, and improve accuracy for newly-discovered CVEs which are changing rapidly.
  • This change will also help ensure CVE pages and VEX files are updated together, instead of one update possibly being delayed by several hours.

OVAL

  • Fix incorrect OVAL data when kernel packages (like kernel and kernel-rt) were fixed in RHEL 8 and later.
  • Fix missing OVAL data for advisories with more than 4 digits in their IDs, such as RHSA-2024:10289.

January 10, 2025

CSAF and VEX

  • Refresh all VEX files after the bugfixes from December 4th (below).

January 2, 2025

Metadata

  • Temporarily add entries for architecture-independent RHEL 8, RHEL 9, UBI 8, and UBI 9 repositories to the repository-to-cpe.json mapping file.
  • These legacy entries are being provided on a temporary basis to resolve issues, and are planned to be removed in the future.

December 20, 2024

Metadata

  • Add entries for UBI 8 and 9 repositories to the repository-to-cpe.json mapping file.
  • These entries are being provided on a "best-effort" basis to resolve issues, and some entries may still be missing.
  • More fixes and enhancements to this data are planned for after the holidays.

December 4, 2024

CSAF and VEX

  • Always report CVSS scores in VEX files, even when all the Red Hat products listed are not affected and the score does not apply, to simplify parsing.
  • Fix incorrect PackageURLs being reported for a small number of unfixed container images.
  • Fix stale entries being left behind in the changes.csv file, after the CSAF or VEX file for that entry had already been deleted.
  • These entries will now appear in the deletions.csv file instead, so users can track which files have been removed.

CVE

  • Fix a few recent middleware advisories not appearing on CVE pages and in other security data, whenever an internal mapping was only partially complete.

OVAL

  • Fix missing OVAL data when multiple kernel packages (like kernel and kernel-rt) were fixed in a single advisory.

November 13, 2024

CSAF and VEX

  • Generate CSAF files (and update VEX files with advisory details) more quickly after an advisory ships.
  • Advisory details will also appear on CVE pages more quickly.
  • Internally, we now listen for a "newly-shipped advisory" notification, which is sent immediately.
  • We no longer need to poll an internal API periodically to find "recently-shipped advisories", which avoids some delays.

October 31, 2024

CSAF and VEX

  • Switch the document.category profile from csaf_vex to csaf_security_advisory for all CSAF files published under https://security.access.redhat.com/data/csaf/v2/advisories/.
  • VEX files published under https://security.access.redhat.com/data/csaf/v2/vex/ will remain unchanged and continue to report csaf_vex as their document.category profile.

  • This change ensures that the purpose and data included within each different set of files is more clear.

  • Report the Red Hat Security Bulletin (RHSB) URL, if one exists, in each vulnerability's list of references.

  • Fix bugs in code, and bad data in source systems, that caused some advisories to not generate CSAF files.

October 23, 2024

CSAF and VEX

  • When an advisory that fixes a CVE is available, report its release date in the "remediations" section of CSAF and VEX files.

CVE

  • Fix incorrect product names on a very small number of CVE pages.

Metadata

  • Use our new location for security data, https://security.access.redhat.com/data, when reporting "canonical URLs" in the provider-metadata.json and security.txt files.

October 2, 2024

CSAF and VEX

  • Use our new location for security data, https://security.access.redhat.com/data, when reporting "canonical URLs" in CSAF and VEX documents.

Metadata

  • Report the new location for our security data in the provider-metadata.json file, the security.txt file, and all other metadata files.

September 30, 2024

All security data

  • All of Red Hat's security data is now available in a new location, for example:
  • https://security.access.redhat.com/data/csaf/ for both CSAF and VEX documents

  • https://security.access.redhat.com/data/oval/ for OVAL data

  • There were two previous locations for these files, for example:

  • CSAF and VEX documents:
  • https://access.redhat.com/security/data/csaf/
  • https://www.redhat.com/security/data/csaf/
  • OVAL data:
  • https://access.redhat.com/security/data/oval/

  • https://www.redhat.com/security/data/oval/

  • Clients should begin using the new location where possible.

  • On September 3rd, the old location on www.redhat.com began redirecting to the new location.
  • On September 30th, the old location on access.redhat.com began redirecting to the new location.

September 24, 2024

Customer Portal

Metadata

September 12, 2024

CVE

  • Add a new FAQ entry to all CVE pages explaining what "Fix deferred" means.
  • Update the existing FAQ entry on all CVE pages to clarify what "Will not fix" means.

September 11, 2024

CSAF and VEX

  • Fix several data quality issues in a source system, which caused CSAF files to not be generated for a small number of advisories.
  • VEX files (for the CVEs present on each advisory) were also missing that advisory's data. These bugs are now fixed.

OVAL

  • Fix a bug that caused the OVAL stream file for rhel-7-els to be missing.

August 27, 2024

CSAF and VEX

  • Fix bugs that could cause files to be updated when the data had not changed.
  • Fix a bug that could cause the same file to be updated many times when the data only changed once.
  • Remove files under the /csaf/beta/vex/ path, which stopped being updated when the VEX beta ended.
  • Please consume the same files from the /csaf/v2/vex/ path, which are the GA versions.

SBOM

  • Remove any stale SBOM files which cannot be updated.

August 19, 2024

CSAF and VEX

  • CVE page entries that say "Fix deferred" now report "none_available" (yet) in VEX files, to indicate a fix may happen eventually.
  • CVE page entries that say "Will not fix" have not changed, and continue to report "no_fix_planned" in VEX files.
  • For more information, see the FAQ entry on every CVE page titled: What can I do if my product is listed as "Will not fix"?

August 13, 2024

CSAF and VEX

  • Fix bugs that could cause stale CVE-related information to be displayed in the "vulnerabilities" key in CSAF files only.
  • Fix bugs that could cause stale product-related information to be displayed in the "product_tree" key in both CSAF and VEX files.
  • Remove CSAF and VEX files which no longer have enough data to publish, after the stale data above was removed.

CVE

  • Show a "Known Exploit" icon on any CVE page when the CVE is listed in CISA's "Known Exploited Vulnerabilities" catalog.

July 29, 2024

CSAF and VEX

  • Fix bugs that could cause stale exploit / threats information to be displayed in CSAF and VEX files.

  • Add new data about modular RPM components to CSAF and VEX files.

    • The modular RPM IDs are formatted like name:stream:version:context.
    • The modules are linked to each product that ships them.
    • For example, the modules report "module_nsvc as a component of product" in the relationships section.

  • Update existing data for source and binary RPMs which are included as part of a module.

    • RPMs shipped inside some module now report the module's product ID as part of their own product ID.
    • For example, product:name:stream:version:context:rpm_nevra instead of product:rpm_nevra.
    • These RPMs are now related to the module which ships them.
    • For example, these RPMs now report "rpm_nevra as a component of module_nsvc" in the relationships section.
    • The RPMs are no longer related directly to the products which ship their parent module.
    • For example, these RPMs no longer report "rpm_nevra as a component of product" in the relationships section.
    • The same RPM-to-product relationship information is still available indirectly.
    • Combine the RPM-to-module relationships with the module-to-product relationships to find which products ship these RPMs.

  • RPMs which do not belong to any module have not changed and still report the same data.

July 10, 2024

VEX

June 17, 2024

Customer Portal

  • Update the "beta key 2" PGP key on our public OpenPGP key page.
    • This key now uses a SHA-256 signature and GPG version 2.0.22 instead of a SHA-1 signature and GPG version 1.2.6.
    • Only the signature has changed, the key itself has not been rotated and was not compromised.
    • If you already have an older copy of this key, you can continue using it to validate signatures.
    • The newer copy is the updated / more secure version of the same public key.

June 11, 2024

CSAF and VEX

  • Fix missing CSAF files for a few very old middleware advisories.

  • Track deleted CSAF / VEX files in a separate deletions.csv file, using the same structure as the changes.csv file.

    • As noted below, files are only deleted when source data changes or becomes invalid.
    • We delete the CSAF / VEX files because they are now stale and can no longer be updated.
    • Users may wish to implement a check for deleted files, using the new deletions.csv behavior.
    • Or users may continue to compare all files they have loaded with the current set of all files we have published.
    • Either way, users should remove any file from their systems after we have deleted / unpublished it.

  • Report PackageURLs for affected (but not yet fixed) RPM, RPM module, and container image components in VEX files.

    • These purls will appear underneath the "product_identification_helper" key.
    • These purls only include the affected component's name, because the fixed version is not yet known.
    • A more accurate purl, including the version number, will become available once the component is fixed.

  • Refresh all CSAF and VEX files after the bugfixes above.

May 29, 2024

CSAF and VEX

  • Add "type" and "classifier" qualifiers to the end of Maven component purl identifiers, if known.
  • Fix incorrect product IDs sometimes appearing in the "relationships" section for very old middleware CVEs / advisories.
  • Support including Red Hat CoreOS data in CSAF and VEX files, if available.

CVE

  • Fix a data quality issue where some CVE pages displayed "null" under their "Mitigation" section when no mitigation was available.

April 30, 2024

CSAF and VEX

  • Always nest product_name branches inside a product_family branch for consistent parsing.
  • Fix duplicated product_family, product_name, and architecture branches.
  • Refresh all CSAF and VEX files after the bugfixes above.

Metadata

  • Resign the security.txt file only once per release / change, instead of once per day, so clients can cache it.

April 18, 2024

CSAF and VEX

  • Add logic to delete old VEX files when the source data changes and files can no longer be updated.

  • Improve logic to delete old CSAF files when the source data changes and files can no longer be updated.

  • Clean up duplicate copies of the same CSAF and VEX files, as well as stale files which should not have been published.

  • Fix a bug where timestamps in the changes.csv file did not match the time the CSAF or VEX file was actually updated.

  • Refresh all CSAF and VEX files after the bugfixes above.

    • changes.csv contents will change frequently, and many entries will be missing, until the data refresh is complete.
    • index.txt contents may change frequently until the data refresh is complete.
    • Some entries in both files may permanently disappear. These removed entries are for stale files which should not have been published.

  • Publish the hash (checksum) and signature of the weekly CSAF and VEX archive files.

    • Files outside the archive will be updated more often than files inside the archive.
    • Therefore, files outside the archive are expected to have different hashes / signatures than files inside the archive.
    • Please validate the hash and signature of the whole archive at once, not the files inside of it individually.

Customer Portal

  • Update certain PGP keys (not certificates) on our public OpenPGP key page.
    • Keys now use SHA-256 signatures and GPG version 2.0.22 instead of SHA-1 signatures and older GPG versions.
    • Only the signatures have changed, the keys themselves have not been rotated and were not compromised.
    • If you already have an older copy of a key, you can continue using it to validate signatures.
    • The newer copy is the updated / more secure version of the same public key.

CVE

  • Fix several other bugs where we did not correctly update CVE pages (and security data files) when the source data changed.

March 21, 2024

Customer Portal

CVE

  • Fixed an issue where CVEs without a Red Hat description would report generic text instead of MITRE's description.

March 19, 2024

CVE

  • Fixed CVE pages sometimes displaying an impact of "_none" when the issue was not a security vulnerability.

Metadata

  • Updated the security.txt file's expiration date.

March 4, 2024

CSAF

  • Added logic to delete old CSAF files when the source data changes and files can no longer be updated.

January 22, 2024

CSAF

  • Fixed a bug that caused the CSAF and VEX archive files to be empty.

CVE

  • Fixed a bug when parsing a new NVR format for RPM modules built in RHEL 9, which created incorrect affectedness data on some CVE pages.
  • Added a new FAQ entry to all CVE pages for "What is a mitigation?"
  • Reworded an old FAQ entry to mention the Red Hat Vulnerability Scanner Certification program instead of specific tools and data formats.

December 19, 2023

CSAF

December 4, 2023

CSAF

  • Two new archive files that contain the complete set of files for CSAF advisories and CSAF VEX files are now available:

    Both files are archived using tar and compressed using zstd. These files are refreshed once a week; the file name will contain the date when the file was created. Updates made to files on or after the date the archive file was created should be fetched from individual files based on the data in the changes.csv file.

RHSA RSS Feed

  • Fixed missing <link> value in all RSS feed entries.

November 8, 2023

Metadata

  • Various metadata files have been retired and/or moved to alternative locations. Please review the list of changes in the "Changes to custom metrics data files" section of The future of Red Hat security data blog post.

October 12, 2023

VEX

CSAF Advisories

  • Vulnerability objects in all CSAF advisory files now include information about active exploits, purl identifiers for each component, information about vulnerability mitigations if any exist, and information about an OS reboot being required after applying the changes of a given advisory.

CVRF

RHSA Announcements

July 10, 2023

OVAL

  • The OVAL file for OpenShift 4.13 on RHEL 9 was incorrectly listing issues fixed on OpenShift versions released on RHEL 7 and 8 as not fixed.
  • OVAL v1 content has been moved to an archive as noted in the OVAL and DS v1 deprecation announcement.

May 18, 2023

SBOM

Metadata

April 28, 2023

SBOM

April 5, 2023

OVAL

CVE

  • External References of each CVE page now include links to the same CVE in the CVE List and NIST NVD.

March 7, 2023

CSAF/VEX

  • Per-year folders now correctly use the year that the advisory was issues, not the year that is a part of its ID.
  • The changes.csv file now uses correctly quoted parts and an ISO 8601 format date time.
  • The description of the Issuing Authority has been updated.
  • The canonical URL in each advisory was corrected.
  • Unfixed/unaffected components are no longer listed in the vendor_fix remediation listed for each vulnerability.

Data Files

  • The cvemap.xml file is now available in compressed form: cvemap.xml.bz2. It is recommended to migrate your scripts to use this file; the uncompressed version may be removed in the nearby future.

February 1, 2023

CSAF/VEX

December 7, 2022

OVAL

  • The repository-to-cpe.json file now includes a new attribute (repo_relative_urls) for each CDN repository that contains a list of relative URLs pointing to that CDN repo. These URLs can be used instead of the CDN repo names to uniquely identify a repo and map it to a CPE.
  • CPEs for products that have not yet been released are no longer included in the repository-to-cpe.json file; similarly OVAL stream files for such products are not generated either (SECDATA-14).
  • Removed the following CPE lists for retired products that were available under /security/data/metrics/: cpelist-critical-browsers.txt, cpelist-critical-helix.txt, cpelist-critical-moz.txt, cpelist-rhel4.8as-default-install.txt, cpelist-rhel4as-default-install.txt, cpelist-rhel4ws-default-install.txt, cpelist-rhel4ws-full-install.txt, cpelist-rhel5.6eus.txt, cpelist-rhel5server-default-install.txt, cpelist-rhel5server-u6-default-install.txt, cpelist-sjis.txt.

October 24, 2022

OVAL

  • Fixed refresh logic for OVAL definitions that could for some CVEs ignore new changes and appear to conflict with other existing OVAL definitions (SECDATA-176).

October 3, 2022

OVAL

  • Fixed incorrectly excluded jenkins and jenkins-2-plugins components from being included in OpenShift 4.x on RHEL 8 OVAL files (SECDATA-27).

August, 29, 2022

OVAL

  • Fixed incorrect OpenShift version in the CPE used in the openshift-4-including-unpatched OVAL files for RHEL7 and 8 (SECDATA-26).

July 26, 2022

CSAF

  • Rename the CSAF provider metadata file's pgp_keys item to public_openpgp_keys, per the latest CSAF specification.

RHSA Announcements

  • Fix a bug that caused errata announcements to almost never be sent to the rhsa-announce mailing list.

July 6, 2022

Customer Portal

CVE

  • Update links in CVE page FAQ content.

RHSA Announcements

  • Fix a bug that could cause some errata announcements to be sent to the rhsa-announce mailing list twice.

June 17, 2022

CVE

  • Fix a bug where CVE pages may not show the CVE's summary in some cases.

June 9, 2022

OVAL

May 17, 2022

CSAF

  • CSAF files are now available in beta form, as a successor to CVRF files. More details will be shared in an upcoming blog post.

Customer Portal

  • Fixed a caching bug that could cause multiple requests to show different data, even though content had not changed.
  • Include the certificates Red Hat uses to sign Ansible content on our public OpenPGP key page.
  • Links in index directories now have a trailing slash appended automatically.

CVE

  • Fixed a matching bug that could report a truncated CPE as affected instead of the full CPE, when only the CPE prefix matched.

Metrics

  • IAVA IDs are no longer included in the CVE map file since this data is no longer available.

OVAL

  • Modular RPM OVAL files now always report criteria inside an OR criteria object, to simplify OVAL parsing.
  • RHEL 7 OVAL files now allow multiple affects entries for a single product version.

Mar 7, 2022

OVAL

  • The oval/v2/RHEL8/openstack-16.oval.xml.bz2 file was split into multiple files, one for each minor OpenStack 16 release.
  • Unfixed OVAL files now include the same CVE descriptions as are displayed on the CVE pages.

Metrics

  • Added a container-name-to-repos-map.json file which can be used to map a container name label to its external repository name. If a name label is not present in this file, it is assumed the name label matches the external repository name in the CVE data.

Feb 8, 2022

Customer Portal

  • Fixed bug that could cause some reports to show stale data instead of the most up-to-date version.
  • Include the certificates Red Hat uses to sign EFI binaries for Secure Boot on our public OpenPGP key page.

RHSA announcements

  • Fixed bug that could cause emails to be sent twice for the same advisory.
  • Fix incorrect revision number in announcement emails.

Jan 11, 2022

OVAL

  • The cve elements in the advisory node now use product-specific security impacts even for non-RHSA errata (normally used when impact on product is lower than general impact of the vulnerability itself).

RHSA announcements

  • Fixed serialization of values in the Keywords (also displayed as Tags in some mail clients) header to a comma-separated list.

Nov 8, 2021

CVE

  • CVE pages and the Security Data API now include data on all fixed components in a given product. Components that are not listed on a CVE page for a given advisory can be assumed to not be affected.

OVAL

  • A new OVAL feed for RHEL 6 Extended Life Cycle Support (ELS) was added: /oval/v2/RHEL6/rhel-6-els.oval.xml.bz2.
  • The oval/Red_Hat_Enterprise_Linux_[45678].xml and com.redhat.rhsa-RHEL[45678].xml files as well as the oval/com.redhat.rhsa-all.xml file now redirect to their bz2-compressed versions and are no longer served in their uncompressed form.
  • Fixed empty /oval/rhsa.tar.bz2 being published.

Oct 13, 2021

OVAL

  • vulnerability definitions inside *-including-unpatched-* OVAL files now include a list of resolutions for each affected component for all unfixed CVEs. The resolutions match those listed on the CVE page and are one of: Affected, Under investigation, Will not fix, Out of support scope, and Fix deferred. CVEs that do not affect a particular product and component continue to be listed in vulnerability definitions within the com.redhat.unaffected namespace.
  • OVAL v2 files are now served with a correct content type: application/x-bzip2 instead of application/x-tar.

Aug 26, 2021

Security Data files are now available from the access.redhat.com domain (e.g. /oval/v2/RHEL8). Index pages are no longer rendered using Apache HTTPD but are generated for each directory using fancy-index as inspiration.

CVRF

  • Advisories use container image names (e.g. openshift4/network-tools-rhel8:v4.7.0-202105071917.p0) instead of build NVR (e.g. ose-network-tools-container-v4.7.0-202105071917.p0) in <FullProductName> elements that specify components.

Metrics

April 26, 2021

OVAL

  • The cve elements in the advisory node now use product-specific security impact when available (normally used when impact on product is lower than general impact of the vulnerability itself).

April 20, 2021

OVAL

  • Include affected_cpe_list element in vulnerability definitions inside *-including-unpatched-* OVAL files.
  • Add a check for Red Hat CoreOS 4 to all RHEL-8 OVAL files. This enables use of RHEL 8 OVAL files to test Red Hat CoreOS installations.

February 2, 2021

OVAL

  • Include cve elements in metadata for vulnerability definitions inside *-including-unpatched-* OVAL files.
  • Include updated element in metadata for vulnerability definitions inside *-including-unpatched-* OVAL files.
  • Correct severity and title for each advisory element to use correct security impact on per-product basis in *-including-unpatched-* OVAL files. This impact should match respective product CVE impact shown on CVE pages.
  • Provide corrected list of cpe elements in affected_cpe_list for each advisory in fixed OVAL files. This is mostly important for extended update support releases which combine content from earlier releases and used to have incorrect list of CPEs included.

January 19, 2021

OVAL

  • The <bugzilla> elements in the <advisory> node now include only Bugzilla bug IDs related to CVEs addressed in the related advisory.
  • The cve elements in the advisory node now specify a full CWE chain instead of individual whitespace-separated CWE IDs.
  • *-debuginfo-* packages are now excluded from *-including-unpatched-* OVAL files (they are already excluded from all other OVAL files).
  • Kernel live patching kpatch advisories are included in OVAL files. Some caveats for OVAL scanning and kpatch are documented in Customer Portal.

December 9, 2020

This is an initial changelog summarizing changes for the past year.

OVAL

  • OVAL tests for kernel-rt packages are corrected for some corner cases.
  • Additional unfixed OVAL streams for several products are now available.
  • In select cases, more granular information is available for impacted binary packages (usually excluding packages such as kernel-headers from OVAL tests).

CVRF

  • CVRF documents are now available for advisories released before 2010.
  • CPE identifiers are now present in <FullProductName> nodes.
  • Container images are now partially supported in CVRF documents.

Other

  • Addition of repository-to-cpe.json file which can be used to help identify OVAL streams to use for scanning.
  • Order cpe-dictionary.xml alphabetically.
  • CVE pages with incorrect impact caused by impact changing to none after initial investigation are now fixed.
  • Core OS packages are now listed in affected packages on CVE pages.

Comments