Outdated packages with security issues

Latest response

Just scanned an up-to-date RHEL 7.6 with Nessus and got the following issues:

Severity: HIGH
RHEL 7 : glusterfs (RHSA-2018:3432)

Severity: MEDIUM
RHEL 7 : Red Hat Ceph Storage 2.5 (RHSA-2018:2261)
RHEL 7 : Storage Server (RHSA-2018:2613)

Remote package installed : glusterfs-3.12.2-18.el7
Should be : glusterfs-3.12.2-25.el7

Remote package installed : glusterfs-client-xlators-3.12.2-18.el7
Should be : glusterfs-client-xlators-3.12.2-25.el7

Remote package installed : glusterfs-fuse-3.12.2-18.el7
Should be : glusterfs-fuse-3.12.2-25.el7

Remote package installed : glusterfs-libs-3.12.2-18.el7
Should be : glusterfs-libs-3.12.2-25.el7

Remote package installed : librados2-10.2.5-4.el7
Should be : librados2-10.2.10-28.el7cp

Remote package installed : libtdb-1.3.15-1.el7
Should be : libtdb-1.3.15-4.el7

So Red Hat knows about these issues and recommends installing newer versions that seem to be available somewhere, but they are missing from the RHEL 7 repositories.

Why does Red Hat not take care of these issues? How can we solve this? We need to update a customer system and prove that there are no known vulnerabilities with severity "HIGH" or "MEDIUM".


I have the same issue

Same for me, need libtdb-1.3.15-4.el7 or higher. Not finding it, and yes, RHSA-2018:2613 doesn't allow you to download anymore.

I have the same issue. Also not finding RHSA-2018:2613. Anyone find where this elusive patch is hiding?

I have submitted a support case for this issue, hopefully they will finally fix it.

Ronald, Any status on the support case you submitted for this issue?

So far all I'm getting is that these RPMs are provided in premium products, and if you don't pay for them you don't have access to download them. From my previous experience, what will most likely happen is that they will release these RPMs when they finally realize that they provide them in the standard OS. It, unfortunately, will take them a while to figure it out. They have provided me with a download link for the old RPMs. Will update when I hear something else.

I think this is an incorrect report for libtdb-1.3.15-1.el7, at least. I had a look at the CVEs referenced in RHSA-2018:2613: CVE-2018-1050 affects the printing bit of Samba, CVE-2018-1139 affects Samba authentication, and CVE-2018-10858 affects libsmbclient. Red Hat has fixed these in the RHEL 7 samba package, but libtdb is a separate package in RHEL 7 and I can't see how it would be affected by these vulnerabilities (it is a simple database library used by Samba and some other software), so I doubt there is any reason to update it, whatever Nessus claims, which will be why there isn't an update available in mainstream RHEL 7.

This package version (glusterfs-3.12.2-25.el7) is provided by Red Hat Gluster Storage Native Client (rh-gluster-3-client-for-rhel-7-server-rpms) repository.

Refer: https://access.redhat.com/downloads/content/glusterfs/3.12.2-25.el7/x86_64/fd431d51/package

To enable and sync the Red Hat Gluster Storage Native Client (rh-gluster-3-client-for-rhel-7-server-rpms) repository, please follow: https://access.redhat.com/solutions/3412301

Thanks Hradayesh. Is there also a means to get the libtdb-1.3.15-4.el7 RPM? I and a lot of others are getting hit by Nessus for being at only rev. libtdb-1.3.15-1.el7.

Hello Samuel,

I have found the link below [1] for the libtdb RPM. This is provided by the repository "Red Hat Gluster Storage Server for On-premise 3 for RHEL 7 x86_64".

This repository is provided by the product "Red Hat Gluster Storage Server for On-premise". So we will need a subscription which provides this product.

Hope this helps.

[1] https://access.redhat.com/downloads/content/libtdb/1.3.15-4.el7rhgs/x86_64/fd431d51/package

I'll second that request for the libtdb-1.3.15-4.el7.rpm patch. Any chance that it'll be made available soon?

Just to help folks understand what we are running into, though it is not going to do much about the Nessus scan. Nessus only checks for a possibly compromised RPM by version number, so any time it sees a glusterfs package with 3.12.2-25.el7 it will flag it, even if it is not the vulnerable component. In addition, Nessus does not have an awareness of RHEL channels, so it just assumes everything has everything.

RH only updates the vulnerable package and anything in the vulnerable package's direct channel. So when there is an issue in a SERVER package, but not a client package, RHEL updates the channel with the server (RHEL Storage) but does not update client-only channels (RHEL 7 Server). It is a pain, but you can document it to get ISSOs over your back till the patches trickle down to the base release.
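The post above describes the mechanics behind the false positives: the scanner compares the installed NVR against the advisory's NVR and knows nothing about channels. The following is an added example, not code from this thread or from Red Hat or Tenable, that reproduces that version-only check in Python (a simplified port of rpm's segment comparison rules, omitting the caret operator) over constructed "Plugin Output" lines in the format quoted in this thread, and then applies the documentation approach the post suggests: a per-package note for findings that are known channel-only rebuilds. The `SAMPLE_SCAN_OUTPUT` text and the `documented` dictionary are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the scanner's "Plugin Output" format quoted in this thread.
SAMPLE_SCAN_OUTPUT = """
Remote package installed : glusterfs-3.12.2-18.el7
Should be : glusterfs-3.12.2-25.el7

Remote package installed : librados2-10.2.5-4.el7
Should be : librados2-10.2.10-28.el7cp

Remote package installed : libtdb-1.3.15-1.el7
Should be : libtdb-1.3.15-4.el7
"""

# rpm splits a version/release string into numeric and alphabetic segments;
# '~' is kept as its own token because it sorts before anything.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm does (simplified,
    no '^' handling): numeric segments compare as integers, alpha segments as
    strings, numeric beats alpha, '~' sorts before everything including end of
    string, and a string with segments left over is the newer one."""
    if a == b:
        return 0
    ta, tb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = 0
    while True:
        x = ta[i] if i < len(ta) else None
        y = tb[i] if i < len(tb) else None
        if x is None and y is None:
            return 0
        if x == "~" or y == "~":          # tilde: pre-release, sorts lowest
            if x != "~":
                return 1
            if y != "~":
                return -1
            i += 1
            continue
        if x is None:                     # b has more segments -> b is newer
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():                 # numeric segment beats alpha segment
            c = 1
        elif y.isdigit():
            c = -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
        i += 1


def nvr_split(nvr: str) -> Tuple[str, str, str]:
    """Split 'name-version-release' from the right so hyphenated names survive."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_nvr(installed: str, required: str) -> int:
    """<0 if installed is older than required, 0 if equal, >0 if newer."""
    n1, v1, r1 = nvr_split(installed)
    n2, v2, r2 = nvr_split(required)
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1} vs {n2}")
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


_INSTALLED = re.compile(r"Remote package installed\s*:\s*(\S+)")
_SHOULD = re.compile(r"Should be\s*:\s*(\S+)")


def parse_scan_output(text: str) -> List[Tuple[str, str]]:
    """Pair each 'Remote package installed' line with the following 'Should be' line."""
    pairs, pending = [], None
    for line in text.splitlines():
        m = _INSTALLED.search(line)
        if m:
            pending = m.group(1)
            continue
        m = _SHOULD.search(line)
        if m and pending:
            pairs.append((pending, m.group(1)))
            pending = None
    return pairs


def triage(text: str, documented: Dict[str, str]) -> List[Dict[str, str]]:
    """Reproduce the scanner's version-only verdict, then attach the written
    justification for packages whose newer NVR exists only in another channel."""
    rows = []
    for installed, required in parse_scan_output(text):
        name = nvr_split(installed)[0]
        if compare_nvr(installed, required) >= 0:
            status = "current"
        elif name in documented:
            status = "documented: " + documented[name]
        else:
            status = "outdated"
        rows.append({"package": name, "installed": installed,
                     "required": required, "status": status})
    return rows


if __name__ == "__main__":
    # Constructed justification text; the real note should cite the advisory and channel.
    notes = {"libtdb": "channel-only rebuild, CVE fixes are in the base samba package"}
    for row in triage(SAMPLE_SCAN_OUTPUT, notes):
        print(f"{row['package']:<12} {row['installed']:<28} -> {row['required']:<28} {row['status']}")
```

The `documented` mapping is where the per-package write-up for the ISSO lives; the script only distinguishes "genuinely behind the advisory NVR" from "behind, but with a recorded reason". On the host itself the justification should be backed by `rpm -q --changelog <package>`, which lists the CVE identifiers Red Hat backported into the installed build regardless of its version string.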

Was just hit with out of date libtdb-1.3.15-1.el7.x86_64 on one of our servers. Does anyone have an update on this?

Hello Edward,

This particular version libtdb-1.3.15-1.el7.x86_64 RPM is provided by "Red Hat Enterprise Linux Server 7 x86_64 (rhel-7-server-rpms)" repository.

Are you using any specific minor version of RHEL 7? (Ex: RHEL 7.5.) If the issue persists, please open a support case and I can have a look at it.

Server is connected to the main RHEL 7 channel on our Red Hat Satellite server, it is not on one of the EUS channels. ACAS scan says that we should be at libtdb-1.3.15-4.el7.x86_64.

From the scanner output: "Plugin Output: Remote package installed : libtdb-1.3.15-1.el7 Should be : libtdb-1.3.15-4.el7

NOTE: The vulnerability information above was derived by checking the package versions of the affected packages from this advisory. This scan is unable to rely on Red Hat's own security checks, which consider channels and products in their vulnerability determinations."

Actually it is Nessus you should be raising a support case with. libtdb-1.3.15-1.el7 is no different from libtdb-1.3.15-4.el7 from a security point of view, and Nessus is just confused because libtdb-1.3.15-4.el7 was released as part of a group of package updates to Red Hat Gluster Storage Server which did have security fixes in other packages.