Outdated packages with security issues

Just scanned an up-to-date RHEL 7.6 with Nessus and got the following issues:

Severity: HIGH
RHEL 7 : glusterfs (RHSA-2018:3432)

Severity: MEDIUM
RHEL 7 : Red Hat Ceph Storage 2.5 (RHSA-2018:2261)
RHEL 7 : Storage Server (RHSA-2018:2613)

Remote package installed : glusterfs-3.12.2-18.el7
Should be : glusterfs-3.12.2-25.el7

Remote package installed : glusterfs-client-xlators-3.12.2-18.el7
Should be : glusterfs-client-xlators-3.12.2-25.el7

Remote package installed : glusterfs-fuse-3.12.2-18.el7
Should be : glusterfs-fuse-3.12.2-25.el7

Remote package installed : glusterfs-libs-3.12.2-18.el7
Should be : glusterfs-libs-3.12.2-25.el7

Remote package installed : librados2-10.2.5-4.el7
Should be : librados2-10.2.10-28.el7cp

Remote package installed : libtdb-1.3.15-1.el7
Should be : libtdb-1.3.15-4.el7

So Red Hat knows about these issues and recommends installing newer versions that seem to be available somewhere, but they are missing from the RHEL 7 repositories.

Why does Red Hat not take care of these issues? How can we solve this? We need to update a customer system and prove that there are no known vulnerabilities with severity "HIGH" or "MEDIUM".

Responses

I have the same issue

Same for me, I need libtdb-1.3.15-4.el7 or higher. Not finding it, and yes, RHSA-2018:2613 doesn't allow you to download it anymore.

I have the same issue. Also not finding RHSA-2018:2613. Anyone find where this elusive patch is hiding?

I have submitted a support case for this issue, hopefully they will finally fix it.

Ronald, Any status on the support case you submitted for this issue?

So far all I'm getting is that these RPMs are provided in premium products and if you don't pay for them you don't have access to download them. From my previous experience, what will most likely happen is that they will release these RPMs when they finally realize that they provide them in the standard OS. Unfortunately, it will take them a while to figure it out. They have provided me with a download link for the old RPMs. Will update when I hear something else.

I think this is an incorrect report for libtdb-1.3.15-1.el7 at least. I had a look at the CVEs referenced in RHSA-2018:2613: CVE-2018-1050 affects the printing bit of samba, CVE-2018-1139 affects samba authentication, and CVE-2018-10858 affects libsmbclient. Red Hat has fixed these in the RHEL 7 samba package, but libtdb is a separate package in RHEL 7 and I can't see how it would be affected by these vulnerabilities (it is a simple database library used by samba and some other software), so I doubt there is any reason to update it, whatever Nessus claims, which will be why there isn't an update available in mainstream RHEL 7.

This package version (glusterfs-3.12.2-25.el7) is provided by Red Hat Gluster Storage Native Client (rh-gluster-3-client-for-rhel-7-server-rpms) repository.

Refer: https://access.redhat.com/downloads/content/glusterfs/3.12.2-25.el7/x86_64/fd431d51/package

To enable and sync the Red Hat Gluster Storage Native Client (rh-gluster-3-client-for-rhel-7-server-rpms) repository, please follow: https://access.redhat.com/solutions/3412301

Thanks Hradayesh. Is there also a means to get the libtdb-1.3.15-4.el7 RPM? I and a lot of others are getting hit by Nessus for being at only rev. libtdb-1.3.15-1.el7.

I'll second that request for the libtdb-1.3.15-4.el7.rpm patch. Any chance that it'll be made available soon?

Just to help folks understand what we are running into, though it is not going to do much about the Nessus scan. Nessus only checks for a possibly compromised RPM by version number, so any time it sees a glusterfs package with 3.12.2-25.el7 it will flag it even if it is not the vulnerable component. In addition, Nessus does not have an awareness of RHEL channels, so it just assumes everything has everything.

RH only updates the vulnerable package and anything in the vulnerable package's direct channel. So when there is an issue in a SERVER package, but not a client package, RHEL updates the channel with the server (RHEL Storage) but does not update client-only channels (RHEL 7 Server). It is a pain, but you can document it to get ISSOs off your back till the patches trickle down to the base release.
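As an added example (not code from this thread, from Red Hat or from Tenable): a Python port of rpm's version comparison, run over the "installed / Should be" pairs quoted in the original post, to show what a version-only check like the one described above flags. It reproduces the verdict but, like the scanner, knows nothing about which channel ships the fixed build; the sample input is constructed from the thread.

```python
import re

# Constructed sample: the "installed / Should be" pairs quoted in the thread above.
NESSUS_FINDINGS = """\
Remote package installed : glusterfs-3.12.2-18.el7
Should be : glusterfs-3.12.2-25.el7
Remote package installed : librados2-10.2.5-4.el7
Should be : librados2-10.2.10-28.el7cp
Remote package installed : libtdb-1.3.15-1.el7
Should be : libtdb-1.3.15-4.el7
"""
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")  # rpm compares digit runs, letter runs and '~'; '^' omitted here
def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): returns -1, 0 or 1 like strcmp."""
    sa, sb, i = _SEG.findall(a), _SEG.findall(b), 0
    while True:
        ta = sa[i] if i < len(sa) else None
        tb = sb[i] if i < len(sb) else None
        if ta == "~" or tb == "~":          # '~' sorts before anything, even end of string
            if ta != tb:
                return 1 if tb == "~" else -1
            i += 1
            continue
        if ta is None or tb is None:        # one side ran out: leftover segments win
            return 0 if ta is tb else (-1 if ta is None else 1)
        if ta.isdigit():
            if not tb.isdigit():            # a numeric segment beats an alpha segment
                return 1
            ta, tb = ta.lstrip("0"), tb.lstrip("0")
            if len(ta) != len(tb):          # longer digit string (no leading zeros) is larger
                return -1 if len(ta) < len(tb) else 1
        elif tb.isdigit():
            return -1
        if ta != tb:                        # same-type segments: plain string order
            return -1 if ta < tb else 1
        i += 1
def evrcmp(installed, required):
    """Compare 'name-[epoch:]version-release' strings like rpm: epoch, then version, then release."""
    def evr(pkg):
        _, ver, rel = pkg.rsplit("-", 2)
        epoch, _, ver = ver.rpartition(":")
        return int(epoch or 0), ver, rel
    (e1, v1, r1), (e2, v2, r2) = evr(installed), evr(required)
    return (e1 > e2) - (e1 < e2) or rpmvercmp(v1, v2) or rpmvercmp(r1, r2)
def outdated_packages(report):
    """Return (name, installed, required) for every pair where the installed NEVR is older."""
    values = [l.partition(":")[2].strip() for l in report.splitlines() if l.strip()]
    pairs = zip(values[0::2], values[1::2])   # each "installed" line is followed by its "Should be"
    return [(i.rsplit("-", 2)[0], i, r) for i, r in pairs if evrcmp(i, r) < 0]
```

All three packages come back as "behind", which is exactly the point the post makes: the comparison is purely lexical on the version string, so proving the finding is a false positive requires documenting the channel and the actual fixed component, not a different scanner run.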