Hello,
Just wanted to kindly add a reminder that as of today, there is no CVE-2021-4115 fix for CentOS Stream 8, even if this has been fixed in RHEL 8 and other clones like Rocky Linux and AlmaLinux for some time now.
As you can see from this link https://access.redhat.com/errata/RHSA-2022:1546, the CVE-2021-4115 has been fixed in polkit-0.115-13.el8_5.2. However for CentOS Stream 8, the latest polkit package is polkit-0.115-13.el8_5.1 (5.1 instead of 5.2), as can be seen from the list of packages here http://mirror.centos.org/centos/8-strea ... /Packages/.
Any clue how long Red Hat is planning to keep CentOS Stream 'behind' RHEL 8? My understanding is that CentOS Stream should be ahead of RHEL 8, but it is not according to this. Or am I looking in the wrong places for the correct packages?
Thanks,
Adrian
CVE-2021-4115 and polkit package
Re: CVE-2021-4115 and polkit package
Thanks for the heads up, I have passed this on to the people that build Stream. However, all is not quite as you think: the fixed version is in fact there and available, but someone has given it the wrong version number, so it's not seen by yum/dnf because it's lower than the one you see without the fix. So until that is sorted out, if you yum downgrade polkit you will get http://mirror.centos.org/centos/8-strea ... x86_64.rpm which was built in March and does include that CVE in its changelog.
Hopefully someone will either rename it or rebuild it with a higher nvr than the broken one!
CentOS 8 died a premature death at the end of 2021 - migrate to Rocky/Alma/OEL/Springdale ASAP.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are dead, do not use them.
Use the FAQ Luke
Re: CVE-2021-4115 and polkit package
I'm told it is being rebuilt and republished from polkit-0.115-13.0.1.el8.2.src.rpm and will go out as part of an update push later on today.
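An added example, not written by anyone in this thread: a simplified Python version of RPM's version comparison, showing why yum/dnf only offers a build whose NVR sorts higher than the installed one. The package names are the ones quoted above except the one marked as constructed; `~` and `^` handling and epochs are left out as a simplifying assumption.

```python
import re

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: 1 if a is newer, -1 if older, 0 if equal.

    Strings are split into runs of digits or letters; separators such as
    '.' and '_' are ignored. '~' and '^' are not handled here.
    """
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1      # a numeric segment beats a letter segment
        if xd:
            x, y = int(x), int(y)       # numeric compare ignores leading zeros
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_nvr(nvr: str):
    """Split 'name-version-release' from the right, since names may contain '-'."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def is_update(installed: str, candidate: str) -> bool:
    """True if dnf would treat candidate as newer than installed (same name, no epoch)."""
    _, iv, ir = split_nvr(installed)
    _, cv, cr = split_nvr(candidate)
    return (rpmvercmp(cv, iv) or rpmvercmp(cr, ir)) > 0

INSTALLED = "polkit-0.115-13.el8_5.1"       # Stream 8 build without the fix
RHEL_FIX = "polkit-0.115-13.el8_5.2"        # from RHSA-2022:1546
REBUILD = "polkit-0.115-13.0.1.el8.2"       # NVR of the rebuild source rpm
LOWER_EXAMPLE = "polkit-0.115-13.el8"       # constructed, NOT the real mis-numbered build

if __name__ == "__main__":
    for cand in (RHEL_FIX, REBUILD, LOWER_EXAMPLE):
        print(f"{cand:32} offered as update: {is_update(INSTALLED, cand)}")
```

On a real host, comparing `rpm -q polkit` with `rpm -q --changelog polkit | grep CVE-2021-4115` confirms whether the installed build carries the fix, independent of how its release string sorts.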
Re: CVE-2021-4115 and polkit package
Thank you so much for this
Adrian