CVE-2021-4115 and polkit package

Support for security such as Firewalls and securing linux
Post Reply
adrian27
Posts: 18
Joined: 2020/02/06 12:04:15

CVE-2021-4115 and polkit package

Post by adrian27 » 2022/05/19 14:11:47

Hello,

Just wanted to kindly add a reminder that as of today, there is no CVE-2021-4115 fix for CentOS Stream 8, even if this has been fixed in RHEL 8 and other clones like Rocky Linux and AlmaLinux for some time now.

As you can see from this link https://access.redhat.com/errata/RHSA-2022:1546, the CVE-2021-4115 has been fixed in polkit-0.115-13.el8_5.2. However for CentOS Stream 8, the latest polkit package is polkit-0.115-13.el8_5.1 (5.1 instead of 5.2), as can be seen from the list of packages here http://mirror.centos.org/centos/8-strea ... /Packages/.

Any clue how long is Red Hat planning to keep the CentOS Stream 'behind' the RHEL 8? My understanding is that CentOS Stream should be ahead of RHEL 8, but is not according to this. Or am I looking in the wrong places to the correct packages?

Thanks,
Adrian

User avatar
TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2021-4115 and polkit package

Post by TrevorH » 2022/05/19 14:28:11

Thanks for the heads up, I have passed this on to the people that build Stream. However, all is not quite as you think, the fixed version is in fact there and available but someone has given it the wrong version number so it's not seen by yum/dnf because it's lower than the one you see without the fix. so until that is sortedd out, if you yum downgrade polkit you will get http://mirror.centos.org/centos/8-strea ... x86_64.rpm which was built in March and does include that CVE in its changelog.

Hopefully someone will either rename it or rebuild it with a higher nvr than the broken one!
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

User avatar
TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2021-4115 and polkit package

Post by TrevorH » 2022/05/19 14:43:06

I'm told it is being rebuilt and republished from polkit-0.115-13.0.1.el8.2.src.rpm and will go out as part of an update push later on today.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

adrian27
Posts: 18
Joined: 2020/02/06 12:04:15

Re: CVE-2021-4115 and polkit package

Post by adrian27 » 2022/05/19 21:48:21

Thank you so much for this
Adrian

Post Reply