Packages python-qpid-proton-0.31.0-3.el7 and qpid-proton-c-0.31.0-3.el7 are not available in rhel-7-server-satellite-tools-6.7-rpms repository

Solution Verified - Updated

Environment

  • Red Hat Satellite 6.x
  • Red Hat Enterprise Linux 6.x
  • Red Hat Enterprise Linux 7.x
  • Red Hat Enterprise Linux 8.x

Issue

  • Is the Red Hat Satellite server vulnerable to the CVE addressed in RHSA-2020:2605?
  • I want to update the python-qpid-proton and qpid-proton-c packages to version 0.31.0-3 on the clients connected to the Red Hat Satellite server.
  • The python-qpid-proton-0.31.0-3.el7 and qpid-proton-c-0.31.0-3.el7 packages are missing from the rhel-7-server-satellite-tools-6.7-rpms repository.
  • Are python-qpid-proton-0.28.0-3.el7 and qpid-proton-c-0.28.0-3.el7 vulnerable to the CVE addressed in RHSA-2020:2605?
  • A security scanner has flagged python-qpid-proton-0.28.0-3.el7 and qpid-proton-c-0.28.0-3.el7 as vulnerable. Can we update the packages to the latest available versions?

Resolution

  • The Red Hat Satellite server is not affected by the CVE addressed in RHSA-2020:2605.
  • The clients connected to the Red Hat Satellite server are not affected by RHSA-2020:2605.
  • The alert can be safely ignored. The current packages are up to date: python-qpid-proton-0.28.0-3.el7 and qpid-proton-c-0.28.0-3.el7 are the latest packages provided by the rhel-7-server-satellite-tools-6.7-rpms repository.
  • Updating these packages from any repository other than satellite-tools is not recommended: it breaks the connection with the Satellite server, and the clients will no longer communicate with it.
  • This CVE does not affect any packages in the satellite-tools repository.
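A quick way to act on the resolution above is to confirm on each client that the installed qpid-proton packages are exactly the builds the satellite-tools repository ships, so a scanner finding for a newer build (such as the 0.31.0-3.el7 packages from RHSA-2020:2605) can be recognised as a different product rather than a missing update. The script below is an added example and is not part of the Red Hat solution; it assumes the `rpm` query format shown in its comments, and the baseline version 0.28.0-3.el7 and repository label are taken from the solution text.

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution: verify on a RHEL 7 client
# that the installed qpid-proton packages are the ones shipped by
# rhel-7-server-satellite-tools-6.7-rpms, and flag anything else.
# The baseline 0.28.0-3.el7 and the repository label come from the solution.

SATTOOLS_REPO="rhel-7-server-satellite-tools-6.7-rpms"
BASELINE_EVR="0.28.0-3.el7"

# check_qpid_packages [BASELINE]
# Reads "NAME VERSION-RELEASE" lines on stdin, in the format produced by
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' python-qpid-proton qpid-proton-c
# Prints one verdict per qpid-proton package and ignores other lines.
# Exit status 0: every package matches the satellite-tools baseline.
# Exit status 1: at least one package differs, e.g. a newer build pulled in
# from another repository, which the solution says breaks the client's
# connection to the Satellite server.
check_qpid_packages() {
  baseline="${1:-$BASELINE_EVR}"
  status=0
  while read -r name evr; do
    case "$name" in
      python-qpid-proton|qpid-proton-c) ;;
      *) continue ;;   # unrelated package or blank line
    esac
    if [ "$evr" = "$baseline" ]; then
      echo "OK   $name-$evr is the version shipped by $SATTOOLS_REPO"
    else
      echo "WARN $name-$evr differs from baseline $baseline; confirm its repository with 'yum --showduplicates list $name' before changing anything"
      status=1
    fi
  done
  return "$status"
}

# Usage on a client (requires rpm; not run when this file is sourced):
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' python-qpid-proton qpid-proton-c | check_qpid_packages
```

If the satellite-tools repository later ships a newer build, pass that version as the first argument instead of relying on the hard-coded baseline; `yum --showduplicates list python-qpid-proton` shows every version offered by the enabled repositories together with the repository each comes from, which is the place to check before deciding that a WARN line needs action.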

Root Cause

  • The alert is caused by a conflict between the qpid-proton packages released for Red Hat AMQ Clients (through RHSA-2020:2605) and the ones shipped in the satellite-tools-6.7 repository. The qpid-proton fix in RHSA-2020:2605 applies to Red Hat AMQ Clients only; it does not imply that the qpid-proton packages from satellite-tools are affected or need to be updated. These are two different products with different architectures and code bases.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.