Apollo: Potential bug in module version parsing #1

Closed
opened 2023-04-21 21:16:03 +00:00 by skip · 1 comment

This was pointed out to me, and I'm relaying the concern as an issue here.

There are currently 3 builds of the httpd module in Rocky 8.7. These are the httpd version numbers (and module info):

httpd-2.4.37-51.module+el8.7.0+1059+126e9251
httpd-2.4.37-51.module+el8.7.0+1155+5163394a.1
httpd-2.4.37-51.module+el8.7.0+1182+86a6cd60.5

(note the .1 and .5 after the module info)

I believe these 3 releases coincide with these errata, listed in the same order:

https://errata.rockylinux.org/RLSA-2022:7647
https://errata.rockylinux.org/RLSA-2023:0852
https://errata.rockylinux.org/RLSA-2023:1673

Looking at the errata pages, I noticed something is off: all of the affected package versions are listed as the original module release (2.4.37-51.module+el8.7.0+1059+126e9251). The unique module build strings from the .1 and .5 updates are not there, and the trailing .1 and .5 are ignored.

I can tell these errata are valid due to the CVEs they solve; they match up closely to the RPM changelog. But it seems like Apollo doesn't tell them apart as separate versions, possibly because it is ignoring that trailing digit and treating each one as the same? (httpd-2.4.37-51)

I don't believe RLSA-2023:0852 and RLSA-2023:1673 are making it into DNF's updateinfo due to this issue. I can't find them from my Rocky 8 system.

Thanks, hope this makes sense

-Skip
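Added example (not Apollo's or distro-tools' code) illustrating the concern above: it reimplements rpm's release comparison rules for digit and letter segments (tilde and caret handling omitted, since these strings have neither), takes the three httpd builds from this issue, and shows that keeping only the part of the release before the first `.` (the suspected truncation) collapses all three builds into one, while comparing the full release string keeps them distinct and ordered.

```python
import re
from functools import cmp_to_key

# The three httpd module builds listed in the issue (constructed input).
BUILDS = [
    "httpd-2.4.37-51.module+el8.7.0+1059+126e9251",
    "httpd-2.4.37-51.module+el8.7.0+1155+5163394a.1",
    "httpd-2.4.37-51.module+el8.7.0+1182+86a6cd60.5",
]

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def split_nvr(nvr):
    """Split name-version-release: release follows the last '-', version the one before."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def rpmvercmp(a, b):
    """Compare two version/release strings by rpm's segment rules:
    numeric segments compare numerically, alpha segments as strings,
    a numeric segment beats an alpha one, separators ('.', '+', ...) are
    ignored, and if all shared segments tie the string with segments left
    over is newer. Returns -1, 0 or 1 (tilde/caret rules not implemented)."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1
        if xd:
            x, y = x.lstrip("0") or "0", y.lstrip("0") or "0"
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def truncate_release(release):
    """Mimic the suspected bug: keep only what precedes the first '.' (e.g. '51')."""
    return release.split(".", 1)[0]


def distinct_releases(builds, normalize=lambda r: r):
    """Set of release strings after applying a normalizer to each build's release."""
    return {normalize(split_nvr(b)[2]) for b in builds}


def newest_build(builds):
    """Pick the newest build by full release comparison (versions here are identical)."""
    return max(builds, key=cmp_to_key(lambda p, q: rpmvercmp(split_nvr(p)[2], split_nvr(q)[2])))
```

Note that the order of these three builds is decided by the module build number (1059 < 1155 < 1182) before the trailing .1/.5 is ever reached, so dropping the suffix alone would not reorder them; dropping everything after `51` is what makes them indistinguishable.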

Author

Re-opening in the github repo. Disregard this one.

skip closed this issue 2023-04-21 21:21:46 +00:00
Reference: resf/distro-tools#1