Sub-task
Resolution: Done
Note for Release ARTists: follow this procedure to attach flaw bugs and convert RHBAs to RHSAs if needed: https://github.com/openshift/art-docs/blob/master/4.y.z-stream.md#attach-first-fix-cve-flaw-bugs
Sub-task to review the release's advisories and ensure the security metadata is accurate. All CVE fixes need to be shipped in RHSAs, and RHSAs require review from Product Security.
Must check
- All CVE tracker bugs in MODIFIED or later are attached to RHSAs
  - E.g. `$ elliott --group openshift-4.6 find-cve-trackers`
- All builds that include CVE fixes are attached to the correct RHSAs
  - E.g. both the el7 and el8 `openshift` builds are attached to the rpm RHSA if there is an `openshift` CVE tracker bug
Good to check
- CVE tracker bug status updates haven't been overlooked
  - E.g. bugs stuck in POST, or multiple bugs fixed by the same PR (often only one of them gets moved along)
- Whether the Go compiler version has changed (a bump indicates a Go stdlib CVE fix may be included, which would need to ship in an RHSA)
  - E.g. `$ elliott get-golang-versions <advisory-id>`
- Source code diff against the previous release (to catch potential CVE fixes)
  - Diffs between releases can be generated here: https://openshift-release.apps.ci.l2s4.p1.openshiftapps.com/
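The checks above can be scripted once the tracker, advisory and build data has been pulled. The following is an added example, not code from the ART procedure or from elliott: it applies the "Must check" and "Good to check" rules to constructed records. The TrackerBug/Advisory record shapes, the bug IDs, advisory IDs, NVRs and Go versions are invented for illustration; in practice these inputs come from Bugzilla/Jira and the Errata Tool (e.g. via the elliott commands listed above), and the functions here would be fed from that output.

```python
"""Security-metadata checker for a release's advisories.

Added example, not code from the ART procedure or from elliott. Record
shapes, IDs, NVRs and Go versions are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Red Hat Bugzilla lifecycle order; MODIFIED or later means a fix has been
# built and must therefore be attached to an advisory.
BUG_STATES = ["NEW", "ASSIGNED", "POST", "MODIFIED", "ON_QA", "VERIFIED",
              "RELEASE_PENDING", "CLOSED"]


@dataclass
class TrackerBug:
    bug_id: int
    status: str
    component: str                  # "openshift" (rpm) or an image component
    fixed_by_pr: Optional[str] = None


@dataclass
class Advisory:
    advisory_id: int
    kind: str                       # "RHSA" or "RHBA"
    bugs: Set[int] = field(default_factory=set)
    builds: Set[str] = field(default_factory=set)   # attached NVRs


def is_modified_or_later(status: str) -> bool:
    return BUG_STATES.index(status) >= BUG_STATES.index("MODIFIED")


def must_check(bugs: List[TrackerBug], advisories: List[Advisory],
               builds_for_component: Dict[str, Set[str]]) -> List[str]:
    """'Must check' rules: every MODIFIED+ CVE tracker is on an RHSA, and every
    build carrying that fix is attached to the same advisory.
    builds_for_component maps a component to all NVRs carrying the fix
    (e.g. both the el7 and el8 `openshift` rpm builds)."""
    bug_to_adv: Dict[int, Advisory] = {}
    for adv in advisories:
        for bug_id in adv.bugs:
            bug_to_adv[bug_id] = adv
    issues = []
    for bug in bugs:
        if not is_modified_or_later(bug.status):
            continue                # nothing built yet; see good_to_check()
        adv = bug_to_adv.get(bug.bug_id)
        if adv is None:
            issues.append(f"bug {bug.bug_id}: {bug.status} but attached to no advisory")
            continue
        if adv.kind != "RHSA":
            issues.append(f"bug {bug.bug_id}: attached to {adv.kind} {adv.advisory_id}, "
                          "a CVE fix must ship in an RHSA")
        missing = builds_for_component.get(bug.component, set()) - adv.builds
        for nvr in sorted(missing):
            issues.append(f"build {nvr}: carries the fix for bug {bug.bug_id} but is "
                          f"not attached to {adv.kind} {adv.advisory_id}")
    return issues


def good_to_check(bugs: List[TrackerBug]) -> Tuple[List[int], Dict[str, List[int]]]:
    """Overlooked status updates: trackers still in POST, and several trackers
    pointing at the same PR (usually only one of them got moved along)."""
    stuck_in_post = [b.bug_id for b in bugs if b.status == "POST"]
    by_pr: Dict[str, List[int]] = {}
    for b in bugs:
        if b.fixed_by_pr:
            by_pr.setdefault(b.fixed_by_pr, []).append(b.bug_id)
    shared_pr = {pr: ids for pr, ids in by_pr.items() if len(ids) > 1}
    return stuck_in_post, shared_pr


def golang_version_changes(previous: Dict[str, str],
                           current: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Components whose Go toolchain moved between releases; a bump hints that a
    Go stdlib CVE fix rode along and the advisory may need to be an RHSA."""
    return {c: (previous[c], v) for c, v in current.items()
            if c in previous and previous[c] != v}


# Constructed sample data (not real bugs, advisories or builds).
SAMPLE_BUGS = [
    TrackerBug(1001, "MODIFIED", "openshift", "openshift/origin#999"),
    TrackerBug(1002, "ON_QA", "ose-foo-container", "openshift/foo#12"),
    TrackerBug(1003, "POST", "ose-bar-container", "openshift/bar#5"),
    TrackerBug(1004, "POST", "ose-bar-container", "openshift/bar#5"),
    TrackerBug(1005, "VERIFIED", "ose-baz-container", "openshift/baz#7"),
]
SAMPLE_ADVISORIES = [
    Advisory(70001, "RHSA", {1001}, {"openshift-4.6.1-1.el8"}),      # el7 build missing
    Advisory(70002, "RHBA", {1002}, {"ose-foo-container-v4.6.1-1"}),  # wrong advisory type
]
SAMPLE_BUILDS = {
    "openshift": {"openshift-4.6.1-1.el7", "openshift-4.6.1-1.el8"},
    "ose-foo-container": {"ose-foo-container-v4.6.1-1"},
    "ose-baz-container": {"ose-baz-container-v4.6.1-1"},
}
PREV_GO = {"openshift": "go1.15.2", "ose-foo-container": "go1.15.2"}
CURR_GO = {"openshift": "go1.15.5", "ose-foo-container": "go1.15.2"}

if __name__ == "__main__":
    for line in must_check(SAMPLE_BUGS, SAMPLE_ADVISORIES, SAMPLE_BUILDS):
        print("MUST:", line)
    stuck, shared = good_to_check(SAMPLE_BUGS)
    print("stuck in POST:", stuck, "| shared PR:", shared)
    print("Go version changes:", golang_version_changes(PREV_GO, CURR_GO))
```

On the sample data this flags the missing el7 `openshift` build on the rpm RHSA, the image tracker sitting on an RHBA, the VERIFIED tracker attached to nothing, the two trackers stuck in POST against one PR, and the `openshift` Go bump; each of those is one of the review findings the checklist asks for before handing the advisories to Product Security.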
Product Security contacts:
prodsec-openshift@redhat.com
secalert@redhat.com
References:
Security bug types
Security errata first fix policy
ProdSec erratum review