XMLWordPrintable

    • Icon: Sub-task Sub-task
    • Resolution: Done
    • Icon: Undefined Undefined
    • None
    • None
    • None
    • None
    • False
    • False
    • ?
    • No
    • ?
    • ?
    • ?
    • undefined

      Note for Release ARTists: Follow this procedure to attach flaws bug and convert RHBAs to RHSAs if needed: https://github.com/openshift/art-docs/blob/master/4.y.z-stream.md#attach-first-fix-cve-flaw-bugs


      Sub-task to review the release's advisories and ensure the security metadata is accurate. All CVE fixes need to be shipped in RHSAs and RHSAs require review from Product Security.

      Required checks

      • elliott --group openshift-4.8 find-cve-trackers
        • All CVE tracker bugs in MODIFIED or later are attached to RHSAs
      • elliott validate-rhsa <id>
        • No issues reported (aside from text/spelling issues)
        • Y-stream/4.y.0 releases can have false positive warnings related to "first fix" rule
      • All builds that include CVE fixes are attached to correct RHSAs
        • E.g. Both el7/el8 openshift (hyperkube) builds are attached to rpm RHSA if there's an openshift CVE tracker bug

      Optional checks

      • CVE tracker bugs status updates haven't been overlooked
        • E.g. bugs stuck in POST or multiple bugs fixed by same PR
      • Go compiler version hasn't changed (indicates Go stdlib CVE fix may be included)
        • E.g. elliott get-golang-versions <advisory-id>
      • Source code diff between previous release (to catch potential CVE fixes)

      Product Security contacts:

      prodsec-openshift@redhat.com
      secalert@redhat.com

      References:

      Security bug types
      Security errata first fix policy
      ProdSec erratum review

              sfowler@redhat.com Sam Fowler
              openshift-art-jira-bot ART Bot
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: