Note for Release ARTists: Follow this procedure to attach flaws bug and convert RHBAs to RHSAs if needed: https://github.com/openshift/art-docs/blob/master/4.y.z-stream.md#attach-first-fix-cve-flaw-bugs

Sub-task to review the release's advisories and ensure the security metadata is accurate. All CVE fixes need to be shipped in RHSAs and RHSAs require review from Product Security.

Required checks

• elliott --group openshift-4.8 find-cve-trackers
  • All CVE tracker bugs in MODIFIED or later are attached to RHSAs
• elliott validate-rhsa <id>
  • No issues reported (aside from text/spelling issues)
  • Y-stream/4.y.0 releases can have false positive warnings related to "first fix" rule
• All builds that include CVE fixes are attached to correct RHSAs
  • E.g. Both el7/el8 openshift (hyperkube) builds are attached to rpm RHSA if there's an openshift CVE tracker bug

Optional checks

• CVE tracker bugs status updates haven't been overlooked
  • E.g. bugs stuck in POST or multiple bugs fixed by same PR
• Go compiler version hasn't changed (indicates Go stdlib CVE fix may be included)
  • E.g. elliott get-golang-versions <advisory-id>
• Source code diff between previous release (to catch potential CVE fixes)
  • Diff between releases can be done here: https://openshift-release.apps.ci.l2s4.p1.openshiftapps.com/

Product Security contacts:

prodsec-openshift@redhat.com
secalert@redhat.com

References:

Security bug types
Security errata first fix policy
ProdSec erratum review