Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Critical
Fix Version/s: rhel-10.1
Affects Version/s: rhel-10.1
Component/s: crypto-policies
Labels:
- Accepted
- CY25Q3

Fixed in Build:
crypto-policies-20250905-2.gitc7eb7b2.el10_1
Regression:
No
Severity:
Moderate
Epic Link:
CRYPTO-16330
sprint_count:
1

AssignedTeam:
rhel-security-crypto-spades

Dev Target Milestone:
31
Internal Target Milestone:
32
Story Points:
0.5
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
Crypto25September
Release Blocker:
Approved Exception

Acceptance Criteria:

Hide

AC) With RHEL-10.0 and crypto-policies-pq-preview installed you can update the system to RHEL-10.1. Package crypto-policies-pq-preview will be removed but if TEST-PQ subpolicy is active, it will remain so after the update (although it is different on 10.1 and 10.0)

Show
AC) With RHEL-10.0 and crypto-policies-pq-preview installed you can update the system to RHEL-10.1. Package crypto-policies-pq-preview will be removed but if TEST-PQ subpolicy is active, it will remain so after the update (although it is different on 10.1 and 10.0)
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/148296
Gating Tests:

Not Needed
Test Coverage:

Manual

Release Note Type:
Unspecified Release Note Type - Unknown
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:
Architecture:

All

PX Impact Score:
PX Impact Range:
PX Priority Data:
PX Review Complete:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

We have crypto-policies from 10.0 + crypto-policies-pq-preview to enable PQ crypto in RHEL 10.0

# dnf update
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.
rhel                                                                                                                                                 44 MB/s | 1.5 MB     00:00
rhel-AppStream                                                                                                                                       48 MB/s | 1.5 MB     00:00
Error:
 Problem 1: package crypto-policies-pq-preview-20250214-1.gitfd9b9b9.el10_0.1.noarch from @System requires crypto-policies = 20250214-1.gitfd9b9b9.el10_0.1, but none of the providers can be installed
  - cannot install both crypto-policies-20250804-1.git2ca4115.el10.noarch from rhel and crypto-policies-20250214-1.gitfd9b9b9.el10_0.1.noarch from @System
  - cannot install both crypto-policies-20250214-1.gitfd9b9b9.el10_0.1.noarch from rhel-updates and crypto-policies-20250804-1.git2ca4115.el10.noarch from rhel
  - cannot install the best update candidate for package crypto-policies-pq-preview-20250214-1.gitfd9b9b9.el10_0.1.noarch
  - cannot install the best update candidate for package crypto-policies-20250214-1.gitfd9b9b9.el10_0.1.noarch
 Problem 2: problem with installed package crypto-policies-pq-preview-20250214-1.gitfd9b9b9.el10_0.1.noarch
  - package crypto-policies-pq-preview-20250214-1.gitfd9b9b9.el10_0.1.noarch from @System requires oqsprovider, but none of the providers can be installed
  - package crypto-policies-pq-preview-20250214-1.gitfd9b9b9.el10_0.1.noarch from rhel-AppStream-updates requires oqsprovider, but none of the providers can be installed
  - package openssl-1:3.5.1-3.el10.x86_64 from rhel obsoletes oqsprovider < 0.9.0 provided by oqsprovider-0.8.0-5.el10.x86_64 from @System
  - package openssl-1:3.5.1-3.el10.x86_64 from rhel obsoletes oqsprovider < 0.9.0 provided by oqsprovider-0.8.0-5.el10.x86_64 from rhel-AppStream
  - package openssl-1:3.5.1-3.el10.x86_64 from rhel obsoletes oqsprovider < 0.9.0 provided by oqsprovider-0.8.0-5.el10.x86_64 from rhel-AppStream-updates
  - cannot install the best update candidate for package openssl-1:3.2.2-16.el10.x86_64
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

What is the impact of this issue to you?

On upgrade from 10.0 to 10.1 the crypto policies should remove crypto-policies-pq-preview

Please provide the package NVR for which the bug is seen:

How reproducible is this bug?:

Steps to reproduce

Expected results

Actual results

links to

centos-stream/rpms/crypto-policies!73: Add Obsoletes: crypto-policies-pq-preview

RHBA-2025:148296 crypto-policies bug fix and enhancement update

Assignee:: Clemens Lang

Reporter:: Dmitry Belyavskiy

Developer:: Clemens Lang

QA Contact:: Ondrej Moris

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2025/09/04 9:37 AM

Updated:: 2025/10/10 10:02 AM

Dev Target end:: 2025/09/29

Target end:: 2025/10/06

Next Planned Release Date:: 2025/11/11

Details

Description

What were you trying to do that didn't work?

What is the impact of this issue to you?

Please provide the package NVR for which the bug is seen:

How reproducible is this bug?:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide