RHEL-85152

BuildRequires should reflect necessary versions for CVE mitigation [rhel-9]


• Type: Bug
• Priority: Minor
• Resolution: Won't Do
• Component: gcc
• rhel-9.7
• CentOS Stream 9
• rhel-pt-gcc, ssg_platform_tools
• CentOS Stream, Red Hat Enterprise Linux
• Sprint: PT GCC 2025 S05
• All
• Release Note Type: Unspecified - Unknown

I was recently patching some systems for `CVE-2020-11023 (RHEL-78377)`. While researching the issue, I discovered that the BuildRequires for `doxygen` has not been updated from `doxygen >= 1.7.1`.

According to the Koji Package Logs, the patched `gcc` packages were built against `doxygen-1.9.1-12.el9`, which is patched for this CVE. Should the upstream packages not have their BuildRequires statements updated in the spec file to ensure anyone else who might be building from source RPM is patched?
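The gap the reporter describes is that a floor such as `doxygen >= 1.7.1` is satisfied by any doxygen newer than 1.7.1, patched or not, so a rebuild from the SRPM on a host with an older 1.9.1 release would pass dependency resolution without the fix. The following added example (not code from the issue, from Red Hat, or from the gcc package) shows the check a packager could run against a spec: a Python port of rpm's `rpmvercmp()` segment comparison plus a simplified EVR comparison (epochs compared only when both sides carry one), applied to a constructed spec fragment. The `FIXES` table is an assumption built from the report, which names `doxygen-1.9.1-12.el9` as the build-time version that carried the fix; the `1.9.1-11.el9` release used below is a hypothetical older release for contrast, not a statement about any real package.

```python
"""Check whether a spec file's BuildRequires floors guarantee a fixed EVR.

Added example, not from the Jira issue or the gcc package.  The spec
fragment, the FIXES table and the EVRs compared are constructed."""
import re
from typing import Dict, Optional, Tuple

# Constructed spec fragment modelled on the report: the floor predates
# the doxygen release that the reporter says carried the fix.
SPEC_FRAGMENT = """\
Name:           example
BuildRequires:  doxygen >= 1.7.1
BuildRequires:  texinfo
BuildRequires:  glibc-devel >= 2.34
"""

# Assumed fix table: package -> first EVR believed to carry the fix.
# The doxygen EVR is the build-time version quoted in the report.
FIXES = {"doxygen": "1.9.1-12.el9"}

# One dependency per BuildRequires line, optional "op EVR" constraint.
BUILDREQ_RE = re.compile(
    r"^BuildRequires:\s*(?P<name>\S+)(?:\s*(?P<op>>=|<=|=|>|<)\s*(?P<evr>\S+))?",
    re.MULTILINE,
)


def _take(s: str, start: int, digits: bool) -> str:
    """Maximal run of digits (or of letters) starting at s[start]."""
    end = start
    while end < len(s) and (s[end].isdigit() if digits else s[end].isalpha()):
        end += 1
    return s[start:end]


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1, 0 or 1 as a <, ==, > b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators are anything that is not alphanumeric, '~' or '^'.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":          # tilde sorts before everything
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # caret sorts before all but end
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        isnum = ca.isdigit()
        seg_a = _take(a, i, isnum)
        seg_b = _take(b, j, isnum)
        i, j = i + len(seg_a), j + len(seg_b)
        if not seg_b:                        # numeric beats alphabetic
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1         # leftover characters win


def parse_evr(evr: str) -> Tuple[Optional[int], str, Optional[str]]:
    """Split '[epoch:]version[-release]' into its three parts."""
    epoch = None
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release or None


def evr_cmp(a: str, b: str) -> int:
    """Simplified EVR order: epoch only when both present, release only
    when both present (a bare '1.9.1' matches every release of 1.9.1)."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea is not None and eb is not None and ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    if rc != 0 or ra is None or rb is None:
        return rc
    return rpmvercmp(ra, rb)


def satisfies(evr: str, op: str, req_evr: str) -> bool:
    """Would a package at `evr` satisfy the constraint 'op req_evr'?"""
    rc = evr_cmp(evr, req_evr)
    return {">=": rc >= 0, ">": rc > 0, "=": rc == 0, "<=": rc <= 0, "<": rc < 0}[op]


def check_spec(spec_text: str, fixes: Dict[str, str]) -> Dict[str, Tuple[str, bool]]:
    """For each BuildRequires naming a package in `fixes`, report the declared
    constraint and whether it alone guarantees the fixed EVR at build time."""
    out = {}
    for m in BUILDREQ_RE.finditer(spec_text):
        name, op, evr = m.group("name", "op", "evr")
        if name not in fixes:
            continue
        constraint = f"{op} {evr}" if op else "(any version)"
        # Only a lower bound at or above the fix guarantees it; an upper
        # bound or no bound at all never does.
        sufficient = op in (">=", ">", "=") and evr_cmp(evr, fixes[name]) >= 0
        out[name] = (constraint, sufficient)
    return out


if __name__ == "__main__":
    for name, (constraint, ok) in check_spec(SPEC_FRAGMENT, FIXES).items():
        print(f"{name}: BuildRequires {constraint} -> "
              f"{'guarantees' if ok else 'does NOT guarantee'} {FIXES[name]}")
    # The hypothetical older release passes the spec's floor too.
    print("1.9.1-11.el9 satisfies '>= 1.7.1':", satisfies("1.9.1-11.el9", ">=", "1.7.1"))
```

Running the check against the constructed fragment flags `doxygen >= 1.7.1` as insufficient, while the same spec with `doxygen >= 1.9.1-12.el9` passes; the floor, not the build log, is what protects someone rebuilding the SRPM elsewhere.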

People: Siddhesh Poyarekar, Dylan Redding (Inactive), SST PT GCC Bot, Vaclav Kadlcik
Votes: 0
Watchers: 11
