- Bug
- Resolution: Done
- Major
- None
- Important
- 5
Description of Problem
Before opening this JIRA, the CVE https://access.redhat.com/security/cve/CVE-2014-0241 used to show "Red Hat Satellite 6" as affected and "Red Hat Satellite 6.0" as fixed.
After reaching out to secalert@redhat.com about this and a few other CVEs, the SR INC3253909 was opened and much of the CVE information was corrected, including this one.
Now if we open the CVE, it shows a list of two "Red Hat Satellite 6.0" entries and the status is Fixed. But if I register a Satellite 6.11 or 6.14 or 6.15 with Red Hat Insights, then the Satellite still shows up as affected by CVE-2014-0241, and that is very misleading.
How reproducible
Always
Steps to Reproduce
- Install a Satellite 6.X version
- Register it with Insights
- Check the system profile in Insights Inventory and then navigate to the list of CVEs.
Actual Behavior
If we clear the "Available" filter, then among many others, CVE-2014-0241 also shows up as affecting the system, which it should not.
Expected Behavior
No such false-positives
Business Impact / Additional info
End users cannot trust the data provided by Red Hat on CVEs due to the many false positives reported by the Vulnerability service.