Security Data / SECDATA-1152

Missing epoch data in recent Red Hat CSAF rpmmod advisories


    • Type: Ticket
    • Resolution: Unresolved

      Description:
      We have observed that recent Red Hat CSAF advisories related to rpmmod are missing the epoch field in the package data section.

      Expected Behavior:
      All CSAF advisories should include full RPM metadata (NEVRA: Name, Epoch, Version, Release, Architecture).

      Actual Behavior:

      • The epoch field is absent in affected CSAF advisories.
      • Earlier advisories included this field, but newer ones omit it, causing inconsistent metadata.

      Impact:

      • Missing epoch values break downstream automation that relies on full NEVRA.
      • Consumers parsing CSAF data may misinterpret packages, leading to inaccurate vulnerability assessments.

      Supporting Data:

      Example from CSAF advisory JSON:

      RPMMOD CSAF



      non RPMMOD CSAF

      Advisories where this issue is observed:

      • RHSA-2024:6148 → CSAF JSON
      • RHSA-2024:6000 → CSAF JSON
      • RHSA-2024:6001 → CSAF JSON

      Request:
      Please confirm if omission of epoch is intentional. If not, can this be corrected for future rpmmod advisories and possibly backfilled in existing CSAF data?

        1. image-2025-09-26-16-16-06-236.png
          354 kB
          Sagar Kale
        2. image-2025-09-26-16-19-06-576.png
          262 kB
          Sagar Kale
        3. image-2025-10-03-14-56-19-493.png
          442 kB
          Sagar Kale

              Assignee: Unassigned
              Reporter: Sagar Kale (sagaristhebest)
              Votes: 0
              Watchers: 3
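
A check a CSAF consumer could run before relying on NEVRA data from an advisory, added here as an example; it is not part of the original ticket or of Red Hat's tooling. It assumes epoch is carried either in the purl `epoch` qualifier or in a NEVRA-style `product_id`, and the sample document and every name in it are constructed.

```python
import re
from urllib.parse import parse_qs

# NEVRA string: name-[epoch:]version-release.arch
NEVRA = re.compile(r"^(?P<name>.+)-(?:(?P<epoch>\d+):)?(?P<version>[^-:]+)"
                   r"-(?P<release>[^-]+)\.(?P<arch>[^.]+)$")

def iter_products(branches):
    """Yield every `product` object under CSAF 2.0 product_tree.branches."""
    for branch in branches or []:
        if "product" in branch:
            yield branch["product"]
        yield from iter_products(branch.get("branches"))

def epoch_report(csaf):
    """Return {product_id: epoch or None} for entries whose purl type is rpm."""
    report = {}
    for product in iter_products(csaf.get("product_tree", {}).get("branches")):
        purl = product.get("product_identification_helper", {}).get("purl", "")
        if not purl.startswith("pkg:rpm/"):
            continue  # not an RPM entry, so no NEVRA is expected
        pid = product["product_id"]
        from_purl = parse_qs(purl.partition("?")[2]).get("epoch", [None])[0]
        nevra = NEVRA.match(pid)  # assumption: product_id is a NEVRA string
        report[pid] = from_purl or (nevra.group("epoch") if nevra else None)
    return report

def missing_epoch(csaf):
    """Product IDs for which a consumer would have to guess the epoch."""
    return sorted(p for p, epoch in epoch_report(csaf).items() if epoch is None)

def _branch(pid, helper):
    # Builds one constructed product_version branch for the sample below.
    return {"category": "product_version", "name": pid,
            "product": {"name": pid, "product_id": pid,
                        "product_identification_helper": helper}}

# Constructed sample, not copied from any Red Hat advisory.
SAMPLE = {"product_tree": {"branches": [{
    "category": "vendor", "name": "Example Vendor", "branches": [
        _branch("examplepkg-1:2.0-3.el8.x86_64",
                {"purl": "pkg:rpm/example/examplepkg@2.0-3.el8?arch=x86_64&epoch=1"}),
        _branch("modpkg-2.0-3.module.x86_64",
                {"purl": "pkg:rpm/example/modpkg@2.0-3.module?arch=x86_64"}),
        _branch("example-os-8", {"cpe": "cpe:/o:example:os:8"}),
    ]}]}}

if __name__ == "__main__":
    for pid in missing_epoch(SAMPLE):
        print("no epoch:", pid)
```

Entries returned by `missing_epoch` are the ones where a pipeline that silently defaults to epoch 0 can mis-order versions against an installed package with a non-zero epoch.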