
Stable Branch fix cmsec dist_tag_compatible cross-minor false indeterminate in 132.…

Discussion in 'Centmin Mod Github Commits' started by eva2000, Jun 13, 2026 at 6:24 AM.

    fix cmsec dist_tag_compatible cross-minor false indeterminate in 132.00stable

    On hosts running a newer EL minor update stream than the hardcoded baseline
    (e.g. el9_8 vs el9_7 baseline, el10_2 vs el10_1 baseline), dist_tag_compatible()
    rejected the comparison as "refused-cross-vendor", and the RPM changelog fallback
    also failed because newer-stream packages have their own changelogs. All 4 CVEs
    reported "status indeterminate" even though ver_ge() would have correctly found
    the running kernel above the baseline.

    Changes:
    - Add same-EL-major cross-minor fallback at the end of dist_tag_compatible() in
    all 5 check scripts: extract the EL major prefix (.el9, .el10, etc.) from both
    normalised tags; if they match and share the same CloudLinux (.lve) prefix,
    declare compatible and let ver_ge() decide the direction via sort -V
    - Include (h)? in the major-extraction regex to preserve the CL7h suffix,
    keeping .lve.el7h incompatible with .lve.el7 (adversarial review P1 fix)
    - Verified on AlmaLinux 9.8 (el9_8 kernel), Rocky Linux 9.8 (el9_8 kernel),
    and AlmaLinux 10.2 (el10_2 kernel): all 4 affected CVEs now show PATCHED;
    CVE-2026-43500 remains NOT AFFECTED on default installs

    132.00stable branch
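
The cross-minor fallback described in the commit message above, sketched as an added example that is not the cmsec scripts' own code. The helper names `el_major`, `lve_prefix`, `cross_minor_compatible` and `classify`, the `ver_ge` body, the `VULNERABLE` and `INDETERMINATE` labels, and the sample tags and kernel versions are all constructed assumptions.

```shell
#!/bin/sh
# Added illustration; not the cmsec source. Helper names and sample data are constructed.

# EL major token of a dist tag: ".el9_8" -> "el9", ".lve.el7h" -> "el7h".
# The optional "h" is kept so a CL7h tag never collapses into plain el7.
el_major() {
  printf '%s\n' "$1" | sed -nE 's/.*\.(el[0-9]+h?)(_[0-9]+)?([^0-9A-Za-z].*)?$/\1/p'
}

# "lve" when the tag carries the CloudLinux .lve prefix, otherwise "none".
lve_prefix() {
  case "$1" in
    *.lve.*|*.lve) echo lve ;;
    *) echo none ;;
  esac
}

# Succeeds when both tags share the EL major token and the .lve prefix state.
cross_minor_compatible() {
  _a=$(el_major "$1"); _b=$(el_major "$2")
  [ -n "$_a" ] && [ "$_a" = "$_b" ] && [ "$(lve_prefix "$1")" = "$(lve_prefix "$2")" ]
}

# Assumed stand-in for ver_ge(): true when $1 sorts at or above $2 under sort -V.
ver_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# classify RUNNING_VER RUNNING_TAG BASELINE_VER BASELINE_TAG
classify() {
  if ! cross_minor_compatible "$2" "$4"; then echo INDETERMINATE; return 0; fi
  if ver_ge "$1" "$3"; then echo PATCHED; else echo VULNERABLE; fi
}

# Constructed samples: running kernel vs. hardcoded baseline.
classify 5.14.0-611.5.1 .el9_8     5.14.0-570.12.1 .el9_7    # PATCHED
classify 3.10.0-962.3.2 .lve.el7h  3.10.0-962.3.2  .lve.el7  # INDETERMINATE
```

Compatibility only decides whether the two versions may be compared at all; the direction of the result comes entirely from the version sort, so a tag pair that fails the check stays indeterminate rather than being guessed.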