My apologies for confusion over version – I meant 4.3, not 4.4 We support/ship 4.3 to our customers right now – we will be moving to 4.4 later this year [oracle-email-sig-198324-355094] Gregory King | Software Development Manager | +1.303.272.2427 Oracle Virtualization Sustaining Engineering 500 Eldorado Boulevard Build 5 | Broomfield Colorado 80021 Mobile: +1.303.968.8169 | Fax: +1.303.272.2427 From: Sandro Bonazzola [mailto:sbonazzo@redhat.com] Sent: Monday, May 24, 2021 12:26 AM To: Greg King <greg.king(a)oracle.com&gt; Cc: devel(a)ovirt.org; John Priest <john.priest(a)oracle.com>; Shubha Kulkarni <shubha.kulkarni(a)oracle.com>; Cameron Tarvin <cameron.tarvin(a)oracle.com&gt; Subject: [External] : Re: [ovirt-devel] Security question: rh-postgresql10-postgresql-10.6-1 Il giorno dom 23 mag 2021 alle ore 09:25 Greg King <greg.king@oracle.com<mailto:greg.king@oracle.com>> ha scritto: Situation: We have a couple customer bugs where the current version of rh-postgresql10 is getting flagged in security scans: rh-postgresql10-postgresql-10.6-1.el7.x86_64 We noticed from this Red Hat security advisory that the security problem is resolved with this version of the package: • Advisory: https://access.redhat.com/errata/RHSA-2020:5316<https://urldefense.com... • Package: rh-postgresql10-postgresql-10.15-1.el7.x86_64 However, oVirt 4.4 still includes 10.6-1 and not 10.15-1 Please note oVirt 4.4 is not using PostgreSQL 10, it's using 12. For instance, 4.4.6 appliance uses: postgresql-12.5-1.module_el8.4.0+597+7b8b5722.x86_64 postgresql-contrib-12.5-1.module_el8.4.0+597+7b8b5722.x86_64 postgresql-server-12.5-1.module_el8.4.0+597+7b8b5722.x86_64 Question: We need to let customers know why rh-postgresql10-postgresql-10.15-1.el7.x86_64 is not included with the latest errata release of oVirt 4.4 Is there an written policy or communication from the community one way or the other regarding the security vulnerability resolved with rh-postgresql10-postgresql-10.15-1.el7.x86_64? (IE: it was reviewed and found not to be applicable, it will be in the next errata release, etc – something along those lines) [oracle-email-sig-198324-355094] Gregory King | Software Development Manager | +1.303.272.2427 Oracle Virtualization Sustaining Engineering 500 Eldorado Boulevard Build 5 | Broomfield Colorado 80021 Mobile: +1.303.968.8169 | Fax: +1.303.272.2427 _______________________________________________ Devel mailing list -- devel@ovirt.org<mailto:devel@ovirt.org> To unsubscribe send an email to devel-leave@ovirt.org<mailto:devel-leave@ovirt.org> Privacy Statement: https://www.ovirt.org/privacy-policy.html<https://urldefense.com/v3/__... oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/<https://ur... List Archives: https://lists.ovirt.org/archives/list/devel@ovirt.org/message/ND2737GQUTM... -- Sandro Bonazzola MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV Red Hat EMEA<https://urldefense.com/v3/__https:/www.redhat.com/__;!!GqivPVa7Br... sbonazzo@redhat.com<mailto:sbonazzo@redhat.com> [https://static.redhat.com/libs/redhat/brand-assets/2/corp/logo--200.png]&... Red Hat respects your work life balance. Therefore there is no need to answer this email out of your office hours. <https://urldefense.com/v3/__https:/mojo.redhat.com/docs/DOC-1199578__;!!G...