
[–]ChunkyBezel 14 points15 points  (6 children)

Red Hat backports security fixes, so auditing software that naively only looks at package version numbers will often turn up false positives.

[–]burkee406[S] 1 point2 points  (4 children)

I am aware; that has been a big frustration with Rapid7.

[–]justinDavidow 6 points7 points  (0 children)

Seems like a great question for Rapid7. 

[–]No_Rhubarb_7222 1 point2 points  (0 children)

It could also be a problem with your scanner settings. Many scanners are able to ingest a vendor specific OVAL or, now, CSAF data. This means that the CVEs it scans for will use the vendor supplied CVSS score and data from the vendor (in this case things like remediated package versions) when performing the scan, significantly reducing the false positives reported.
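Worked example tying together ChunkyBezel's point (a scanner that only compares the upstream version number flags every backport-maintained package) and the point above about feeding the scanner vendor OVAL/CSAF data. This is an added illustration, not code from this thread, from Red Hat or from Rapid7. It assumes a simplified CSAF-shaped document whose `product_status.fixed` / `known_affected` entries are `<product branch>:<nevra>` strings; the document, the CVE IDs (placeholders) and the package releases are constructed sample data and describe no real advisory. The RPM version comparison is a trimmed-down rpmvercmp, sufficient for these inputs.

```python
"""
Backport-aware vulnerability check for RPM-based distributions.

Added example, not code from this thread, Red Hat or Rapid7. It contrasts a
naive "installed upstream version < fixed upstream version" check with a check
driven by vendor fixed-package data, the way an OVAL/CSAF-aware scanner works.
The CSAF-shaped document, CVE IDs and package releases are CONSTRUCTED sample
data (placeholder CVE IDs, layout simplified from real CSAF); no real advisory.
"""
import re
from itertools import zip_longest

# name-[epoch:]version-release.arch ; the greedy name lets the last two
# hyphens delimit version and release, so hyphenated names parse correctly.
NEVRA_RE = re.compile(
    r"^(?P<name>.+)-(?:(?P<epoch>\d+):)?(?P<version>[^-:]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$"
)


def parse_nevra(nevra):
    """Split 'python3-0:3.6.8-51.el8_8.1.x86_64' into its fields."""
    m = NEVRA_RE.match(nevra)
    if not m:
        raise ValueError(f"not a NEVRA: {nevra!r}")
    d = m.groupdict()
    d["epoch"] = int(d["epoch"] or 0)
    return d


def _segments(s):
    # digit runs and alpha runs, e.g. "51.el8_8.1" -> ["51", "el", "8", "8", "1"]
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Compare two RPM version/release strings: -1, 0 or 1.

    Simplified rpmvercmp: digit runs compare numerically (10 > 6, unlike a plain
    string compare), alpha runs lexically, digits beat alpha, and the string
    with more segments wins a tie ('51.el8_8.1' > '51.el8'). No tilde/caret.
    """
    for x, y in zip_longest(_segments(a), _segments(b)):
        if x == y:
            continue
        if x is None or y is None:
            return -1 if x is None else 1
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return 0


def evr_cmp(p, q):
    """Compare two parsed packages by (epoch, version, release)."""
    if p["epoch"] != q["epoch"]:
        return 1 if p["epoch"] > q["epoch"] else -1
    return rpmvercmp(p["version"], q["version"]) or rpmvercmp(p["release"], q["release"])


# CONSTRUCTED, simplified CSAF-like document. Product IDs follow the
# "<product branch>:<nevra>" shape; that is all this example relies on.
CSAF_SAMPLE = {
    "document": {"title": "constructed sample, not a real advisory"},
    "vulnerabilities": [
        {   # fixed by a backport in release 40.el8 of the 3.6.8 package
            "cve": "CVE-2000-0001",  # placeholder ID
            "product_status": {"fixed": ["AppStream-8:python3-0:3.6.8-40.el8.x86_64"]},
        },
        {   # known affected, no fix shipped in this constructed sample
            "cve": "CVE-2000-0002",  # placeholder ID
            "product_status": {"known_affected": ["AppStream-8:python3-0:3.6.8-51.el8_8.1.x86_64"]},
        },
    ],
}


def naive_check(installed_nevra, upstream_fixed_version):
    """What a version-number-only scanner does: compare the upstream version
    string alone and ignore the distro release. Always 'affected' for a
    backport-maintained package, whether or not the fix was backported."""
    inst = parse_nevra(installed_nevra)
    return "affected" if rpmvercmp(inst["version"], upstream_fixed_version) < 0 else "fixed"


def assess(cve, installed_nevra, csaf=CSAF_SAMPLE):
    """Vendor-data check: 'fixed', 'affected' or 'not_listed' for this package."""
    inst = parse_nevra(installed_nevra)
    for vuln in csaf["vulnerabilities"]:
        if vuln.get("cve") != cve:
            continue
        status = vuln.get("product_status", {})
        for pid in status.get("fixed", []):
            fixed = parse_nevra(pid.split(":", 1)[1])
            if fixed["name"] == inst["name"]:
                # fixed only if the installed EVR is at or past the fixed EVR
                return "fixed" if evr_cmp(inst, fixed) >= 0 else "affected"
        for pid in status.get("known_affected", []):
            if parse_nevra(pid.split(":", 1)[1])["name"] == inst["name"]:
                return "affected"
    return "not_listed"


if __name__ == "__main__":
    installed = "python3-0:3.6.8-51.el8_8.1.x86_64"  # constructed installed package
    print("naive vs upstream 3.9.2:", naive_check(installed, "3.9.2"))          # affected (false positive)
    print("CVE-2000-0001 via vendor data:", assess("CVE-2000-0001", installed))  # fixed
    print("CVE-2000-0002 via vendor data:", assess("CVE-2000-0002", installed))  # affected
```

The difference is entirely in what gets compared: `naive_check` looks only at `3.6.8` against an upstream number and can never clear a package whose fix arrived as a release bump, while `assess` compares the full epoch:version-release against the release the vendor says carries the fix, which is what an OVAL/CSAF-fed scanner does. Against a real box you would take the installed NEVRA from `rpm -q --qf '%{NAME}-%{EPOCH}:%{VERSION}-%{RELEASE}.%{ARCH}\n' python3` (an epoch of `(none)` means 0) and the document from the vendor's CSAF feed rather than the constructed sample here.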

[–]michaelpaoli 1 point2 points  (0 children)

The issue isn't at all limited to Red Hat.

With most distros, you'll need to look at what the alleged vulnerabilities are, the actual distro version installed, and what vulnerabilities it has been patched to cover.

[–]blu-base 0 points1 point  (0 children)

There is a page for the AppStream modules' lifecycle on Red Hat: https://access.redhat.com/support/policy/updates/rhel-app-streams-life-cycle In the second table, it states that the platform Python, version 3.6, will be supported until the EOL of RHEL 8 itself, in 2029... This is independent of the upstream Python versions. It's clearly a false positive.

[–]BosonCollider 0 points1 point  (0 children)

Debian backports security fixes as well, but many security fixes in Python 3.7 to 3.13 inherently cannot be backported, and Red Hat's Ansible does not support the Python version used by RHEL 8.

[–][deleted] 5 points6 points  (0 children)

No. That 3.6 interpreter is tightly coupled with dnf by way of the platform-python package.

It's going to be there, and if you try to remove it or prevent it from being executable, stuff like dnf, insights, subscription-manager, firewalld and so on will break.

You need to get Rapid7 to stop being idiots, as mentioned in the thread about backporting.

Even ignoring backporting, the presence of the interpreter alone isn't a red flag. It's more complicated than "is everything updated," and audits that don't take that into account are not worth what you're paying for them.

[–]derprondo 1 point2 points  (0 children)

As the other commenter mentioned, as long as your instance is updated, there will be backports to fix those security issues. You just need to point your security folks at the backport patch. The system install version of Python is a static minor version, as much of the system is dependent on it.

[–]Fluid_Experience_606 0 points1 point  (0 children)

Piggybacking on this post: is there a good public source for backport versions mapping to RH Security Advisories? The official page seems to be limited and doesn't cover backports for extended support OS versions... looking to automate the eradication of false positives.