Howdy Folks
I have an AlmaLinux 8.9 host with FreeIPA installed.
Yesterday I updated the host from AlmaLinux 8.6 to AlmaLinux 8.9. After that I checked AWS Inspector, and the host showed the following vulnerable packages:
- httpcomponents-client-4.5.5-5.module_el8.6.0+2752+f1f3449e.noarch
- apache-commons-codec-1.11-3.module_el8.6.0+2752+f1f3449e.noarch
- slf4j-jdk14-1.7.25-4.module_el8.5.0+2577+9e95fe00.noarch
- slf4j-1.7.25-4.module_el8.6.0+2752+f1f3449e.noarch
- httpcomponents-core-4.4.10-3.module_el8.6.0+2752+f1f3449e.noarch
- apache-commons-lang3-3.7-3.module_el8.6.0+2752+f1f3449e.noarch
The host has all packages up to date, but there are newer versions of those ‘affected’ packages listed in AWS Inspector.
The host has only one module installed, which is idm (FreeIPA):
```
dnf module list --installed
Last metadata expiration check: 0:32:03 ago on Thu 18 Jan 2024 05:07:20 PM UTC.
AlmaLinux 8 - AppStream
Name Stream Profiles Summary
idm DL1 [e] adtrust, client [i], common [d] [i], dns, server [i] The Red Hat Enterprise Linux Identity Management system module
Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled
```

```
dnf repolist
repo id repo name
appstream AlmaLinux 8 - AppStream
baseos AlmaLinux 8 - BaseOS
epel Extra Packages for Enterprise Linux 8 - x86_64
extras AlmaLinux 8 - Extras
zabbix Zabbix Official Repository - x86_64
zabbix-agent2-plugins Zabbix Official Repository (Agent2 Plugins) - x86_64
```

```
dnf update
Last metadata expiration check: 0:32:23 ago on Thu 18 Jan 2024 05:07:20 PM UTC.
Dependencies resolved.
Nothing to do.
Complete!
```
I checked which other modules have newer versions of the affected packages and tried to enable those modules to see if I could update them.
```
httpcomponents-client-4.5.10-4.module_el8.8.0+3546+09d25189.noarch
Module : maven:3.6:8080020230411074401:7dadbc74:x86_64
Profiles :
Repo : appstream
Summary : Java project management and project comprehension tool
httpcomponents-client-4.5.13-5.module_el8.8.0+3547+dbd3d703.noarch
Module : maven:3.8:8080020230411075215:89d92b8f:x86_64
Profiles :
Repo : appstream
Summary : Java project management and project comprehension tool
httpcomponents-client-4.5.5-5.module_el8.6.0+2752+f1f3449e.noarch
Module : maven:3.5:8060020220530101136:dca7b4a4:x86_64
Profiles :
Repo : appstream
Summary : Java project management and project comprehension tool
Last metadata expiration check: 0:08:58 ago on Wed 17 Jan 2024 06:53:56 PM UTC.
apache-commons-codec-1.11-3.module_el8.6.0+2752+f1f3449e.noarch
Module : maven:3.5:8060020220530101136:dca7b4a4:x86_64
Profiles :
Repo : appstream
Summary : Java project management and project comprehension tool
apache-commons-codec-1.13-3.module_el8.8.0+3546+09d25189.noarch
Module : maven:3.6:8080020230411074401:7dadbc74:x86_64
Profiles :
Repo : appstream
Summary : Java project management and project comprehension tool
apache-commons-codec-1.15-7.module_el8.8.0+3547+dbd3d703.noarch
Module : maven:3.8:8080020230411075215:89d92b8f:x86_64
Profiles :
Repo : appstream
Summary : Java project management and project comprehension tool
Last metadata expiration check: 0:09:00 ago on Wed 17 Jan 2024 06:53:56 PM UTC.
slf4j-1.7.25-4.module_el8.5.0+2577+9e95fe00.noarch
Module : pki-deps:10.6:8070020221012121937:9edba152:x86_64
Profiles :
Repo : appstream
Summary : PKI Dependencies module for PKI 10.6 or later
slf4j-1.7.25-4.module_el8.6.0+2752+f1f3449e.noarch
Module : maven:3.5:8060020220530101136:dca7b4a4:x86_64
Profiles :
Repo : appstream
Summary : Java project management and project comprehension tool
slf4j-1.7.28-3.module_el8.8.0+3546+09d25189.noarch
Module : maven:3.6:8080020230411074401:7dadbc74:x86_64
Profiles :
Repo : appstream
Summary : Java project management and project comprehension tool
slf4j-1.7.32-4.module_el8.8.0+3547+dbd3d703.noarch
Module : maven:3.8:8080020230411075215:89d92b8f:x86_64
Profiles :
Repo : appstream
Summary : Java project management and project comprehension tool
Last metadata expiration check: 0:09:01 ago on Wed 17 Jan 2024 06:53:56 PM UTC.
httpcomponents-core-4.4.10-3.module_el8.6.0+2752+f1f3449e.noarch
Module : maven:3.5:8060020220530101136:dca7b4a4:x86_64
Profiles :
Repo : appstream
Summary : Java project management and project comprehension tool
httpcomponents-core-4.4.12-3.module_el8.8.0+3546+09d25189.noarch
Module : maven:3.6:8080020230411074401:7dadbc74:x86_64
Profiles :
Repo : appstream
Summary : Java project management and project comprehension tool
httpcomponents-core-4.4.13-7.module_el8.8.0+3547+dbd3d703.noarch
Module : maven:3.8:8080020230411075215:89d92b8f:x86_64
Profiles :
Repo : appstream
Summary : Java project management and project comprehension tool
Last metadata expiration check: 0:09:03 ago on Wed 17 Jan 2024 06:53:56 PM UTC.
apache-commons-lang3-3.12.0-7.module_el8.8.0+3547+dbd3d703.noarch
Module : maven:3.8:8080020230411075215:89d92b8f:x86_64
Profiles :
Repo : appstream
Summary : Java project management and project comprehension tool
apache-commons-lang3-3.7-3.module_el8.6.0+2752+f1f3449e.noarch
Module : maven:3.5:8060020220530101136:dca7b4a4:x86_64
Profiles :
Repo : appstream
Summary : Java project management and project comprehension tool
apache-commons-lang3-3.9-4.module_el8.8.0+3546+09d25189.noarch
Module : maven:3.6:8080020230411074401:7dadbc74:x86_64
Profiles :
Repo : appstream
Summary : Java project management and project comprehension tool
```
I tried to enable the maven module version 3.6 or 3.8, but I have an issue with the package slf4j:
```
dnf install slf4j
Last metadata expiration check: 3:38:14 ago on Wed 17 Jan 2024 02:29:37 PM UTC.
Package slf4j-1.7.25-4.module_el8.6.0+2752+f1f3449e.noarch is already installed.
Error:
Problem: problem with installed package slf4j-jdk14-1.7.25-4.module_el8.5.0+2577+9e95fe00.noarch
- package slf4j-jdk14-1.7.25-4.module_el8.5.0+2577+9e95fe00.noarch from @System requires mvn(org.slf4j:slf4j-api) = 1.7.25, but none of the providers can be installed
- package slf4j-jdk14-1.7.25-4.module_el8.5.0+2577+9e95fe00.noarch from appstream requires mvn(org.slf4j:slf4j-api) = 1.7.25, but none of the providers can be installed
- cannot install both slf4j-1.7.32-4.module_el8.8.0+3547+dbd3d703.noarch from appstream and slf4j-1.7.25-4.module_el8.6.0+2752+f1f3449e.noarch from @System
- cannot install both slf4j-1.7.32-4.module_el8.8.0+3547+dbd3d703.noarch from appstream and slf4j-1.7.25-4.module_el8.5.0+2577+9e95fe00.noarch from appstream
- cannot install the best candidate for the job
- package slf4j-1.7.25-4.module_el8.6.0+2752+f1f3449e.noarch from appstream is filtered out by modular filtering
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
```

```
dnf install slf4j --allowerasing
Last metadata expiration check: 3:39:05 ago on Wed 17 Jan 2024 02:29:37 PM UTC.
Package slf4j-1.7.25-4.module_el8.6.0+2752+f1f3449e.noarch is already installed.
Dependencies resolved.
=====================================================================================================================================================
Package Architecture Version Repository Size
=====================================================================================================================================================
Upgrading:
slf4j noarch 1.7.32-4.module_el8.8.0+3547+dbd3d703 appstream 79 k
Removing dependent packages:
idm-pki-acme noarch 10.14.3-1.module_el8.8.0+3499+bdda178f @appstream 2.8 M
idm-pki-base-java noarch 10.14.3-1.module_el8.8.0+3499+bdda178f @appstream 768 k
idm-pki-ca noarch 10.14.3-1.module_el8.8.0+3499+bdda178f @appstream 3.3 M
idm-pki-kra noarch 10.14.3-1.module_el8.8.0+3499+bdda178f @appstream 617 k
idm-pki-server noarch 10.14.3-1.module_el8.8.0+3499+bdda178f @appstream 6.0 M
idm-pki-symkey x86_64 10.14.3-1.module_el8.8.0+3499+bdda178f @appstream 106 k
idm-pki-tools x86_64 10.14.3-1.module_el8.8.0+3499+bdda178f @appstream 1.4 M
ipa-healthcheck noarch 0.12-3.module_el8.9.0+3651+d05ea4c5 @appstream 325 k
ipa-server x86_64 4.9.12-11.module_el8.9.0+3715+e4197dc9.alma.1 @appstream 1.1 M
jss x86_64 4.9.4-1.module_el8.7.0+3316+50b99934 @appstream 1.5 M
ldapjdk noarch 4.23.0-1.module_el8.6.0+2764+9fc58d50 @appstream 350 k
slf4j-jdk14 noarch 1.7.25-4.module_el8.5.0+2577+9e95fe00 @appstream 11 k
tomcatjss noarch 7.7.1-1.module_el8.6.0+2764+9fc58d50 @appstream 76 k
Transaction Summary
=====================================================================================================================================================
Upgrade 1 Package
Remove 13 Packages
Total download size: 79 k
Is this ok [y/N]:
```
How can I update the ‘affected’ packages without removing ipa-server?
What do you think, should I enable maven 3.6 or maven 3.8 with allowerasing and remove ipa-server? This doesn’t look good.
Thanks in advance.
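
The `--allowerasing` preview above lists ipa-server among the removals. As an added example that is not part of the original post, this shell sketch reads such a dnf transaction preview and reports any protected package it would remove; the `PROTECTED` list, the function names and the abridged sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# PROTECTED is an assumed site policy: packages a patch run must never remove.
PROTECTED="ipa-server idm-pki-ca"

# removed_packages: read a dnf transaction preview on stdin and print the
# name of every package listed under a "Removing..." section header.
removed_packages() {
  awk '
    /^Transaction Summary/  { in_rm = 0 }
    /^[A-Z][A-Za-z ]*:$/    { in_rm = ($0 ~ /^Removing/); pending = 0; next }
    in_rm && pending        { pending = 0; next }  # columns of a wrapped row
    in_rm && NF == 1        { print $1; pending = 1; next }  # long name alone on its line
    in_rm && NF >= 5        { print $1 }           # name arch version repo size
  '
}

# blocked_removals: print each protected package found in the removal list.
blocked_removals() {
  removed=$(removed_packages)
  for p in $PROTECTED; do
    printf '%s\n' "$removed" | grep -Fxq -- "$p" && printf '%s\n' "$p"
  done
  return 0
}

# Constructed sample: abridged from the preview quoted in the post.
sample_preview() {
cat <<'EOF'
Upgrading:
 slf4j noarch 1.7.32-4.module_el8.8.0+3547+dbd3d703 appstream 79 k
Removing dependent packages:
 idm-pki-ca noarch 10.14.3-1.module_el8.8.0+3499+bdda178f @appstream 3.3 M
 ipa-server x86_64 4.9.12-11.module_el8.9.0+3715+e4197dc9.alma.1 @appstream 1.1 M
 slf4j-jdk14 noarch 1.7.25-4.module_el8.5.0+2577+9e95fe00 @appstream 11 k
Transaction Summary
EOF
}

# On a live host the preview would come from a dry run instead of the sample:
#   dnf install slf4j --allowerasing --assumeno 2>&1 | blocked_removals
hits=$(sample_preview | blocked_removals)
if [ -n "$hits" ]; then
  echo "refusing transaction, protected packages would be removed:" $hits
fi
```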