Our standard Linux environment team uses a patch policy via WebUI to patch CentOS. The policy criteria includes any severity except for unspecified, and category = “security”.
A recent 3rd party tool found that nearly all our CentOS Linux systems were exposed to a vim vulnerability (CESA-2019:1619).
A second review of the Patches for CentOS 7 site found this fixlet published: CEBA-2020:5432 - Vim Bug Fix and Enhancement Update - CentOS 7 x86_64
Category: Bug Fix Advisory
Severity: Unspecified
The fixlet does address the vulnerability (according to our 3rd party scanning solution). So, no issue in following up to address these using an action. My questions are about how and why certain categories are used and what HCL can do to re-categorize/re-publish the fixlet.
- Is there a reason there isn’t a specific fixlet published for CESA-2019:1619?
- Could the related CVE be added to the existing fixlet?
- Can HCL re-publish it as either a security update or at least not use unspecified severity?
Thanks all!
Bob
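The situation above (a category/severity policy silently skipping a fixlet that remediates a scanner finding) is easy to check for before a third-party scan does it for you. The following is an added illustration, not code from the post or from HCL BigFix: it models a policy with the same criteria (category = security, any severity except unspecified), a few constructed fixlet records, and the scanner's findings, and reports every finding that no policy-selected fixlet covers together with the fixlets that would cover it but were filtered out. The `addresses` field, the `Policy`/`Fixlet` classes and the advisory id `CESA-EXAMPLE-1` are assumptions made for the example; only CESA-2019:1619 and CEBA-2020:5432 come from the post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fixlet:
    """Constructed model of a BigFix fixlet's metadata (hypothetical, not the product's schema)."""
    name: str
    advisory: str            # advisory id the fixlet is published under
    category: str            # e.g. "Security Advisory" or "Bug Fix Advisory"
    severity: str            # e.g. "Important" or "Unspecified"
    addresses: tuple = ()    # other advisory ids this fixlet remediates (assumed field)


@dataclass(frozen=True)
class Policy:
    """Constructed model of a WebUI patch policy: allowed categories, excluded severities."""
    categories: frozenset
    excluded_severities: frozenset


def policy_selects(policy: Policy, fixlet: Fixlet) -> bool:
    """Mirror the policy criteria from the post: category must match, severity must not be excluded."""
    return (fixlet.category.lower() in policy.categories
            and fixlet.severity.lower() not in policy.excluded_severities)


def remediates(fixlet: Fixlet, advisory: str) -> bool:
    """A fixlet covers a finding if it is the advisory itself or lists it as addressed."""
    return fixlet.advisory == advisory or advisory in fixlet.addresses


def coverage_gaps(policy: Policy, fixlets: list, findings: list) -> dict:
    """Return {finding: [names of fixlets that remediate it but the policy skips]}.

    Findings that some policy-selected fixlet covers are omitted. A finding with an
    empty list has no fixlet at all; a non-empty list is a categorization gap.
    """
    selected = [f for f in fixlets if policy_selects(policy, f)]
    gaps = {}
    for advisory in findings:
        if any(remediates(f, advisory) for f in selected):
            continue
        gaps[advisory] = [f.name for f in fixlets
                          if remediates(f, advisory) and not policy_selects(policy, f)]
    return gaps


# Policy criteria exactly as described in the post.
POLICY = Policy(categories=frozenset({"security"}),
                excluded_severities=frozenset({"unspecified"}))

# Constructed fixlet records. The vim fixlet's category/severity are the ones quoted in the post;
# the "addresses" link to CESA-2019:1619 is assumed (the post says the scanner confirms it).
FIXLETS = [
    Fixlet(name="CEBA-2020:5432 - Vim Bug Fix and Enhancement Update - CentOS 7 x86_64",
           advisory="CEBA-2020:5432", category="Bug Fix Advisory", severity="Unspecified",
           addresses=("CESA-2019:1619",)),
    Fixlet(name="CESA-EXAMPLE-1 - Example Security Update - CentOS 7 x86_64",
           advisory="CESA-EXAMPLE-1", category="Security", severity="Important"),
]

# Constructed scanner output: advisory ids the 3rd-party tool reports as unpatched.
FINDINGS = ["CESA-2019:1619", "CESA-EXAMPLE-1"]


if __name__ == "__main__":
    for finding, skipped in coverage_gaps(POLICY, FIXLETS, FINDINGS).items():
        if skipped:
            print(f"{finding}: not covered by policy; skipped fixlet(s): {skipped}")
        else:
            print(f"{finding}: no fixlet available")
```

Run against the constructed data, the example-security advisory is covered, while CESA-2019:1619 is reported as a gap with the CEBA vim fixlet named as the one the policy filtered out, which is exactly the outcome the post describes and the reason a CVE or advisory cross-reference on the fixlet would matter.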