I'm on RHEL 7:
[root@localhost ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)
Since I have yum-plugin-security installed, I'm looking for security-related patches with severity = Important. As per the output, there's one available.
[root@localhost ~]# yum updateinfo --sec-severity Important
Loaded plugins: product-id, search-disabled-repos, subscription-manager
Updates Information Summary: updates
1 Important Security notice(s)
updateinfo summary done
If I look further I get details such as the RHSA and CVE:
[root@localhost ~]# yum updateinfo info --sec-severity Important
Loaded plugins: product-id, search-disabled-repos, subscription-manager
===============================================================================
Important: freetype security update
===============================================================================
Update ID : RHSA-2020:4907
Release : 0
Type : security
Status : final
Issued : 2020-11-04 09:39:15 UTC
Bugs : 1890210 - CVE-2020-15999 freetype: Heap-based buffer overflow due to integer truncation in Load_SBit_Png
CVEs : CVE-2020-15999
Description : FreeType is a free, high-quality, portable font engine that can
: open and manage font files. FreeType loads, hints,
: and renders individual glyphs efficiently.
:
: Security Fix(es):
:
: * freetype: Heap-based buffer overflow due to
: integer truncation in Load_SBit_Png
: (CVE-2020-15999)
:
: For more details about the security issue(s),
: including the impact, a CVSS score,
: acknowledgments, and other related information,
: refer to the CVE page(s) listed in the References
: section.
Severity : Important
updateinfo info done
Looking at RHSA-2020:4907 --> Updated Packages, I can see the packages that contain the fix:
When I check the current version and compare it against the one that would be installed in case of an update, I can see that the current version is freetype-2.8-14.el7.x86_64 and the one to be installed would be the package version that contains the patch: Package freetype.x86_64 0:2.8-14.el7_9.1 will be an update:
But I have a few questions.
- Why is the Red Hat Security Advisory showing other rpm packages under Updated Packages (please see the ones marked with a red question mark)? I don't have the freetype-debuginfo, freetype-devel or freetype-demos packages installed. Would I have to have all the packages listed in the RHSA for my OS version and arch on the same level?
- If I install the advisory, I don't see any of the packages mentioned above (point 1) being installed / updated:
Could anyone please provide an explanation?
Thank you !
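An RHSA's Updated Packages section lists every binary rpm built from the patched source rpm (debuginfo, devel, demos, the i686 multilib build and so on), while yum only applies the advisory to packages that are already installed; it never pulls in the others. The practical check is therefore: for each package in the advisory list for your arch, is it installed, and if so is the installed epoch:version-release older than the fixed one? The script below is an added example, not part of the original post, that does this offline with a pure-Python port of rpm's label comparison (rpmvercmp) instead of shelling out to rpm. The INSTALLED and ADVISORY lists are constructed from the versions quoted in the post; the glibc line and the freetype.i686 entry are assumptions added for illustration.

```python
"""Audit an advisory's package list against the installed package set.

Added example, not from the original post. rpmvercmp() is a port of the
segment comparison in rpm's rpmvercmp.c so the check needs no rpm binary.
"""
from dataclasses import dataclass

# Constructed sample in the shape of:
#   rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\n'
# Only freetype-2.8-14.el7.x86_64 comes from the post; glibc is filler.
INSTALLED = """\
freetype (none) 2.8 14.el7 x86_64
glibc (none) 2.17 317.el7 x86_64
"""

# Constructed "Updated Packages" list for RHEL 7 x86_64 built from the fixed
# EVR quoted in the post (0:2.8-14.el7_9.1). The i686 line is an assumption
# added to show a multilib package that is not installed.
ADVISORY = """\
freetype 0 2.8 14.el7_9.1 x86_64
freetype 0 2.8 14.el7_9.1 i686
freetype-debuginfo 0 2.8 14.el7_9.1 x86_64
freetype-demos 0 2.8 14.el7_9.1 x86_64
freetype-devel 0 2.8 14.el7_9.1 x86_64
"""


def rpmvercmp(a: str, b: str) -> int:
    """rpm label-segment compare: -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric, '~' or '^') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":          # tilde sorts before everything
            if ca != "~" or cb != "~":
                return 1 if ca != "~" else -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # caret sorts after end-of-string only
            if not ca or not cb:
                return -1 if not ca else 1
            if ca != "^" or cb != "^":
                return 1 if ca != "^" else -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        # Take one all-digit or all-alpha segment from each side.
        is_num = ca.isdigit()
        pred = str.isdigit if is_num else str.isalpha
        si, sj = i, j
        while si < len(a) and pred(a[si]):
            si += 1
        while sj < len(b) and pred(b[sj]):
            sj += 1
        seg_a, seg_b = a[i:si], b[j:sj]
        if not seg_b:                       # type mismatch: numeric beats alpha
            return 1 if is_num else -1
        if is_num:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):    # more significant digits wins
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = si, sj
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1         # leftover characters win


@dataclass(frozen=True)
class Pkg:
    name: str
    epoch: str
    version: str
    release: str
    arch: str


def evrcmp(p: Pkg, q: Pkg) -> int:
    """Compare epoch, then version, then release, as rpm does for labels."""
    for x, y in ((p.epoch, q.epoch), (p.version, q.version), (p.release, q.release)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def parse(text: str) -> list:
    pkgs = []
    for line in text.splitlines():
        if line.strip():
            name, epoch, version, release, arch = line.split()
            # rpm prints "(none)" for an unset epoch; it compares as 0.
            pkgs.append(Pkg(name, "0" if epoch == "(none)" else epoch, version, release, arch))
    return pkgs


def audit(installed_text: str, advisory_text: str) -> dict:
    """Map each advisory 'name.arch' to not-installed / needs-update / up-to-date."""
    installed = {(p.name, p.arch): p for p in parse(installed_text)}
    status = {}
    for adv in parse(advisory_text):
        cur = installed.get((adv.name, adv.arch))
        key = f"{adv.name}.{adv.arch}"
        if cur is None:
            status[key] = "not-installed"   # yum will not pull these in
        else:
            status[key] = "needs-update" if evrcmp(cur, adv) < 0 else "up-to-date"
    return status


if __name__ == "__main__":
    for key, st in sorted(audit(INSTALLED, ADVISORY).items()):
        print(f"{key:28} {st}")
```

On a real host, replace INSTALLED with the output of the `rpm -qa --qf` query in the comment and ADVISORY with the package list from the advisory page for your release and arch; anything reported as not-installed is expected to stay absent after `yum update --advisory RHSA-2020:4907`, and only the needs-update entries should change.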