Apollo: Potential bug in module version parsing #8

Open
skip77 opened this issue Apr 21, 2023 · 0 comments

skip77 commented Apr 21, 2023

This was pointed out to me, and I'm relaying the concern as an issue here.

There are currently 3 builds of the httpd module in Rocky 8.7. These are the httpd version numbers (and module info):

httpd-2.4.37-51.module+el8.7.0+1059+126e9251
httpd-2.4.37-51.module+el8.7.0+1155+5163394a.1
httpd-2.4.37-51.module+el8.7.0+1182+86a6cd60.5

(note the .1 and .5 after the module info)

I believe these 3 releases coincide with these errata, listed in the same order:

https://errata.rockylinux.org/RLSA-2022:7647
https://errata.rockylinux.org/RLSA-2023:0852
https://errata.rockylinux.org/RLSA-2023:1673

Looking at the errata pages, I noticed something is off: all of the affected package versions are listed as the original module release (2.4.37-51.module+el8.7.0+1059+126e9251). The unique module build strings from the .1 and .5 updates are not there, and the trailing .1 and .5 are ignored.

I can tell these errata are valid due to the CVEs they solve; they match up closely to the RPM changelog. But it seems like Apollo doesn't tell them apart as separate versions, possibly because it is ignoring that trailing digit and treating each one as the same? (httpd-2.4.37-51)

I don't believe RLSA-2023:0852 and RLSA-2023:1673 are making it into DNF's updateinfo due to this issue. I can't find them from my Rocky 8 system.

Thanks, hope this makes sense.

-Skip
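
An added example, not part of the issue and not Apollo's code: it parses the three build strings quoted above and contrasts a key that drops everything from `.module` onward with a comparison over the full release string. `truncated_key` is a hypothetical stand-in for the behaviour the issue suspects, and `rpm_label_cmp` is a simplified rpmvercmp that omits `~` and `^` handling.

```python
import re
from functools import cmp_to_key

# Constructed sample input: the three httpd build strings quoted in the issue.
BUILDS = [
    "httpd-2.4.37-51.module+el8.7.0+1059+126e9251",
    "httpd-2.4.37-51.module+el8.7.0+1155+5163394a.1",
    "httpd-2.4.37-51.module+el8.7.0+1182+86a6cd60.5",
]

def split_nvr(nvr):
    """Split name-version-release; version and release never contain '-'."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def truncated_key(nvr):
    """Hypothetical lossy key (assumption): drop everything from '.module' on."""
    name, version, release = split_nvr(nvr)
    return f"{name}-{version}-{release.split('.module', 1)[0]}"

def rpm_label_cmp(a, b):
    """Simplified rpmvercmp over alphanumeric segments (no '~' or '^')."""
    seg_a = re.findall(r"\d+|[A-Za-z]+", a)
    seg_b = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the label with segments left over is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))

def full_cmp(nvr_a, nvr_b):
    """Compare version first, then the complete release string."""
    _, va, ra = split_nvr(nvr_a)
    _, vb, rb = split_nvr(nvr_b)
    return rpm_label_cmp(va, vb) or rpm_label_cmp(ra, rb)

def distinct_builds(nvrs, key_fn):
    """Number of builds an index keyed by key_fn can tell apart."""
    return len({key_fn(n) for n in nvrs})

def newest(nvrs):
    return max(nvrs, key=cmp_to_key(full_cmp))

if __name__ == "__main__":
    print(distinct_builds(BUILDS, truncated_key), distinct_builds(BUILDS, str))
    print(newest(BUILDS))
```

With the truncated key all three builds collapse into one entry, so an advisory index built on it can only ever point at a single build; keyed on the full release string the three stay distinct and order by module build number.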
