About CVEs in RHEL based distros

Hi All,

I have a somewhat simple question about RHEL-based distros and how they deal with patches.
I know that RHEL backports security patches, and I found the search at redhat.com/security/cve/ to be great.
I’m working from an external scan and specifically on CVE-2023-3446. The system in question is “Rocky 9.3 (Blue Onyx)”. Grepping the change log for the package turns up nothing, and searching Red Hat’s security site only mentions RHEL 8 and other products.

Can I assume that something patched on RHEL 8 is patched on 9? If so, is there a way of verifying it?

rpm -q openssl

rpm -q --changelog openssl | grep CVE-2023-3446
<no result>


The CVE details list RHEL 9 too, as Affected (except compat-openssl11, which is "Will not fix").

One big difference between el8 and el9 is that the former has openssl 1.1.1(something), but el9 has openssl 3 (and that compat-openssl11). Big changes.

RHEL 8 got a patch in Dec 2023 or later. RHEL 9 development branched way before May 2022. el9 is a distinct branch, so fixing something in the el8 branch will not automatically fix the other branches. Furthermore, since the openssl is so different, the port won't be a simple "copy-paste".

Red Hat writes:

“Affected” means that our Analysis Team has determined that this product is affected by this vulnerability and might release a fix to address this in the near future.

We can thus assume that Rocky 9 is affected by CVE-2023-3446 – not patched.
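As an added example (not from either poster), here is the check the original question asks for, done per branch: look for the CVE ID in the installed package's own changelog rather than assuming the el8 fix carried over. The grep is anchored so that CVE-2023-3446 is not reported as fixed just because a longer ID starting with the same digits appears. The sample changelog is constructed for offline use; CVE-2023-2650 in it is a real OpenSSL entry, while CVE-2023-34460 is only a placeholder ID used to show the prefix-collision problem with a naive grep, not a claim about any real entry. The function names are assumptions.

```shell
#!/bin/sh
# cve_in_changelog CVE-ID  <changelog-text-on-stdin>
# Returns 0 if the exact CVE ID appears in the changelog, 1 otherwise.
# Anchored so "CVE-2023-3446" does not match "CVE-2023-34460";
# case-insensitive because changelog entries are hand-written.
cve_in_changelog() {
    cve=$1
    grep -Eiq "(^|[^0-9A-Za-z-])${cve}([^0-9A-Za-z]|$)"
}

# cve_fixed_in_installed PACKAGE CVE-ID
# Live-system wrapper: 0 = CVE mentioned in the installed package's changelog,
# 1 = not mentioned (treat as unpatched on this branch), 2 = package not installed.
cve_fixed_in_installed() {
    pkg=$1
    cve=$2
    rpm -q "$pkg" >/dev/null 2>&1 || return 2
    rpm -q --changelog "$pkg" | cve_in_changelog "$cve"
}

# Constructed sample changelog (not taken from any real package).
# CVE-2023-34460 below is a placeholder ID for the prefix-collision test only.
SAMPLE_CHANGELOG='* Tue Jul 25 2023 Builder <builder@example.invalid> - 1:3.0.7-16
- fix CVE-2023-2650: possible DoS translating ASN.1 object identifiers
* Mon Jun 05 2023 Builder <builder@example.invalid> - 1:3.0.7-15
- placeholder entry mentioning CVE-2023-34460 (constructed, not a real entry)'

# check_sample CVE-ID: report whether the ID is in the constructed changelog.
check_sample() {
    if printf '%s\n' "$SAMPLE_CHANGELOG" | cve_in_changelog "$1"; then
        echo "$1: mentioned in changelog"
    else
        echo "$1: not mentioned in changelog"
    fi
}

# Stand-alone demo against the constructed sample.
check_sample CVE-2023-2650
check_sample CVE-2023-3446
```

On a real host, `cve_fixed_in_installed openssl CVE-2023-3446` is the el9 equivalent of the check in the original post; a 1 there means the ID is absent from that branch's changelog, which is the state the thread describes for Rocky 9. An absent entry is evidence of no backport, not proof of one either way, so pair it with the vendor's per-product status page.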

Thank you so much for that very detailed explanation; that makes it clearer. I failed to see that the results on the CVE browser had multiple pages.

Again, thanks for your time.