About CVEs in RHEL-based distros

Hi All,

I have a somewhat simple question about RHEL-Based distros and how they deal with patches.
I know that RHEL backports security patches, and I found the search at redhat.com/security/cve/ to be great.
I’m working from an external scan and specifically on CVE-2023-3446. The system in question is “Rocky 9.3 (Blue Onyx)”. Grepping the change log for the package turns up nothing, and searching Red Hat’s security site only mentions RHEL 8 and other products.

Can I assume that something patched on RHEL 8 is patched on 9? If so, is there a way of verifying it?

rpm -q openssl

rpm -q --changelog openssl | grep CVE-2023-3446
<no result>


The CVE details list RHEL 9 too, as Affected (except compat-openssl11, which is Will not fix).

One big difference between el8 and el9 is that the former has openssl 1.1.1 (something), but el9 has openssl 3 (and that compat-openssl11). Big changes.

RHEL 8 got a patch in Dec 2023 or later. RHEL 9 development branched well before May 2022. el9 is a distinct branch, so fixing something in the el8 branch will not automatically fix the other branches. Furthermore, since OpenSSL is so different, the port won't be a simple “copy-paste”.

Red Hat writes:

“Affected” means that our Analysis Team has determined that this product is affected by this vulnerability and might release a fix to address this in the near future.

We can thus assume that Rocky 9 is affected by CVE-2023-3446 – not patched.
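As an added example (not posted by anyone in this thread, and not a Rocky Linux or Red Hat tool), here is a small POSIX shell script that automates the check the question tried by hand: grep the installed package's rpm changelog for the CVE ID as a whole word, and, where dnf is available, ask the errata metadata with dnf 4's `updateinfo list --cve` filter (dnf 4 is what el8 and el9 ship). The changelog text embedded in the script is constructed for the example; its package version, date and maintainer address are placeholders. A hit in the changelog is positive evidence of a backported fix. A miss is not proof of exposure: the fix may predate the packaged upstream version, or the product may simply be listed as Affected or Will not fix, as in this thread, so the per-product state on Red Hat's CVE page stays the authoritative answer and a RHEL 8 fix says nothing about the el9 branch.

```shell
#!/bin/sh
# cve_check.sh - is a given CVE referenced by the installed build of a package?
# Added example for this thread; not a Rocky Linux or Red Hat tool.
#
# Usage:  sh cve_check.sh openssl CVE-2023-3446
# Exit:   0 = CVE referenced in the installed package's changelog (backport present)
#         1 = not referenced (fix absent, never needed, or fixed upstream before the
#             packaged version); check the per-product state on Red Hat's CVE page
#         2 = package not installed / not an RPM-based system

# Whole-word, case-insensitive search of changelog text read from stdin.
# -w stops CVE-2023-344 from matching CVE-2023-3446 and vice versa.
changelog_mentions_cve() {
    grep -qiw -- "$1"
}

# Every CVE ID referenced in changelog text read from stdin, one per line, deduplicated.
list_cves_in_changelog() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Constructed sample in "rpm -q --changelog" style, used only to exercise the two
# functions above offline. Version, date and maintainer are placeholders.
SAMPLE_CHANGELOG='* Tue Jan 02 2024 Example Maintainer <maint@example.com> - 1:3.0.7-99
- constructed entry for this example, not a real Rocky or RHEL changelog
  Resolves: CVE-2023-3446
* Mon Dec 04 2023 Example Maintainer <maint@example.com> - 1:3.0.7-98
- earlier constructed entry that references no CVE'

# Live check against the running system. A hit in the installed changelog is
# positive evidence of a backport; a miss is not proof of exposure, which is
# why the errata metadata is consulted as a second source when dnf exists.
check_package_cve() {
    pkg="$1"; cve="$2"
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found: not an RPM-based system" >&2
        return 2
    fi
    if ! rpm -q "$pkg" >/dev/null 2>&1; then
        echo "$pkg is not installed" >&2
        return 2
    fi
    nvr=$(rpm -q "$pkg")
    if rpm -q --changelog "$pkg" | changelog_mentions_cve "$cve"; then
        echo "$cve: referenced in changelog of installed $nvr (backported fix present)"
        return 0
    fi
    echo "$cve: not referenced in changelog of installed $nvr"
    if command -v dnf >/dev/null 2>&1; then
        # dnf 4 (el8/el9) filters errata by CVE id. Empty output means no pending
        # advisory in the enabled repos, not that the product is unaffected.
        echo "errata in enabled repos mentioning $cve (empty if none):"
        dnf -q updateinfo list --cve "$cve" 2>/dev/null
    fi
    return 1
}

# Only run the live check when invoked with a package name and a CVE id.
if [ $# -eq 2 ]; then
    check_package_cve "$1" "$2"
fi
```

Run it as `sh cve_check.sh openssl CVE-2023-3446` on the Rocky 9.3 host from the question; the whole-word match matters because `grep CVE-2023-3446` without `-w` would also accept any longer ID that starts with the same digits.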

Thank you so much for that very detailed explanation; it makes things much clearer. I failed to see that the results in the CVE browser had multiple pages.

Again, thanks for your time.
