CVE-2022-22720 Apache Vulnerability and ongoing app security patches

Hello all, I have probably a 2-part question relating to a specific CVE and ongoing security patching. Feel free to tell me off if I’ve missed something in my research 🙂.

Regarding CVE-2022-22720, Red Hat has patched this vulnerability through backporting (httpd-2.4.37-43.module+el8.5.0+14530+6f259f31.3.x86_64.rpm) and it looks like Rocky’s latest backported 2.4.37 is 43.module+el8.5.0+747+83fae388.3. As the priority and severity of this is high, when can we expect a corresponding release (I don’t know if Rocky keeps the same number scheme or if it would be 14530) of Apache?

In relation to ongoing CVEs and bug tracking, I know Rocky has errata, but is there a Bugzilla-esque location where the community might be able to check a CVE’s release roadmap?

Red Hat released that httpd on 2022-03-24. The date of Rocky’s httpd is 2022-03-24.
The previous releases for RHEL and Rocky were 2022-03-15.

There is a pattern on these AppStream packages:
httpd-2.4.37-43.module+el8.5.0 +14530+6f259f31 .3.x86_64
httpd-2.4.37-43.module+el8.5.0 +747+83fae388 .3.x86_64
httpd-2.4.37-43.module_el8.5.0 +2631+6f259f31 .3.alma.x86_64 (Note, Alma’s date is 2022-03-25)

You can always run rpm -q --changelog httpd

Thanks for the tip, so very useful! With “rpm -q --changelog httpd” I was able to get the reference to the CVE (which the latest patch resolved) and everything.
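The changelog check discussed in this thread can be scripted so that a backported fix is confirmed by CVE ID rather than by version number. This is an added example, not code from any poster or from the Rocky or Red Hat projects; the function names and the sample changelog are constructed for illustration.

```shell
#!/bin/sh
# Reads `rpm -q --changelog <pkg>` output on stdin and prints every changelog
# entry (header line plus matching lines) that mentions the given CVE ID.
# Exit status 0 if the CVE is mentioned, 1 if it is not.
cve_changelog_entries() {
    awk -v cve="$1" '
        # True only for an exact ID match: a query for CVE-2022-2272 must not
        # match CVE-2022-22720, so the character after the hit may not be a digit.
        function mentions(line, id,    p, rest, nxt) {
            rest = line
            while ((p = index(rest, id)) > 0) {
                nxt = substr(rest, p + length(id), 1)
                if (nxt !~ /^[0-9]$/) return 1
                rest = substr(rest, p + length(id))
            }
            return 0
        }
        /^\* / { header = $0; shown = 0; next }   # start of a changelog entry
        mentions($0, cve) {
            if (!shown) { print header; shown = 1 }
            print "    " $0
            found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample in rpm changelog layout (not the real httpd changelog).
sample_changelog() {
cat <<'EOF'
* Mon Mar 21 2022 Example Packager <packager@example.com> - 2.4.37-43.3
- Resolves: #0000001 - CVE-2022-22720 constructed sample entry for the fix

* Tue Jan 25 2022 Example Packager <packager@example.com> - 2.4.37-43.2
- Resolves: #0000002 - constructed sample entry for an unrelated change
EOF
}

# Demo on the sample; on a real host: rpm -q --changelog httpd | cve_changelog_entries CVE-2022-22720
sample_changelog | cve_changelog_entries CVE-2022-22720
```

A non-zero exit status means the installed build's changelog does not mention the CVE, which is the signal to check the errata before assuming the host is patched.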