We have updated to package ipa-server-4.9.13-20.module+el8.10.0+2066+d74ade98.x86_64 due to CVE-2025-7493. However, we are not completely sure that this package fully resolves the issue.
If we search for this CVE in https://errata.build.resf.org/, we found information only for Rocky Linux 9 and Rocky Linux 10. Could someone please confirm that this is the correct package?
According to Red Hat the issue is solved in version 4.9.13-20.module+el8.10.0+23534+744f3864. Since the build/release numbers do not exactly match, we are uncertain.
The build numbers (as they are module packages) will not directly match Red Hat’s. However, the version is correct. You can check the change log of the package:
* Thu Sep 11 2025 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-20
- Refactor ipatests for unique krbcanonicalname
Resolves: RHEL-110061
* Thu Sep 11 2025 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-19
- Enforce uniqueness across krbprincipalname and krbcanonicalname
ipa-kdb: enforce PAC presence on TGT for TGS-REQ
ipatests: extend test for unique krbcanonicalname
Resolves: RHEL-110061
You’re right to double-check. The package you mentioned appears to address the same CVE, but Rocky Linux build numbers often differ slightly from Red Hat’s due to their rebuild process. As long as your version includes the security fix backported from upstream (which it should, given the 4.9.13-20 tag), you’re covered. To be absolutely sure, you can confirm by checking the changelog with:
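Both replies point at the package changelog as the thing to check, and the question itself shows why a plain string compare fails: the Rocky build carries `20.module+el8.10.0+2066+d74ade98` while Red Hat's carries `20.module+el8.10.0+23534+744f3864`, but the changelog entry that records the fix is tagged only `4.9.13-19`/`4.9.13-20`. The following POSIX sh is an added example, not a command from either reply. It drops the `.module...` build suffix before comparing, then scans the changelog for an entry at or above the fixing release that carries the issue marker. `vr_ge`, `changelog_has_fix` and `SAMPLE_CHANGELOG` are names chosen here; the sample changelog is constructed from the entries quoted in the thread plus a made-up older entry so the script runs offline. `rpm -q --changelog` is the real rpm option you would feed it with on a host.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an installed ipa-server build's
# changelog contains the entry that fixes the issue, ignoring module build suffixes.

# Constructed sample changelog, modelled on the entries quoted above, with one
# made-up older entry appended so the "not fixed" path is exercised.
SAMPLE_CHANGELOG='* Thu Sep 11 2025 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-20
- Refactor ipatests for unique krbcanonicalname
Resolves: RHEL-110061
* Thu Sep 11 2025 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-19
- Enforce uniqueness across krbprincipalname and krbcanonicalname
ipa-kdb: enforce PAC presence on TGT for TGS-REQ
ipatests: extend test for unique krbcanonicalname
Resolves: RHEL-110061
* Mon Jan 01 2024 Placeholder Maintainer <maintainer@example.invalid> - 4.9.13-1
- constructed older entry, no security fix'

# vr_ge A B: succeed when version-release A >= B, comparing numeric fields split on
# "." and "-". Anything from ".module" onwards is dropped first, because that part is
# the distribution build id that differs between Rocky and Red Hat rebuilds.
vr_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/\.module.*$/, "", a); sub(/\.module.*$/, "", b)
        na = split(a, A, "[.-]"); nb = split(b, B, "[.-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }' < /dev/null
}

# changelog_has_fix NEED_VR MARKER: read an rpm changelog on stdin and succeed when
# some entry whose header version-release is >= NEED_VR contains MARKER text.
# Header lines look like "* <date> <author> - <version-release>".
changelog_has_fix() {
    need=$1; marker=$2; cur=""; found=1
    while IFS= read -r line; do
        case $line in
            "* "*) cur=${line##* - } ;;          # text after the last " - " is the tag
            *)
                if [ -n "$cur" ] && vr_ge "$cur" "$need"; then
                    case $line in *"$marker"*) found=0 ;; esac
                fi ;;
        esac
    done
    return $found
}

# Stand-alone demonstration on the constructed sample. On a real host, replace the
# printf with:  rpm -q --changelog ipa-server | changelog_has_fix 4.9.13-19 RHEL-110061
if printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_has_fix 4.9.13-19 RHEL-110061; then
    echo "changelog carries the 4.9.13-19 fix (RHEL-110061): build is patched"
else
    echo "no entry >= 4.9.13-19 mentions RHEL-110061: build is NOT confirmed patched"
fi
```

The version comparison is deliberately minimal (numeric fields only); it is enough to order `4.9.13-2`, `4.9.13-19` and `4.9.13-20` correctly, which is the case this thread needs. For anything involving epochs or alphabetic release tags, use `rpmdev-vercmp` from rpmdevtools instead.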