Doubt about CVE-2025-7493 fix in ipa-server-4.9.13-20.module+el8.10.0+2066+d74ade98 on Rocky Linux 8

Dear all,

We have updated to package ipa-server-4.9.13-20.module+el8.10.0+2066+d74ade98.x86_64 due to CVE-2025-7493. However, we are not completely sure that this package fully resolves the issue.

If we search for this CVE in https://errata.build.resf.org/, we only find information for Rocky Linux 9 and Rocky Linux 10. Could someone please confirm that this is the correct package?

According to Red Hat, the issue is solved in version 4.9.13-20.module+el8.10.0+23534+744f3864. Since the build/release numbers do not exactly match, we are uncertain.

Thank you in advance.

Best regards

The build numbers (as they are module packages) will not directly match Red Hat’s. However, the version is correct. You can check the change log of the package:

* Thu Sep 11 2025 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-20
- Refactor ipatests for unique krbcanonicalname
  Resolves: RHEL-110061

* Thu Sep 11 2025 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-19
- Enforce uniqueness across krbprincipalname and krbcanonicalname
  ipa-kdb: enforce PAC presence on TGT for TGS-REQ
  ipatests: extend test for unique krbcanonicalname
  Resolves: RHEL-110061

This correlates with this page: cve-details

Hi Louis,

Thank you very much for the confirmation!

You’re right to double-check. The package you mentioned appears to address the same CVE, but Rocky Linux build numbers often differ slightly from Red Hat’s due to their rebuild process. As long as your version includes the security fix backported from upstream (which it should, given the 4.9.13-20 tag), you’re covered. To be absolutely sure, you can confirm by checking the changelog with:

rpm -q --changelog ipa-server | grep CVE-2025-7493

If it’s listed there, your system has the fix.

Hi Ani,

Thank you very much. Yes, we checked with rpm -q --changelog, but the CVE was not listed; there is only the information Louis provided.

Cheers,
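
A changelog check that does not depend on the CVE id appearing in the text, added here as an example (not part of any post in this thread, and not Rocky Linux or Red Hat tooling): it looks for the CVE id first and then for a tracker id in the `Resolves:` lines. The function names are hypothetical, and treating RHEL-110061 as the tracker for CVE-2025-7493 is an assumption based on the changelog quoted above.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the changelog below is the
# excerpt quoted earlier in this thread, embedded so the script runs offline.
SAMPLE_CHANGELOG='* Thu Sep 11 2025 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-20
- Refactor ipatests for unique krbcanonicalname
  Resolves: RHEL-110061

* Thu Sep 11 2025 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-19
- Enforce uniqueness across krbprincipalname and krbcanonicalname
  ipa-kdb: enforce PAC presence on TGT for TGS-REQ
  ipatests: extend test for unique krbcanonicalname
  Resolves: RHEL-110061'

# entries_resolving TRACKER  (changelog on stdin)
# Prints the version-release of every entry whose "Resolves:" line names TRACKER.
entries_resolving() {
    awk -v id="$1" '
        /^\* /     { ver = $NF }            # entry header ends in version-release
        /Resolves:/ {
            for (i = 1; i <= NF; i++) {
                f = $i; gsub(/[,;]/, "", f) # tolerate "RHEL-1, RHEL-2" lists
                if (f == id && ver != last) { print ver; last = ver }
            }
        }'
}

# fix_status CVE TRACKER  (changelog on stdin)
# Prints cve-listed, tracker-listed:<oldest entry naming TRACKER>, or not-found.
fix_status() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -qiF -- "$1"; then
        echo "cve-listed"
        return 0
    fi
    # rpm prints the newest entry first, so the last match is the oldest one.
    first=$(printf '%s\n' "$log" | entries_resolving "$2" | tail -n 1)
    if [ -n "$first" ]; then
        echo "tracker-listed:$first"
    else
        echo "not-found"
    fi
}

# On a real host: rpm -q --changelog ipa-server | fix_status CVE-2025-7493 RHEL-110061
printf '%s\n' "$SAMPLE_CHANGELOG" | fix_status CVE-2025-7493 RHEL-110061
```

A `tracker-listed` result only shows that the entry is present in the changelog; compare the reported version with `rpm -q ipa-server` and with the vendor advisory before treating the host as patched.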