How to reliably update python 3.6 system packages at /usr/lib/python3.6/site-packages/

I am trying address CVE-2022-29217 issue reported on “pyjwt” package at “/usr/lib/python3.6/site-packages/PyJWT-1.6.1-py3”. Since it is used by system as well, how to go about addressing this security issue.

Appreciate your response/guidance.

thanks,

Since it’s a system package, then you would have to be waiting for RHEL to address it, and then the package in Rocky would also have the fix. However, in this case, it’s real easy enough to check:

[root@rocky9 ~]# dnf changelog python3-jwt | grep CVE
- Fix CVE-2022-29217 (#2088546)

assuming you were referring to Rocky 9. If Rocky 8, then usually fixes are backported if they are needed for earlier package versions. According to RHEL page: cve-details they will not fix for RHEL8, so Rocky 8 won’t have it either.

1 Like