Hello,
munge has a security vulnerability for versions below 0.5.17; Rocky versions are 0.5.13 and 0.5.15 respectively. There is a patch available in version 0.5.18:
https://github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75gh
Rocky is based on RHEL packages, so RHEL needs to fix it before it appears in Rocky. RHEL backports fixes as well, if required, when the fix is provided in a higher version than the distro currently has.
The bug report is here:
How does Rocky handle bugs that Red Hat does not fix on time?
You should know that Rocky is derived from RHEL, so everything that happens in Rocky depends on RHEL. Once RHEL fixes it, then Rocky will have it. If RHEL decides not to fix it, then it doesn’t appear in Rocky. That is how it is. This is the same for all the EL derivatives, including AlmaLinux, etc.
Looks like RHEL put out an updated package yesterday, so we should see it soon. https://access.redhat.com/errata/RHSA-2026:2949
I see fixes available for some RHEL versions now: cve-details, but we are specifically waiting for the fix in RHEL 8. Since we are running AlmaLinux 8 (which tracks RHEL 8), the updated package will be available in AlmaLinux once Red Hat releases the fix for RHEL 8 and it is rebuilt and published downstream. Not sure where to ask if they’re working on it and the expected patch release date, because we’re anxiously waiting for it.
On the list of affected RHEL versions, all but the “latest 8, 9, and 10” have received updates on Feb 18 or Feb 19. The munge in them is the same version as in those earlier branches, which have already received the update. Therefore, it should be trivial to apply the same patch to identical sources, build, and test.
Therefore, it should be safe to assume that Red Hat is working on it.
How long does it take? Considering the amount I pay for Rocky Linux: “it is done when it is done”.