We are using Rocky Linux 9.7 with nginx 1.26 enabled, which is still not patched for CVE-2026-42945, while Alma Linux has this patched already: <https://errata.almalinux.org/9/ALSA-2026-18029.html>
```
rpm -q --changelog nginx
* Wed Apr 01 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:1.26.3-6
- Resolves: RHEL-157887 - CVE-2026-32647 nginx:1.26/nginx: NGINX: Denial of
Service or Code Execution via specially crafted MP4 files
* Wed Apr 01 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:1.26.3-5
- Resolves: RHEL-159446 - CVE-2026-27651 nginx:1.26/nginx: NGINX: Denial of
Service via undisclosed requests when ngx_mail_auth_http_module is
enabled
```
We have applied mitigations, but what is the process of patching packages in Rocky? Should I wait, or is it better to enable some repo with the newest nginx?
The Rocky team is currently working on releasing 9.8 and 10.2, so the update will appear soon. Since RHEL also fixed it in 9.8, this is the reason you don’t see it yet.
Also, Alma is no longer 1:1 with RHEL; it’s ABI compatible, which means its package versions, etc. can vary from a RHEL release. Therefore if they fixed it for 9.7, that is because they ported a fix for it. Although I do see they already released 9.8 and 10.2, which would explain why you see that Alma fixed it. Rocky aims to be 1:1 with RHEL, therefore we don’t do that. Unless it’s critical, then a package would get pushed to the security repo, like was done recently for the kernel when critical LPE CVEs were found.
So for now, just wait since the release will be soon. You can see the release progress here: Rocky Linux
In the recent Rocky 9.8 release we switched to the 1.20.1-28.el9.rocky.0.1.x86_64 version, while on 9.7 we had 1.20.1-24.el9_7.3.rocky.0.1, which included a fix for CVE-2026-42945. The 9.8 version is missing this patch. Any chance to fix this issue?
It is fixed in nginx-1.20.1-28.el9_8.2.src.rpm which hasn’t been released in Rocky yet - because Rocky 9.8 was only released yesterday. So expect it being available in the next 24-48 hours.
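Added example, not part of the thread: a small shell helper for the check the posts above do by eye, reporting which changelog entry (if any) of an installed package names a given CVE. The function names are hypothetical, and the sample input is constructed from the changelog excerpt quoted in the first post.

```shell
#!/bin/sh
# Constructed sample: the `rpm -q --changelog nginx` excerpt quoted in the thread.
sample_changelog() {
cat <<'EOF'
* Wed Apr 01 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:1.26.3-6
- Resolves: RHEL-157887 - CVE-2026-32647 nginx:1.26/nginx: NGINX: Denial of
Service or Code Execution via specially crafted MP4 files
* Wed Apr 01 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:1.26.3-5
- Resolves: RHEL-159446 - CVE-2026-27651 nginx:1.26/nginx: NGINX: Denial of
Service via undisclosed requests when ngx_mail_auth_http_module is
enabled
EOF
}

# cve_fixed_in CVE-ID (hypothetical helper)
# Reads changelog text on stdin and prints the [epoch:]version-release of every
# entry that mentions CVE-ID. Exit status is 1 when no entry mentions it.
# Assumption: each entry header ends with the version, as in the sample above.
cve_fixed_in() {
    # Normalise a pasted en dash (U+2013) to "-" and uppercase the id.
    endash=$(printf '\342\200\223')
    want=$(printf '%s' "$1" | sed "s/$endash/-/g" | tr '[:lower:]' '[:upper:]')
    awk -v want="$want" '
        /^\* / { ver = $NF; next }      # entry header: remember its version
        {
            line = toupper($0)
            # Compare whole ids so CVE-2026-4294 never matches CVE-2026-42945.
            while (match(line, /CVE-[0-9]+-[0-9]+/)) {
                id = substr(line, RSTART, RLENGTH)
                if (id == want && !(ver in seen)) {
                    seen[ver] = 1
                    print ver
                    found = 1
                }
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { exit !found }
    '
}

# On a real host: rpm -q --changelog nginx | cve_fixed_in CVE-2026-42945
sample_changelog | cve_fixed_in "CVE-2026-42945" \
    || echo "CVE-2026-42945: not mentioned in this changelog"
```

A missing entry only means the installed build's changelog does not record the fix; confirm against the distribution's errata before drawing conclusions.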