Problem with Rocky 8.10 BaseOS security metadata - CVE 2026 25749 entry only updates subset of RPMs

HELP
Using the Rocky 8.10 BaseOS security metadata to update RPMs required to resolve security vulnerabilities results in the update of 1 vim RPM while leaving several other installed associated vim RPMs unchanged. The document https://access.redhat.com/errata/RHSA-2026:4442 specifies a number of vim RPMs that need to be updated to resolve the vulnerability. After the issue was discovered by scanning I had to manually upgrade the remaining vim RPMs.

Not clear why the metadata entry did not list the other vim RPMs that needed to be updated.

The incomplete updateinfo metadata is a known issue that surfaces periodically in Rocky Linux repos. What happens is the updateinfo.xml advisory entry only lists the package names that were in the original errata build, and if a rebuild or additional sub-package was added later it can miss the full list.

The immediate fix is to update all vim packages directly regardless of what the security metadata says:

dnf update 'vim*' xxd

This catches vim-common, vim-enhanced, vim-filesystem, vim-minimal, and xxd which are all part of the same CVE fix in the upstream advisory.

To verify nothing is left behind after the update:

rpm -qa 'vim*' xxd | sort
dnf updateinfo list security | grep vim

If your vulnerability scanner is keying off specific RPM versions rather than the CVE advisory, check the installed version against the fixed version in the RHSA. For RHSA-2024:4442 the fixed version should be 2:8.0.1763-19.el8_10.x86_64 or later.

Worth reporting this to the Rocky Linux bug tracker at bugs.rockylinux.org with the CVE number and the list of packages that were missing from the updateinfo entry. The maintainers can patch the updateinfo metadata for the advisory so scanners pick it up correctly on the next metadata sync.
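One way to do the version check described above (installed EVR against the fixed EVR from the RHSA) without trusting the updateinfo metadata at all. This is an added example, not code from the thread or from Rocky Linux: it reimplements rpm's version-comparison rules in Python and runs them over a constructed sample of `rpm -qa` output embedded inline, so it works offline. The query format, the sample package list and the function names are assumptions; the fixed EVR is the one quoted in the answer.

```python
import re
from typing import List, Tuple

# Constructed sample of what
#   rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}.%{ARCH}\n' 'vim*' xxd
# might print on a partially patched host. These lines are made up for the example.
SAMPLE_RPM_QA = """\
vim-minimal 2:8.0.1763-19.el8_10.x86_64
vim-common 2:8.0.1763-16.el8.x86_64
vim-enhanced 2:8.0.1763-16.el8.x86_64
vim-filesystem 2:8.0.1763-16.el8.noarch
xxd 2:8.0.1763-16.el8.x86_64
"""

# Fixed EVR quoted in the answer above (architecture suffix dropped).
FIXED_EVR = "2:8.0.1763-19.el8_10"

_ARCHES = ("x86_64", "noarch", "aarch64", "i686", "ppc64le", "s390x")
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")  # rpmvercmp segments; separators are ignored


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm's rpmvercmp does. Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    i = 0
    while i < len(sa) or i < len(sb):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        # A tilde sorts before everything, including the end of the string (1.0~rc1 < 1.0).
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            i += 1
            continue
        # Whichever string still has segments left is the newer one.
        if x is None:
            return -1
        if y is None:
            return 1
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:  # a numeric segment is newer than an alphabetic one
            return 1 if x_num else -1
        if x_num:
            xi, yi = int(x), int(y)  # int() drops leading zeros, as rpm does
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
        i += 1
    return 0


def strip_arch(evra: str) -> str:
    """Drop a trailing .<arch> so 'rpm -qa' style output can be compared as EVR."""
    for arch in _ARCHES:
        if evra.endswith("." + arch):
            return evra[: -len(arch) - 1]
    return evra


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split '[epoch:]version-release' into (epoch, version, release); missing epoch is 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_compare(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release (rpm's labelCompare)."""
    ea, va, ra = parse_evr(strip_arch(a))
    eb, vb, rb = parse_evr(strip_arch(b))
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    if c:
        return c
    return rpmvercmp(ra, rb)


def find_outdated(rpm_qa_output: str, fixed_evr: str) -> List[Tuple[str, str]]:
    """Return (name, installed_evr) for every listed package still older than fixed_evr."""
    outdated = []
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        name, evr = line.split()
        if evr_compare(evr, fixed_evr) < 0:
            outdated.append((name, evr))
    return outdated


if __name__ == "__main__":
    for name, evr in find_outdated(SAMPLE_RPM_QA, FIXED_EVR):
        print(f"{name} {evr} is older than fixed {FIXED_EVR}")
```

On a real host, replace `SAMPLE_RPM_QA` with the output of the `rpm -qa --qf` query shown in the comment; an empty result from `find_outdated` is the condition a scanner should accept, regardless of what `dnf updateinfo` reports for the advisory.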

Thanks for the info regarding what could cause the problem.