I have a question about the recent serious CVE-2023-4911 and whether it applies to Rocky 8.8.
When I click on the respective RHEL page for this CVE (cve-details), it says that it affects “Red Hat Enterprise 8”. Under “Statement”, it says:
This vulnerability was introduced in glibc 2.34 in commit 2ed18c. The commit that introduced the vulnerability was backported to RHEL-8.6 and is affected.
I (perhaps incorrectly) take this to mean that the vulnerability exists in RHEL 8.6. However, wouldn’t anything in 8.6 also impact 8.7 and 8.8 unless previously patched? And how could it have been previously patched if the vulnerability was just announced?
If I go further and look at this more detailed Red Hat errata (https://access.redhat.com/errata/RHSA-2023:5455), it says that the updated version of glibc is, for example, glibc-2.28-225.el8_8.6.x86_64.rpm, but the glibc-2.28-255 version is what was already applied to Rocky 8.8 many months ago! Does this mean that 8.8 is free from this issue? (That would be great!)
Thanks for any information you can provide.
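As an added worked example (not part of the original question or any reply to it), here is how to settle the "is my package at or past the errata version" question in code rather than by eyeballing digits. It re-implements rpm's rpmvercmp() segment ordering in Python so it runs offline; the installed NEVRA glibc-2.28-225.el8.x86_64 is a constructed sample, not taken from any Rocky host, while the fixed NEVRA is the one named in RHSA-2023:5455.

```python
"""Compare an installed RPM NEVRA against the fixed NEVRA from an errata.

Re-implements rpm's rpmvercmp() ordering (ASCII alnum segments, numeric
segments compared numerically, numeric beats alpha, '~' sorts lowest,
leftover segments win) so the check runs without rpm installed.
On a real host you would feed it the output of `rpm -q glibc`.
"""
import re
from typing import Tuple


def _alnum(c: str) -> bool:
    # rpm uses ASCII-only isalnum(); Python's isalnum() also accepts Unicode.
    return c.isascii() and c.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 with the same ordering as rpm's rpmvercmp()."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators: anything that is not alnum, '~' or '^'.
        while i < len(a) and not (_alnum(a[i]) or a[i] in "~^"):
            i += 1
        while j < len(b) and not (_alnum(b[j]) or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":        # tilde = pre-release, sorts before anything
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":        # caret = post-release, but a base version wins
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):               # one side ran out; decided below
            break
        if ca.isdigit():
            pat, isnum = r"[0-9]+", True
        else:
            pat, isnum = r"[A-Za-z]+", False
        ma = re.match(pat, a[i:])
        mb = re.match(pat, b[j:])
        seg_a = ma.group(0)
        seg_b = mb.group(0) if mb else ""
        if not seg_b:                     # mixed types: numeric segment is newer
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # more digits = bigger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i += len(ma.group(0))
        j += len(mb.group(0))
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1     # whichever still has segments left wins


def split_nevra(nevra: str) -> Tuple[str, int, str, str, str]:
    """Split 'name-[epoch:]version-release.arch[.rpm]' into (name, epoch, version, release, arch)."""
    if nevra.endswith(".rpm"):
        nevra = nevra[:-4]
    base, arch = nevra.rsplit(".", 1)
    name_ver, release = base.rsplit("-", 1)
    name, version = name_ver.rsplit("-", 1)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release, arch


def compare_evr(installed: str, fixed: str) -> int:
    """-1 if installed is older than fixed, 0 if equal, 1 if newer (epoch, then version, then release)."""
    n1, e1, v1, r1, _ = split_nevra(installed)
    n2, e2, v2, r2, _ = split_nevra(fixed)
    if n1 != n2:
        raise ValueError(f"package names differ: {n1} vs {n2}")
    if e1 != e2:
        return 1 if e1 > e2 else -1
    rc = rpmvercmp(v1, v2)
    return rc if rc else rpmvercmp(r1, r2)


def is_fixed(installed: str, fixed: str) -> bool:
    """True when the installed build is at or past the errata's fixed build."""
    return compare_evr(installed, fixed) >= 0


FIXED = "glibc-2.28-225.el8_8.6.x86_64.rpm"   # from RHSA-2023:5455
INSTALLED = "glibc-2.28-225.el8.x86_64"       # constructed sample, not from a real host

if __name__ == "__main__":
    print(INSTALLED, "fixed:", is_fixed(INSTALLED, FIXED))   # False: release 225.el8 < 225.el8_8.6
```

The point the comparison makes is that "2.28-225" alone does not identify a build: the release field of the fixed package is 225.el8_8.6, and rpm orders 225.el8 before 225.el8_8.6 because the latter has segments left over after the common prefix. On a live Rocky host the equivalent checks are `rpm -q glibc` (compare the full release string) and `rpm -q --changelog glibc | grep CVE-2023-4911` (a build that carries the fix names the CVE in its changelog).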