I have a question about the recent serious CVE-2023-4911 and whether it applies to Rocky 8.8.
When I click on the respective RHEL page for this CVE (cve-details), it says that it affects “Red Hat Enterprise 8”. Under “Statement”, it says:
This vulnerability was introduced in glibc 2.34 in commit 2ed18c. The commit that introduced the vulnerability was backported to RHEL-8.6 and is affected.
I (perhaps incorrectly) take this to mean that the vulnerability exists in RHEL 8.6. However, wouldn’t anything in 8.6 also impact 8.7 and 8.8 unless previously patched? And how could it have been previously patched if the vulnerability was just announced?
If I go further and look at the more detailed Red Hat erratum (https://access.redhat.com/errata/RHSA-2023:5455), it says that the updated version of glibc is, for example, glibc-2.28-225.el8_8.6.x86_64.rpm, but the glibc-2.28-255 version is what was already applied to Rocky 8.8 many months ago! Does this mean that 8.8 is free from this issue? (That would be great!)
The vulnerability was introduced in and has existed since 8.6. This means that it was not patched in 8.6 nor in 8.7. This means all versions starting from 8.6 are affected. If the vulnerability was patched in 8.6, 8.7 and 8.8 would not be affected. However, this is not the case.
That is incorrect. glibc-2.28-255.el8 and glibc-2.28-225.el8_8.6 are different versions of the package, the latter being newer.
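The confusion in this thread comes from reading `el8_8.6` as "a patch for 8.6" rather than as the release field of an RPM version, so here is an added example (not from the forum post or from any Rocky/RHEL tooling) that compares versions the way rpm itself does. It is a Python port of rpm's `rpmvercmp()` segment-by-segment algorithm plus the epoch:version-release ordering built on it; the `is_fixed` and `evr_from_filename` helper names are my own. It assumes the 8.8 base build is `glibc-2.28-225.el8` and the fix build from RHSA-2023:5455 is `glibc-2.28-225.el8_8.6`:

```python
"""Compare RPM versions the way rpm does, to tell whether an installed glibc
build predates a fix build. Added example; not from the forum post."""


def _rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): 1 if a is newer, -1 if b is newer, 0 if equal."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric, '~' or '^') are skipped entirely,
        # which is why '225.el8_8.6' and '225.el8.8.6' compare equal.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        # '~' sorts before anything, even end of string (1.0~rc1 < 1.0).
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i += 1
            j += 1
            continue
        # '^' sorts after end of string but before any other segment
        # (1.0^1 > 1.0, but 1.0^1 < 1.0.1).
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i += 1
            j += 1
            continue
        if not ca or not cb:
            break
        # Take the next all-digit or all-letter segment from both strings.
        numeric = ca.isdigit()
        pick = str.isdigit if numeric else str.isalpha
        si, sj = i, j
        while i < len(a) and pick(a[i]):
            i += 1
        while j < len(b) and pick(b[j]):
            j += 1
        sa, sb = a[si:i], b[sj:j]
        if not sb:
            # Segment types differ: a numeric segment beats an alphabetic one.
            return 1 if numeric else -1
        if numeric:
            # Numeric segments compare by value: 10 > 6, not "1" < "6".
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    # Whichever string still has segments left is the newer one.
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str):
    """Split 'epoch:version-release' into (epoch, version, release); epoch defaults to 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def compare_evr(a: str, b: str) -> int:
    """Full RPM ordering: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return _rpmvercmp(va, vb) or _rpmvercmp(ra, rb)


def evr_from_filename(filename: str):
    """'glibc-2.28-225.el8_8.6.x86_64.rpm' -> ('glibc', '2.28-225.el8_8.6')."""
    base = filename[:-4] if filename.endswith(".rpm") else filename
    nvr, _, _arch = base.rpartition(".")
    name, version, release = nvr.rsplit("-", 2)
    return name, f"{version}-{release}"


def is_fixed(installed_evr: str, fixed_evr: str) -> bool:
    """True when the installed build is the fix build or anything newer."""
    return compare_evr(installed_evr, fixed_evr) >= 0


if __name__ == "__main__":
    # Fix build taken from the RHSA-2023:5455 file name; the installed values
    # are constructed for the demo (225.el8 is assumed to be the 8.8 base build).
    _, fixed = evr_from_filename("glibc-2.28-225.el8_8.6.x86_64.rpm")
    for installed in ("2.28-225.el8", "2.28-225.el8_8.6", "2.28-225.el8_8.10"):
        state = "fixed" if is_fixed(installed, fixed) else "older than the fix"
        print(f"glibc-{installed}: {state}")
```

The point the output makes: `225.el8` and `225.el8_8.6` share the same leading segments, and the errata build wins only because it has segments left over; `el8_8` is the RHEL 8.8 update stream, not anything to do with 8.6. On a real box, `rpm -q glibc` gives the installed version-release to feed into this, and `rpm -q --changelog glibc | grep -i CVE-2023-4911` is the quicker check of whether the fix is actually in the installed build; `rpmdev-vercmp` from rpmdevtools does the same comparison with rpm's own code.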
Thanks, guys.
I incorrectly assumed that glibc-2.28-225.el8_8.6 was a version of the patch for just 8.6.
So the issue is that we just need to wait for the update to the repositories for Rocky, right? Because my mirror still doesn’t have it under 8.8/BaseOS/x86_64/os/Packages/g/