Rocky 8.10’s ghostscript-9.27-17.el8_10 remains vulnerable to CVE-2025-27837 (path traversal in gp_mswin.c), affecting PDF generation in Plesk/Magento/SuiteCRM stacks. Upstream fix requires 10.05.0+; EL8 backport or major bump needed for security. Recent RLSAs patched other CVEs but missed this—requesting SIG/Core prioritization.
cve-details says:

| Product | Component | State | Reason |
|---|---|---|---|
| RHEL 8 | ghostscript | Not affected | Vulnerable Code not in Execute Path |

Rocky has what RHEL has. Therefore, Rocky 8 should not be vulnerable.
Can you prove that the vulnerability is real in Rocky?
Most likely this is the usual vulnerability scanner going by version number alone and making assumptions, and thus a false positive. More on that here on the Rocky website: CVE hygiene - Documentation, including how to actually verify whether it’s the case or not.