Rocky 8.10’s ghostscript-9.27-17.el8_10 remains vulnerable to CVE-2025-27837 (path traversal in gp_mswin.c), affecting PDF generation in Plesk/Magento/SuiteCRM stacks. Upstream fix requires 10.05.0+; EL8 backport or major bump needed for security. Recent RLSAs patched other CVEs but missed this—requesting SIG/Core prioritization.
cve-details says:
| Product | Component | State | Reason |
|---|---|---|---|
| RHEL 8 | ghostscript | Not affected | Vulnerable Code not in Execute Path |
Rocky has what RHEL has. Therefore, Rocky 8 should not be vulnerable.
Can you prove that the vulnerability is real in Rocky?
1 Like
Most likely this is the usual vulnerability scanner going by version number alone and making assumptions, and thus a false positive. More on that here on the Rocky website: CVE hygiene - Documentation, and how to actually verify whether it's the case or not.
1 Like
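The false positive discussed in this thread, as an added example that is not part of any post: a version-only check flags ghostscript-9.27-17.el8_10 against the upstream fix version, and a triage step then consults vendor status rows before the finding is accepted. The row format, the `UPSTREAM_PRODUCT` mapping, the function names and the placeholder CVE row are assumptions constructed for illustration.

```python
import re

# Vendor status rows. The first mirrors the table quoted in the thread;
# the field names and the second (placeholder) row are constructed.
VENDOR_STATES = [
    {"cve": "CVE-2025-27837", "product": "RHEL 8", "component": "ghostscript",
     "state": "Not affected", "reason": "Vulnerable Code not in Execute Path"},
    {"cve": "CVE-0000-0001", "product": "RHEL 8", "component": "examplepkg",
     "state": "Affected", "reason": ""},
]
# Assumption taken from the thread: Rocky 8 carries what RHEL 8 carries.
UPSTREAM_PRODUCT = {"Rocky 8": "RHEL 8"}


def parse_nvr(nvr):
    """Split 'name-version-release' into its three parts."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def version_tuple(version):
    """Numeric components of a version string, e.g. '10.05.0' -> (10, 5, 0)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def naive_scanner_flags(nvr, upstream_fixed):
    """Version-only logic: compares upstream versions and ignores both the
    release field and whether the vulnerable file is built at all."""
    _, version, _ = parse_nvr(nvr)
    return version_tuple(version) < version_tuple(upstream_fixed)


def triage(cve, product, nvr, upstream_fixed, states=VENDOR_STATES):
    """Return (verdict, reason) for one scanner finding."""
    if not naive_scanner_flags(nvr, upstream_fixed):
        return "not-flagged", "installed version is at or above the upstream fix"
    name, _, _ = parse_nvr(nvr)
    vendor_product = UPSTREAM_PRODUCT.get(product, product)
    for row in states:
        if (row["cve"], row["product"], row["component"]) == (cve, vendor_product, name):
            if row["state"].lower() == "not affected":
                return "false-positive", row["reason"]
            return "vendor-affected", "vendor state: " + row["state"]
    # No vendor statement: keep the finding open for manual verification.
    return "needs-verification", "no vendor statement for this product/component"
```

A finding with no matching vendor row stays open instead of being suppressed, so a missing statement is never read as "not affected".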