For Rocky Linux 8, there seem to be a number of missing or very late errata. Examples: RHSA-2022:4776 released 2022-05-27, RLSA-2022:4776 released 2022-07-07. RHSA-2022:0818 released 2022-03-10, no corresponding RLSA AFAICT.
Am I misunderstanding - is there some perfectly good explanation for such delayed or missing advisories or is this just a reflection of kinks still being worked out in the errata notification system? Any ETAs on a new system?
Rocky Linux 9 errata is in the works and is mostly ready, but not fully completed. It has to be fully brought into peridot (our build system) so updateinfo can be merged into the repositories via yumrepofs. @mustafa would be able to provide more information about this.
Firefox 91.1 has long been superseded. Even so, the errata is there. 2022:0818 was during the 8.5 release cycle and not available in the repo metadata as that firefox package was not shipped at 8.6’s release. Using the 2022:4776 example, this is straight from the updateinfo file in the repo metadata.
<update from="releng@rockylinux.org" status="final" type="security" version="2">
<id>RLSA-2022:4776</id>
<title>Critical: firefox security update</title>
<issued date="2022-05-27 00:00:00"></issued>
<updated date="2022-05-27 00:00:00"></updated>
<rights>Copyright (C) 2022 Rocky Enterprise Software Foundation</rights>
<release>Rocky Linux 8</release>
<pushcount>1</pushcount>
<severity>SEVERITY_CRITICAL</severity>
<summary>An update for firefox is now available for Rocky Linux 8.
Rocky Enterprise Software Foundation Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.</summary>
<description>Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.
This update upgrades Firefox to version 91.9.1 ESR.
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.</description>
<references>
<reference href="https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-1529.json" id="CVE-2022-1529" type="cve" title="Update information for CVE-2022-1529 is retrieved from Red Hat"></reference>
<reference href="https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-1802.json" id="CVE-2022-1802" type="cve" title="Update information for CVE-2022-1802 is retrieved from Red Hat"></reference>
</references>
<pkglist>
<collection short="RL8">
<name>Rocky Linux 8</name>
<package name="firefox" version="91.9.1" release="1.el8_6" epoch="0" arch="x86_64" src="firefox-91.9.1-1.el8_6.src.rpm">
<filename>firefox-91.9.1-1.el8_6.x86_64.rpm</filename>
<reboot_suggested></reboot_suggested>
<sum type="sha256">a622ecb5bdd7309923b929740e63371d8d1b64f93b4107eda1098bda35dba50f</sum>
</package>
</collection>
</pkglist>
</update>
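An added example, not part of the original posts and not Rocky Linux tooling: one way to check whether given advisories are present in a repository's updateinfo metadata, as the reply above does by hand for RLSA-2022:4776. The sample document is constructed from the excerpt above (trimmed and wrapped in an `<updates>` root), the function names are hypothetical, and mapping an RHSA to an RLSA by keeping the same number is an assumption taken from the thread's examples.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the advisory quoted above, trimmed, inside an <updates> root.
SAMPLE_UPDATEINFO = """<updates>
<update from="releng@rockylinux.org" status="final" type="security" version="2">
<id>RLSA-2022:4776</id>
<issued date="2022-05-27 00:00:00"></issued>
<severity>SEVERITY_CRITICAL</severity>
<references>
<reference id="CVE-2022-1529" type="cve"></reference>
<reference id="CVE-2022-1802" type="cve"></reference>
</references>
<pkglist><collection short="RL8">
<package name="firefox" version="91.9.1" release="1.el8_6" epoch="0" arch="x86_64">
<filename>firefox-91.9.1-1.el8_6.x86_64.rpm</filename>
</package>
</collection></pkglist>
</update>
</updates>"""

def parse_updateinfo(xml_text):
    """Return {advisory_id: record} for every <update> element in the document."""
    advisories = {}
    for upd in ET.fromstring(xml_text).iter("update"):
        issued = upd.find("issued")
        advisories[upd.findtext("id", "").strip()] = {
            "type": upd.get("type"),
            "severity": upd.findtext("severity"),
            "issued": issued.get("date") if issued is not None else None,
            "cves": sorted(r.get("id", "") for r in upd.iter("reference") if r.get("type") == "cve"),
            "packages": sorted(p.findtext("filename", "") for p in upd.iter("package")),
        }
    return advisories

def check_upstream_ids(rhsa_ids, advisories):
    """Map each RHSA id to its RLSA record; None means it is absent from this metadata."""
    found = {}
    for rhsa in rhsa_ids:
        rlsa = "RLSA-" + rhsa.split("-", 1)[1]  # assumption: same number, RLSA prefix
        found[rhsa] = advisories.get(rlsa)
    return found

if __name__ == "__main__":
    parsed = parse_updateinfo(SAMPLE_UPDATEINFO)
    for rhsa, rec in check_upstream_ids(["RHSA-2022:4776", "RHSA-2022:0818"], parsed).items():
        print(rhsa, "->", "absent from metadata" if rec is None else f"{rec['issued']} {rec['cves']}")
```

An advisory reported as absent only means it is not in the metadata that was parsed; as the reply notes, an erratum for a package not shipped in the current release's repository will not appear there.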