Rsync vulnerabilities

Does anyone know the patch schedule for the following recently-released rsync vulns?

https://access.redhat.com/security/cve/cve-2024-12085
https://access.redhat.com/security/cve/CVE-2024-12087
https://access.redhat.com/security/cve/CVE-2024-12088
https://access.redhat.com/security/cve/CVE-2024-12747

Much obliged.

-jm

When Red Hat provides the fixes for RHEL8 and RHEL9, it will then appear in Rocky 8 and Rocky 9. Rocky is based on RHEL, so we will have it when they have it. I have seen some rsync updates being pushed, and the usual patch schedule for Rocky once RHEL releases is 1-2 days. More info here: Rocky Linux Release and Version Guide - Rocky Linux Wiki

Fixes for CVE-2024-12085 are available now in Rocky 8.10 and 9.5.

In 8.10, rsync-3.1.3-20.el8_10 has the fix and in 9.5, rsync-3.2.3-20.el9_5.1 has the fix.

For the other CVEs, it looks like Red Hat is still reviewing the patches. It seems that some of them have caused regressions upstream, and the vulnerability scores are lower, so this is probably a wise call.


@jmcnally you can look at the changelog from installed package. For example:

rpm -q --changelog rsync | less
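One way to turn that changelog check into a repeatable script, as an added example that is not from this thread: it compares the installed NVR against the fixed builds quoted above and confirms the changelog mentions the CVE. It assumes GNU `sort -V` for version ordering and a changelog excerpt constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether an installed rsync
# package carries the fix for a given CVE, using two independent signals:
#  1. the fixed NVR named in the thread (rsync-3.1.3-20.el8_10 / rsync-3.2.3-20.el9_5.1)
#  2. a CVE reference in the package changelog (rpm -q --changelog rsync)

# nvr_at_least INSTALLED FIXED -> 0 if INSTALLED orders >= FIXED under GNU sort -V.
# Only meaningful when both NVRs are for the same package and the same
# Rocky/RHEL release; an "rsync is not installed" string is rejected.
nvr_at_least() {
    installed="$1"; fixed="$2"
    case "$installed" in rsync-*) ;; *) return 1 ;; esac
    [ "$installed" = "$fixed" ] && return 0
    highest=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | tail -n 1)
    [ "$highest" = "$installed" ]
}

# changelog_mentions_cve CVE-ID (changelog text on stdin) -> 0 if the id appears.
changelog_mentions_cve() {
    grep -q -i -- "$1"
}

# Constructed changelog excerpt in rpm --changelog layout; the entries are a
# hypothetical illustration, not the real package changelog.
SAMPLE_CHANGELOG='* Tue Jan 14 2025 Example Maintainer <maint@example.com> - 3.1.3-20
- Resolves: CVE-2024-12085

* Mon Jun 10 2024 Example Maintainer <maint@example.com> - 3.1.3-19
- Rebuilt for 8.10'

# rsync_patched INSTALLED_NVR FIXED_NVR CVE-ID CHANGELOG_TEXT
# -> 0 only when both the version check and the changelog check agree.
rsync_patched() {
    nvr_at_least "$1" "$2" && printf '%s\n' "$4" | changelog_mentions_cve "$3"
}

# On a real Rocky 8.10 host:
#   installed=$(rpm -q rsync --qf '%{NAME}-%{VERSION}-%{RELEASE}\n')
#   rsync_patched "$installed" rsync-3.1.3-20.el8_10 CVE-2024-12085 "$(rpm -q --changelog rsync)"
```

Run the real-host lines for the Rocky 9.5 build by substituting rsync-3.2.3-20.el9_5.1 as the fixed NVR.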