I know there was a previous thread on this topic a few months ago; however, there do not seem to be any updates available right now.
Unfortunately we are currently blocked from using this OS version at this time because it contains critical vulnerabilities and there is a fix available.
What’s the timeline to get an updated package version?
shim-x64-15.8-2 is the correct version for our distribution. This not only addresses vulnerabilities, but it also introduces secure boot on ARM, which our upstream (as far as I know) does not have at this time.
Is this coming from a vulnerability scanner of some sort? If so, please work with their customer support to report it as a false positive. We also encourage companies who design said software to reach out and work with us on issues like these.
Note: We had a bug report opened up about this before. The reasoning for the difference is also explained there.
@nazunalika we are hitting an issue with this as well. We have our own scanner which uses OVAL data published by Red Hat, which we adjust to work with Rocky packages. It works well, apart from this case where Rocky and RHEL have drifted in terms of patched package versions.
We did try to migrate to the Rocky OVAL data; however, we hit 2 basic bugs with it, which make it unusable. I raised 2 issues with PRs 3 months ago, but have heard nothing: