Shim15.8 RPM availability for Rocky Linux 9 to fix CVE-2023-40546 CVE-2023-40547 CVE-2023-40548 CVE-2023-40549 CVE-2023-40550 CVE-2023-40551

I know there was a previous thread on this topic a few months ago, however there does not seem to be any updates available right now.
Unfortunately we are currently blocked from using this OS version at this time because it contains critical vulnerabilities and there is a fix available.
What’s the timeline to get an updated package version?

Rocky’s shim-15.8 was released back in April for EL8 and EL9 which addressed all of these.

This was co-incident with refreshing our signing certificate – Secure Boot Key Refresh - 2024 - Rocky Linux

OK. With the latest Rocky Linux 9.4 AMI in AWS, when I run dnf upgrade there are no updated packages for shim-x64.

# cat /etc/rocky-release
Rocky Linux release 9.4 (Blue Onyx)

And the currently installed packages, after a dnf upgrade

# rpm -qa | grep shim-x64
shim-x64-15.8-2.el9.x86_64

In fact, I am expecting another release, like shim-x64-15.8-4.el9_4 or something along those lines.

Is the updated package. It was released in April and addressed those CVEs.

shim-x64-15.8-2 is the correct version for our distribution. This not only addresses vulnerabilities, but it also introduces secure boot on ARM, which our upstream (as far as I know) does not have at this time.

Is this coming from a vulnerability scanner of some sort? If so, please work with their customer support to report it as a false positive. We also encourage companies who design said software to reach out and work with us on issues like these.


Note: We had a bug report opened up about this before. The reasoning for the difference is also explained there.


Is this coming from a vulnerability scanner of some sort? If so, please work with their customer support to report it as a false positive. We also encourage companies who design said software to reach out and work with us on issues like these.

@nazunalika we are hitting an issue with this as well. We have our own scanner which uses OVAL data published by Red Hat, which we adjust to work with Rocky packages. It works well, apart from this case where Rocky and RHEL have drifted in terms of patched package versions.

We did try to migrate to the Rocky OVAL data, however we hit 2 basic bugs with it, which make it unusable. I have raised 2 issues with PRs 3 months ago, but have heard nothing:
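The false positive discussed in this thread comes down to rpm's version-comparison rules being applied against the wrong distribution's "fixed" version. The block below is an added example, not code from the thread, from Rocky, or from any scanner: it implements rpmvercmp in Python and shows that the installed shim-x64 15.8-2.el9 is reported as affected when compared with a RHEL-style fixed version (a constructed stand-in, since the thread only guesses at 15.8-4.el9_4) but not when compared with Rocky's own fixed version.

```python
import re
# From the thread: Rocky's fixed build is 15.8-2.el9. RHEL_FIXED_ASSUMED is a constructed stand-in, not an advisory fact.
ROCKY_FIXED, RHEL_FIXED_ASSUMED, INSTALLED = "15.8-2.el9", "15.8-4.el9_4", "15.8-2.el9"

def rpmvercmp(a: str, b: str) -> int:
    """rpm's segment-wise compare of version or release strings: -1/0/1 ('^' omitted)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):  # skip separators
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta, tb = a[i:i + 1] == "~", b[j:j + 1] == "~"
        if ta != tb:  # a tilde sorts below anything, even the end of the string
            return -1 if ta else 1
        if ta:  # both sides have '~': consume it and continue
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()  # a's next char decides: digit run or letter run
        pat = r"\d+" if isnum else r"[A-Za-z]+"
        sa, mb = re.match(pat, a[i:]).group(0), re.match(pat, b[j:])
        if mb is None:  # a numeric segment sorts after an alphabetic one
            return 1 if isnum else -1
        sb = mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1  # whichever side has characters left wins

def evr_compare(a: str, b: str) -> int:  # 'epoch:version-release'; a missing epoch is 0
    def split(evr):
        epoch, sep, rest = evr.partition(":")
        version, _, release = (rest if sep else evr).partition("-")
        return (int(epoch) if sep else 0), version, release
    (ea, va, ra), (eb, vb, rb) = split(a), split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_flagged(installed: str, fixed_in: str) -> bool:  # OVAL-style "affected" test
    return evr_compare(installed, fixed_in) < 0
```

`is_flagged(INSTALLED, RHEL_FIXED_ASSUMED)` is True while `is_flagged(INSTALLED, ROCKY_FIXED)` is False, which is why a scanner fed RHEL OVAL fixed versions reports the Rocky build as vulnerable.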