Sqlite -3.26.0-18

Howdy,
We are running Rocky 8.8 and are fully patched with no security updates available. We use the Qualys Agent plugin for tracking software vulnerabilities and it’s reporting the following:

I’m curious to know if this was patched in the version of 3.26.0-18 we have running? I’m unable to find any specific information regarding this vulnerability.

Thanks in advance,
K Hanson, MSU Research Cyberinfrastructure

When you have CVE number, you can seek from Red Hat’s pages.
The above CVE-2020-15358 has page: cve-details

It does show that RHEL 8 was vulnerable, but a fix was released in May 2021.
Details of the Security Advisory https://access.redhat.com/errata/RHSA-2021:1581 do show that the fix was in package sqlite-3.26.0-13.el8. What RHEL 8 (and Rocky 8) do have now is probably more recent than that.

You can look at changelog of a package. For example:

rpm -q --changelog sqlite | grep -iE "3.26.0-13|cve-2020-15358"

If you find that the sqlite is already a fixed version (which is likely), then you have to decide what to do with “security scanner” that does not actually test whether your system is vulnerable.

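As an added example (not code from this thread or from Rocky/Red Hat), the Python below does the two checks the reply describes, for any package: it finds the changelog entry that mentions a CVE, then compares the installed epoch:version-release against that entry's release using a simplified rpmvercmp. The changelog text is a constructed sample in the format `rpm -q --changelog` prints, not the real sqlite changelog; in practice you would feed in the command's actual output.

```python
import re

# Constructed sample of `rpm -q --changelog sqlite` output; wording and date are made up here.
SAMPLE_CHANGELOG = """\
* Mon May 03 2021 Example Maintainer <maint@example.invalid> - 3.26.0-13
- Fix CVE-2020-15358 (constructed entry)
* Thu Feb 11 2021 Example Maintainer <maint@example.invalid> - 3.26.0-12
- Unrelated bug fix (constructed entry)
"""

def rpmvercmp(a, b):
    """Simplified rpm version comparison (no '~'/'^' handling): returns -1, 0 or 1."""
    if a == b:
        return 0
    # rpm compares runs of digits and runs of letters; other characters only separate them
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than an alpha one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def parse_evr(evr):
    """Split 'epoch:version-release' into (epoch, version, release); epoch defaults to 0."""
    epoch, rest = evr.split(":", 1) if ":" in evr else ("0", evr)
    version, _, release = rest.partition("-")
    return int(epoch), version, release

def compare_evr(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def changelog_fix_release(changelog, cve):
    """Return the version-release of the first changelog entry mentioning `cve`, or None."""
    for entry in re.split(r"^\* ", changelog, flags=re.MULTILINE):
        if cve.lower() in entry.lower():
            return entry.splitlines()[0].rsplit(" - ", 1)[-1]  # header ends in ' - X.Y.Z-N'
    return None

def is_patched(installed_evr, cve, changelog=SAMPLE_CHANGELOG):
    """True when the installed EVR is at or past the release whose changelog entry fixes `cve`."""
    fix = changelog_fix_release(changelog, cve)
    return fix is not None and compare_evr(installed_evr, fix) >= 0
```

With the installed 3.26.0-18.el8 from the question, `is_patched("3.26.0-18.el8", "CVE-2020-15358")` is true because the release 18 sorts after the fixing release 13, which is exactly the backport a scanner keyed on the upstream version number alone misses.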

I appreciate the rapid response! We’ve been finding the Qualys rules are pretty generic and in several instances they flag software pkgs generically by release number.

Thank you!

Kenny