• Laser@feddit.de
    link
    fedilink
    arrow-up
    19
    ·
    1 year ago

    An interesting fact about the affected versions: It was introduced in 2.34, so there was a comment on hackernews that Red Hat 8 isn’t affected because it ships with an earlier version. However, from Red Hat’s customer Portal:

    Statement

    This vulnerability was introduced in glibc 2.34 in commit 2ed18c. The commit that introduced the vulnerability was backported to RHEL-8.6 and is affected.

    So just checking version numbers for vulnerabilities isn’t really enough. I had a similar discussion at work lately where a CVE fix was listed in a stable kernel’s changelog even though going by the vulnerable versions listed in the CVE itself, that kernel wasn’t affected.

    • loki@lemmy.ml
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      So if RHEL is affected, it means Rocky and AlmaLinux is too.