CVE-2023-0266 flaw: constraints imposed on production business servers on AlmaLinux

Hello,

As part of patching my machines for the CVE-2023-0266 flaw, this one requires migrating the kernel to AlmaLinux 8.7, whereas Red Hat offers a patch for el8.6. Why?

That imposes a serious constraint on production business servers, I find.

For a CVE flaw that does not touch the kernel it is fine, but for this one I don't understand Alma's choice.

Thanks for your feedback.

Red Hat describes that CVE in https://access.redhat.com/security/cve/cve-2023-0266
It shows an erratum for the RHEL 8 kernel dated 2023-04-04: https://access.redhat.com/errata/RHSA-2023:1566
The build date of the AlmaLinux 8 kernel-4.18.0-425.19.2.el8_7.x86_64 is 2023-04-04.
The kernel changelog includes:

- ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF (Jaroslav Kysela) [2163400 2163401] {CVE-2023-0266}

Alma released the patched kernel ASAP after Red Hat made the sources available. What is wrong with that?
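The reply above settles the question by looking at the package evidence: the build date, the NVR (including its el8_7 dist tag) and the changelog line tagged with the CVE. The script below is an added example, not code from the thread or from the AlmaLinux project, that turns those checks into something you can run on a host before or after the update. It assumes a POSIX sh with GNU coreutils (for `sort -V`); the changelog text and the "running" kernel name are constructed samples built from the line quoted above, and on a live system you would feed it `rpm -q --changelog "kernel-$(uname -r)"` instead.

```shell
#!/bin/sh
# Added example (not from the thread or AlmaLinux): confirm that a kernel
# package carries the fix for a CVE using its RPM changelog and its version.
# Assumes POSIX sh + GNU coreutils (sort -V). On a real host, rpm is needed.

# Constructed sample changelog: the entry quoted in the thread plus one
# unrelated entry. Live replacement: rpm -q --changelog "kernel-$(uname -r)"
SAMPLE_CHANGELOG='* Tue Apr 04 2023 (packager placeholder) [4.18.0-425.19.2.el8_7]
- ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF (Jaroslav Kysela) [2163400 2163401] {CVE-2023-0266}
- (constructed unrelated entry with no CVE tag)'

# Kernel build the reply identifies as carrying the fix on AlmaLinux 8.
FIXED_KERNEL='4.18.0-425.19.2.el8_7'

# Print the changelog lines (read from stdin) tagged with the given CVE.
# Exit status is grep's: 0 if at least one entry names the CVE, 1 otherwise.
changelog_fixes_cve() {
    grep -i -F "{$1}"
}

# Extract the dist tag (el8_7, el8_6, ...) from a kernel NVR, with or without
# a leading "kernel-" and a trailing architecture such as ".x86_64".
dist_tag() {
    printf '%s\n' "$1" | sed -n 's/.*\.\(el[0-9]*_[0-9]*\).*/\1/p'
}

# True if the installed kernel version-sorts at or above the required one.
# sort -V is GNU; rpm's own comparison rules differ in some corner cases but
# agree for kernel releases shaped like the ones in this thread.
kernel_is_at_least() {
    required="$1"
    installed="$2"
    lowest="$(printf '%s\n%s\n' "$required" "$installed" | sort -V | head -n 1)"
    [ "$lowest" = "$required" ]
}

# Stand-alone demonstration on the constructed sample.
# Live replacement for the running kernel: running="kernel-$(uname -r)"
running='kernel-4.18.0-425.19.2.el8_7.x86_64'
if printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_fixes_cve CVE-2023-0266 >/dev/null \
   && kernel_is_at_least "$FIXED_KERNEL" "${running#kernel-}"; then
    echo "$running: fix for CVE-2023-0266 present (dist tag $(dist_tag "$running"))"
else
    echo "$running: fix for CVE-2023-0266 NOT confirmed"
fi
```

The dist tag is the part that answers the original question: the only AlmaLinux 8 build whose changelog names this CVE is an el8_7 kernel, so a host that stays on 8.6 packages will never version-sort at or above it, and the changelog check will keep failing until the 8.7 kernel is installed.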


Red Hat did release on 2023-04-04 similar errata for their non-public RHEL branches, like RHEL 8.4 EUS and RHEL 8.6 EUS. They did not release anything for "RHEL 8.6", because that ended on the release of RHEL 8.7. Is that the cause of the confusion?
