Thanks for outstanding support to users on various issues through this Alma Linux community open forum. We sincerely appreciate your kind support and committed efforts on the same.
We started working on a new release in our product in July’2022 and planning to get it CCO by Jan’2023. At the start of development phase, we had AlmaLinux 8.6 as the latest, stable OS available, and we upgraded our underlying OS from Alma Linux 8.5 to 8.6.
Recently we ran security scan (tenable / nessus scan) in our new Alma Linux 8.6 and found below vulnerabilities, divided into 2 groups.
Group 1:
Medium 166675 AlmaLinux 8 : kernel (ALSA-2022:7110)
High 166508 AlmaLinux 8 : zlib (ALSA-2022:7106)
High 166524 AlmaLinux 8 : device-mapper-multipath (ALSA-2022:7192)
High 166462 AlmaLinux 8 : libksba (ALSA-2022:7089)
Medium 166505 AlmaLinux 8 : samba (ALSA-2022:7111)
Medium 166673 AlmaLinux 8 : sqlite (ALSA-2022:7108)
Medium 166509 AlmaLinux 8 : gnutls (ALSA-2022:7105)
Group 2:
High 167303 AlmaLinux 8 : freetype (ALSA-2022:7745)
High 167442 AlmaLinux 8 : rsync (ALSA-2022:7793)
High 167444 AlmaLinux 8 : httpd:2.4 (ALSA-2022:7647)
High 167447 AlmaLinux 8 : kernel (ALSA-2022:7683)
Medium 167438 AlmaLinux 8 : pcs (ALSA-2022:7447)
High 167313 AlmaLinux 8 : qt5 (ALSA-2022:7482)
High 167440 AlmaLinux 8 : gdisk (ALSA-2022:7700)
Medium 167316 AlmaLinux 8 : unbound (ALSA-2022:7622)
Medium 167306 AlmaLinux 8 : bind (ALSA-2022:7790)
Medium 167292 AlmaLinux 8 : libxml2 (ALSA-2022:7715)
Medium 167315 AlmaLinux 8 : yajl (ALSA-2022:7524)
Medium 167445 AlmaLinux 8 : e2fsprogs (ALSA-2022:7720)
Medium 167459 AlmaLinux 8 : libldb (ALSA-2022:7730)
Medium 167307 AlmaLinux 8 : grafana (ALSA-2022:7519)
Medium 167294 AlmaLinux 8 : grafana-pcp (ALSA-2022:7648)
Of these, we have fix for Group 1 vulnerabilities on Alma Linux 8.6.
However, we don’t have fix currently available for Group2 vulnerabilities in Alma Linux 8.6
As it is too late for us to to perform another OS upgrade (from 8.6 to 8.7) and given that stable alam 8.6 is released only around 2 weeks back, we need your kind support to release these vulnerability fixes in AlmaLinux 8.6 as well.
Kindly help/support as this a show stopper for our release.
Does that mean Alma Linux 8.6 is End of Support / End of Life ?
Kindly consider our situation, where we don’t have Alma Linux 8.7 option during our development phase in Aug’2022 and now that 8.7 has been just released couple of weeks back, it is too tough for us to go for OS upgrade one month before our release.
Red Hat has RHEL 8. About every six months they release new “point release” that has some new features. Between point releases they release bug and vulnerability fixes for current point release.
Overall, the idea is that a RHEL major release can be used its entire lifetime (a decade) without significant changes to user services (that run with applications in RHEL). The feature updates ought to have minimal changes.
Red Hat does release sources for updates mentioned above. AlmaLinux rebuilds packages from those released sources.
See Red Hat Enterprise Linux Life Cycle - Red Hat Customer Portal
It does show that Red Hat does release bug and vulnerability fixes for RHEL 8.6 after RHEL 8.7 was released, but those are EUS (Extended Update Support) and Updates for SAP Solutions.
Red Hat does not release sources of EUS (US for SAP) packages.
The only way to access those is to purchase RHEL 8.6 EUS subscription.
There are no publicly available sources for “new” EL 8.6 content since release of EL 8.7
=> AlmaLinux (nor anyone else) cannot build packages for EL 8.6
If your product works only on RHEL 8.6, then only customers with RHEL 8.6 EUS subscription can use it now.
If your product is so tightly coupled to specific version of binaries that you cannot simply rebuild it against newer version of Enterprise Linux 8 libraries, then it is terribly fragile. Furthermore, product for 8.6 ought to have been released right after 8.6 was released and one should now have product for 8.7 ready for release.
you can of course just install security updates without moving to a whole new minor version release - you will essentially get the patches from 8.7 but it won’t become 8.7 (no new features or updated release file).
dnf updateinfo list cves
dnf updateinfo list security
dnf updateinfo info security
dnf upgrade --security
dnf upgrade --advisory=ALSA-2022:7745
i know oracle has recently started recommending that you don’t just apply security patches as it can trigger dependency hell.
only supporting a specific point release is nonsense really as its not like you’re testing your software against every patch between 8.6 and 8.7, plus if you have a functional bug, the first thing you’ll have to do is install the latest patches to see if its already fixed that way.
That debatable. Among the affected packages were kernel and qt. If you update those, then you will get both fixes and new features. We do know from all the 8.6/8.7 KDE-discussions that update of qt requires rebuild of every binary that depends on qt.
That is, if you wan’t only security fixes, then you should get sources of 8.6 packages, backport fixes to them, and rebuild (just like Red Hat does for EUS customers). However, then you have a system that nobody else in the world has.
We are upgrading Alma Linux 8.6 currently being used in our product to
Alma Linux 8.7 as part of our upcoming release targeted in August’2023.
Kindly let know if Alma Linux 8.7 will be active and if we can get all RPMs on 8.7 until this period (Aug’2023) (or) other words, what is the planned EOL date for Alma Linux 8.7.
“Version 8 will have active support until 01 May 2024, and security support until 01 Mar 2029.”
but that’s not to say 8.7, as 8.8 will be out around May 2023. you should be able to get the packages for 8.7 still (like you can get 8.6 packages still now) but i guess they won’t be updated. might be worth you making a local mirror of the repo’s.
if you must stay on a specific minor version or get security patches past EOL then you’ll probably want commercial support like TuxCare
AlmaLinux 8.7 EOL is at the moment AlmaLinux 8.8 is GA. Probably May 2023.
In practice, the very last packages for 8.7 are released before RHEL 8.8. is GA.
Therefore, in August 2023 RHEL 8 users (and derived distros, like AlmaLinux 8) will have 8.8.
The only exception being RHEL 8 users that pay for RHEL 8.7 EUS subscription.
Older point releases of AlmaLinux become end of life whenever a newer release comes out. This happens twice a year. Even if you base your product on 8.7 now, it will EOL as soon as 8.8 is out. This is the same way CentOS Linux used to handle this scenario.
But this is not at all bad. As soon as you pull down updates you will be automatically upgraded. There should not be any major or breaking changes between the minor versions, so your product should be safe.
