Stream: troubleshooting

Topic: Question about Rocky Linux 8 vulnerabilities


Deirdre Kirmis (Feb 10 2026 at 00:38):

Hi All .. for anyone running Rocky Linux 8 .. we keep getting notifications from our scanner that we have CVE vulnerabilities for things that have long been patched. Is anyone else seeing this just from Rocky Linux? We are running the subscription from AWS and patch monthly, and run security patches every other 2 weeks. If I search the RPM log I can see "resolved" for each of the specified vulns. I believe the scanners likely just look at the package version and aren't able to see backport patches, but is there any way to send that info to the scanner, or at least keep the scanner from seeing the package version? How do other orgs handle this? Are you upgrading to Rocky 9?

Deirdre Kirmis (Feb 10 2026 at 01:17):

In researching this I see that Rocky/RHEL backport fixes without changing upstream versions, whereas Ubuntu increments package versions when fixing CVEs .. most of our systems are Ubuntu, so we don't have this happen with any of our other systems .. I want to keep with the recommended OS so just wondering if anyone comes across this and how do you manage it (i.e., just submit false positives with justification)?

Deirdre Kirmis (Feb 10 2026 at 02:07):

and answering my own question .. sometimes you can configure the scanner to use vendor advisories instead of package versions

Philip Durbin 🚀 (Feb 10 2026 at 14:49):

My expertise is seriously out of date, having not used security scanning tools in probably 15 years, but, yes, I feel like back then anyway some tools would only look at version numbers. A vendor like Red Hat would backport fixes but the scanning tool sometimes couldn't tell.

Deirdre Kirmis (Feb 10 2026 at 15:20):

Yeah, I found this: https://access.redhat.com/security/updates/backporting
.. which I think explains it, and Ubuntu does increment the version of the package so we don't get these false positive security notices from those systems .. but just curious if others doing scanning just submit justifications continuously for these? I guess there is a way to configure the scanner to look at advisories on the system instead of package versions but our SOC team would have to be aware and do that, as they control the scanner. I likely should look into migrating to Ubuntu but really want to stay with the supported OS. Anyway, thanks for the input.


Last updated: Apr 03 2026 at 06:08 UTC