The developers of the Rocky Linux distribution announced the creation of a separate repository for the unscheduled publication of urgent package updates that fix vulnerabilities. This repository is not synchronized with the Red Hat Enterprise Linux repositories. It is noted that the Rocky Linux project adheres to the principle of staying as close as possible to the RHEL package base, but recent security threats have forced it to make an exception.
Only emergency updates will be published in the “security” repository. These are generated when information about critical vulnerabilities is disclosed without prior notice and a working exploit exists, but the RHEL developers have not yet had time to create updates with fixes. A similar situation was observed with the Copy Fail, Dirty Frag, and Fragnesia vulnerabilities.
Thanks to the “security” repository, the Rocky Linux project will be able to publish updates quickly on its own, without waiting for Red Hat to do so. Once RHEL releases a fix, the package published for RHEL will replace the package containing the fix from Rocky Linux. By default, the “security” repository is disabled and must be activated with the command “sudo dnf --enablerepo=security update”.
Meanwhile, the Alma Linux distribution, without waiting for RHEL, published package updates to quickly fix the ssh-keysign-pwn, NGINX Rift, Fragnesia, Dirty Frag, and Copy Fail vulnerabilities. The packages were initially placed in the “almalinux-testing” test repository and then moved to the main one.