Description
Problem Statement
Currently, Apollo clones Red Hat advisories by matching RPM NEVRA strings, under the assumption that Rocky Linux will build every version of every Red Hat RPM. In practice, this is not always feasible—some Red Hat packages are not built or available in Rocky repositories. As a result, certain Red Hat advisories and their associated CVE fixes are missing from the Rocky Errata, leading to incomplete vulnerability and fix representation for Rocky Linux users.
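To make the gap concrete, here is an added Python model of the cloning step the paragraph describes. It is illustrative code written for this issue, not Apollo's implementation: the matching rule (an advisory is cloned only when every RPM it ships has an identical Rocky NEVRA), the `parse_nevra` helper, and the advisory ids, CVE ids and NEVRA strings are all constructed placeholders. It shows how CVEs silently disappear when a package or a package version has no Rocky build, and one possible shape for reporting them instead of dropping them.

```python
"""Model of NEVRA-based advisory cloning and the CVE gap it leaves.

Added example; not Apollo's code. All advisory ids, CVE ids and NEVRAs
below are constructed placeholders, and the matching rule is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Nevra:
    name: str
    epoch: str
    version: str
    release: str
    arch: str


def parse_nevra(s: str) -> Nevra:
    """Parse 'name-[epoch:]version-release.arch'.

    Package names may themselves contain '-', so split from the right:
    arch follows the last '.', release the last '-', version the next '-'.
    """
    base, arch = s.rsplit(".", 1)
    nv, release = base.rsplit("-", 1)
    name, version = nv.rsplit("-", 1)
    epoch = "0"
    if ":" in version:
        epoch, version = version.split(":", 1)
    return Nevra(name, epoch, version, release, arch)


@dataclass(frozen=True)
class Advisory:
    id: str
    cves: frozenset  # CVE ids the advisory fixes
    rpms: frozenset  # NEVRA strings it ships


# Constructed sample advisories (placeholder ids, not real Red Hat data).
RED_HAT_ADVISORIES: List[Advisory] = [
    Advisory("RHSA-EXAMPLE:0001", frozenset({"CVE-0000-0001"}),
             frozenset({"foo-0:1.2.3-4.el9.x86_64", "foo-libs-0:1.2.3-4.el9.x86_64"})),
    Advisory("RHSA-EXAMPLE:0002", frozenset({"CVE-0000-0002", "CVE-0000-0003"}),
             frozenset({"bar-1:2.0.0-1.el9.x86_64"})),  # 'bar' never built in Rocky
    Advisory("RHSA-EXAMPLE:0003", frozenset({"CVE-0000-0004"}),
             frozenset({"foo-0:1.2.3-5.el9.x86_64"})),  # newer 'foo' not built yet
]

# NEVRAs Rocky has built (constructed sample).
ROCKY_BUILT: Set[str] = {
    "foo-0:1.2.3-4.el9.x86_64",
    "foo-libs-0:1.2.3-4.el9.x86_64",
    "baz-0:3.1.0-2.el9.x86_64",
}


def clone_by_nevra(advisories: Iterable[Advisory], rocky_built: Set[str]) -> List[Advisory]:
    """Current behaviour as described in the issue (assumed rule: clone an
    advisory only when every RPM it ships has an identical Rocky NEVRA)."""
    return [a for a in advisories if a.rpms <= rocky_built]


def missing_cves(advisories: List[Advisory], cloned: List[Advisory]) -> List[str]:
    """CVEs Red Hat addressed that never reach Rocky's errata under NEVRA cloning."""
    all_cves = set().union(*(a.cves for a in advisories))
    cloned_cves = set().union(*(a.cves for a in cloned))
    return sorted(all_cves - cloned_cves)


def cve_status(advisories: List[Advisory], rocky_built: Set[str]) -> Dict[str, dict]:
    """One possible shape for the proposed mechanism: report every CVE, and for
    unmatched advisories record why the match failed rather than dropping them."""
    built_names = {parse_nevra(n).name for n in rocky_built}
    report: Dict[str, dict] = {}
    for adv in advisories:
        for cve in adv.cves:
            if report.get(cve, {}).get("status") == "fixed":
                continue  # a cloned advisory already covers this CVE
            if adv.rpms <= rocky_built:
                report[cve] = {"status": "fixed", "source": adv.id}
                continue
            unmatched = [parse_nevra(r) for r in adv.rpms if r not in rocky_built]
            never_shipped = [n.name for n in unmatched if n.name not in built_names]
            # Distinguish "Rocky does not ship this package" from "this version
            # is not built yet": the first is a permanent gap, the second a lag.
            status = "package-not-shipped" if never_shipped else "version-not-built"
            report[cve] = {"status": status, "source": adv.id,
                           "packages": sorted(n.name for n in unmatched)}
    return report


if __name__ == "__main__":
    cloned = clone_by_nevra(RED_HAT_ADVISORIES, ROCKY_BUILT)
    print("cloned:", [a.id for a in cloned])
    print("CVEs lost by NEVRA cloning:", missing_cves(RED_HAT_ADVISORIES, cloned))
    for cve, info in sorted(cve_status(RED_HAT_ADVISORIES, ROCKY_BUILT).items()):
        print(cve, info)
```

With the constructed data, only the first advisory is cloned and three of the four CVEs vanish from the errata; `cve_status` keeps all four and separates the package that Rocky never ships from the one whose newer version is simply not built yet, which is the distinction a consumer of the errata feed needs in order to judge remediation status.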
Proposed Solution
We need to design and implement a mechanism to ensure that all addressed CVEs—even those tied to advisories for packages not present in Rocky Linux—are incorporated and surfaced in Rocky’s errata data. This will provide users with a more accurate overview of available security fixes and advisories, regardless of package matching limitations.
Impact
Improving this process will enhance transparency and completeness in security reporting for Rocky Linux, equipping users with a more comprehensive understanding of CVE remediation status.