An interesting fact about the affected versions: It was introduced in 2.34, so there was a comment on hackernews that Red Hat 8 isn’t affected because it ships with an earlier version. However, from Red Hat’s customer Portal:
Statement
This vulnerability was introduced in glibc 2.34 in commit 2ed18c. The commit that introduced the vulnerability was backported to RHEL-8.6 and is affected.
So just checking version numbers for vulnerabilities isn’t really enough. I had a similar discussion at work lately where a CVE fix was listed in a stable kernel’s changelog even though going by the vulnerable versions listed in the CVE itself, that kernel wasn’t affected.
An interesting fact about the affected versions: It was introduced in 2.34, so there was a comment on hackernews that Red Hat 8 isn’t affected because it ships with an earlier version. However, from Red Hat’s customer Portal:
So just checking version numbers for vulnerabilities isn’t really enough. I had a similar discussion at work lately where a CVE fix was listed in a stable kernel’s changelog even though going by the vulnerable versions listed in the CVE itself, that kernel wasn’t affected.
So if RHEL is affected, it means Rocky and AlmaLinux is too.