#RedHat has declined to address #CVE202338403 (iperf3 integer overflow and heap corruption) in #RHEL for which an upstream patch has already been submitted.

"We commit to addressing Red Hat defined Critical and Important security issues. Security vulnerabilities with Low or Moderate severity will be addressed on demand when customer or other business requirements exist to do so." is a response indicative of corporate #Linux #enshittification.

https://gitlab.com/redhat/centos-stream/rpms/iperf3/-/merge_requests/5#note_1476867836

NIST hasn't yet scored it, but Debian calls it "serious". https://nvd.nist.gov/vuln/detail/CVE-2023-38403

Fixes CVE-2023-38403 - Resolves: rhbz#2223729 (!5)

@linuxandyarn I think the Red Hat guy is saying "Until this vulnerability directly hits a customer, we'll keep this patch in our back pocket." Not a good look there.

I agree with Debian that it's a serious vuln whose patch should be applied well before an incident occurs. But I'll bet AlmaLinux and Oracle Linux will deploy it soon.