Best practice: always check the Red Hat CVE database. Example: CVE-2024-3094 (or any other CVE).
CVE-2024-3094 is not an issue for RHEL 6 through 9.
Hint:
- Go to https://access.redhat.com
- Click on "Security" at top
- Click on "Red Hat CVE Database"
- Type the entire CVE into the input box such as "CVE-2024-3094" (without the quotes)
- Hit "Go"
The Red Hat CVE response will come up. In this example, it is:
https://access.redhat.com/security/cve/cve-2024-3094.
IMPORTANT NOTE ON BACKPORTING
Rabidly installing non-Red Hat editions of an RPM to mitigate a falsely perceived vulnerability is a very bad practice, because of "backporting".
Quote from the Red Hat Backporting article:
Backporting has a number of advantages for customers, but it can create confusion when it is not understood. Customers need to be aware that just looking at the version number of a package will not tell them if they are vulnerable or not. For example, stories in the press may include phrases such as "upgrade to Apache httpd 2.0.43 to fix the issue," which only takes into account the upstream version number. This can cause confusion as even after installing updated packages from a vendor, it is not likely customers will have the latest upstream version. They will instead have an older upstream version with backported patches applied.

Also, some security scanning and auditing tools make decisions about vulnerabilities based solely on the version number of components they find. This results in false positives as the tools do not take into account backported security fixes.
Bottom line: please consult the Red Hat CVE responses when deciding how to respond to vulnerabilities you are researching, both to get valid information and to save you and your organization from exposing yourselves to more vulnerabilities.
Regards,
RJ
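To make the backporting point concrete, here is an added example (not from the post above or from Red Hat) that puts the two decision methods side by side: the version-only comparison the quoted article warns about, and a lookup of Red Hat's per-product fix state from a CVE record. The CVE record, advisory id, product names and version strings are constructed samples shaped like the Red Hat Security Data API JSON, not live data.

```python
"""Added example: version-only vulnerability check vs. Red Hat's per-product CVE data.
The records below are CONSTRUCTED samples (field names follow the Red Hat Security
Data API CVE JSON; all values are invented), so the script runs offline."""
import json
import re

# Constructed sample: what a press story says vs. what the RHEL host actually has.
PRESS_FIXED_UPSTREAM = "2.0.43"           # "upgrade to Apache httpd 2.0.43"
INSTALLED_RPM_VERSION = "2.0.40-21.11"    # older upstream version, patches backported

# Constructed sample CVE record; the CVE id and advisory id are placeholders.
SAMPLE_CVE_JSON = json.dumps({
    "name": "CVE-0000-00000",
    "affected_release": [
        {"product_name": "Red Hat Enterprise Linux 8",
         "advisory": "RHSA-0000:0000", "package": "httpd-0:2.0.40-21.11"},
    ],
    "package_state": [
        {"product_name": "Red Hat Enterprise Linux 9",
         "fix_state": "Not affected", "package_name": "httpd"},
    ],
})


def version_only_says_vulnerable(installed: str, fixed_upstream: str) -> bool:
    """Naive scanner logic: flag when the installed upstream version is older
    than the upstream version named as the fix. Ignores backported patches."""
    def key(v: str):
        # Drop the RPM release (after '-') and compare numeric upstream segments.
        return tuple(int(x) for x in re.findall(r"\d+", v.split("-")[0]))
    return key(installed) < key(fixed_upstream)


def red_hat_fix_state(cve_json: str, product: str) -> str:
    """Red Hat's answer for one product: its fix state, the advisory that fixed
    it, or 'Unknown' when the record says nothing about that product."""
    record = json.loads(cve_json)
    for state in record.get("package_state", []):
        if state["product_name"] == product:
            return state["fix_state"]
    for rel in record.get("affected_release", []):
        if rel["product_name"] == product:
            return f"Fixed by {rel['advisory']} ({rel['package']})"
    return "Unknown"


if __name__ == "__main__":
    # Version-only check flags the backported build as vulnerable (a false positive).
    print("version-only:", version_only_says_vulnerable(INSTALLED_RPM_VERSION, PRESS_FIXED_UPSTREAM))
    for prod in ("Red Hat Enterprise Linux 8", "Red Hat Enterprise Linux 9", "Red Hat Enterprise Linux 6"):
        print(prod, "->", red_hat_fix_state(SAMPLE_CVE_JSON, prod))
```

The same `red_hat_fix_state` logic applies to a record fetched from the real CVE page for a given CVE; only the constructed sample data is invented here.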