Rocky Linux Adds Security Repo for Urgent Fixes
Rocky Linux Adds Security Repo for Urgent Fixes
https://linuxiac.com/rocky-linux-adds-security-repo-for-urgent-fixes/
Publish Date: 2026-05-15 05:22:00
Source Domain: linuxiac.com
Rocky Linux has launched an optional Security Repository to provide urgent fixes in exceptional security cases before upstream Enterprise Linux packages are released.
The repository is intended for cases where a significant vulnerability is public, exploit code exists, and waiting for upstream packages would leave systems exposed. It is disabled by default, so standard update behavior remains unchanged unless accelerated security fixes are needed.
This approach is a limited exception to Rocky Linux’s upstream-compatible model. The repository is not intended as a general fast-track update channel or a replacement for the standard release process.
Packages from the Security Repository are versioned for automatic replacement by later upstream Enterprise Linux updates; they do not include traditional errata records and do not appear through dnf update –security as standard advisories.
Enabling the security repository in Rocky Linux
The first use case involved Dirty Frag, a set of Linux kernel local privilege escalation vulnerabilities. Dirty Frag included two CVEs: one affecting ESP and another affecting RxRPC through the kernel-modules-partner package. The initial Security Repository kernel included fixes for both.
Red Hat has since addressed the ESP vulnerability in its latest builds. Rocky’s second kernel release included this upstream fix and continued to address the RxRPC issue. However, Rocky is now dropping the RxRPC patch because Red Hat does not ship the affected kernel-modules-partner package to customers, and Rocky only includes it in its development repository without support guarantees.
Rocky Linux states the Security Repository functioned as intended by bridging the gap until an upstream fix was available, without maintaining an independent patch for a package not intended for production systems.
If Rocky provides a temporary fix and upstream does not address the issue, the next upstream kernel release may supersede…
