Is it really true that no Red Hat fix exists for this High/Important 3-month-old glib issue?
0 votes | 0 answers | 234 views
## Short version
Red Hat Customer Portal lists [CVE-2021-27219](https://access.redhat.com/security/cve/cve-2021-27219) as having a 9.8 out of 10 Red Hat CVSS score, that it was published February 4, 2021, more than 3 months ago, and that it affects RHEL 8, the newest version.
Is there really no fix for it out yet?
## Longer version
If I read the above link correctly, the issue affects RHEL 6, 7 and 8 but no fix exists yet. (As opposed to e.g. [CVE-2021-3326](https://access.redhat.com/security/cve/CVE-2021-3326) where a fix was released yesterday).
At the same time, Red Hat's [ubi8/ubi-minimal](https://catalog.redhat.com/software/containers/ubi8/ubi-minimal/5c359a62bed8bd75a2c3fba8) docker image, updated today, shows:
> Health Index "A"(green) (This image does not have any unapplied Critical or Important security updates.)
When I upload that image to our [Harbor Registry](https://github.com/goharbor/harbor), it scans the image and lists it as having CVE-2021-27219 unfixed. Digging into Red Hat's own data, it looks like I have to agree with Harbor.
But then I find it highly misleading for Red Hat to list the image as having: Health Index "A". Sure, there is no *unapplied* fix, because the fix doesn't exist yet, but how can an image be healthy with a 9.8 score unfixed security issue *for 3 months*?
What am I misunderstanding?
Asked by Peter V. Mørch
(665 rep)
May 19, 2021, 04:41 PM
Last activity: May 20, 2021, 11:47 AM
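The distinction the question turns on (an *unapplied* errata versus a fix that does not exist yet) is visible in Red Hat's per-CVE security data, which lists products with a shipped advisory separately from products still marked "Affected". The following is an added example, not code from the question or from Red Hat; the field names are assumed from the Red Hat Security Data API's JSON, and the sample document is constructed for illustration, not the real data for CVE-2021-27219.

```python
import json

# Constructed sample in the shape of a Red Hat Security Data API CVE record
# (https://access.redhat.com/hydra/rest/securitydata/cve/<CVE>.json).
# Field names are assumed; values are made up and are NOT the real data.
SAMPLE_CVE_JSON = json.dumps({
    "name": "CVE-2021-27219",
    "cvss3": {"cvss3_base_score": "9.8"},
    # Products for which an errata already shipped a fixed package.
    "affected_release": [
        {"product_name": "Example Product (constructed)",
         "advisory": "RHSA-XXXX:YYYY (placeholder)",
         "package": "glib2-0:0.0-0.example (placeholder)"},
    ],
    # Products with no errata yet, and why.
    "package_state": [
        {"product_name": "Red Hat Enterprise Linux 8", "package_name": "glib2", "fix_state": "Affected"},
        {"product_name": "Red Hat Enterprise Linux 7", "package_name": "glib2", "fix_state": "Affected"},
        {"product_name": "Red Hat Enterprise Linux 6", "package_name": "glib2", "fix_state": "Out of support scope"},
    ],
})


def fix_status(cve_json: str, product: str) -> dict:
    """Classify one product's status for a CVE.

    A product in 'affected_release' has an advisory, so a fix exists and can be
    applied. A product in 'package_state' has no errata; its fix_state says
    whether one is pending ('Affected'), refused or out of support.
    """
    data = json.loads(cve_json)
    for rel in data.get("affected_release", []):
        if rel.get("product_name") == product:
            return {"fix_exists": True, "advisory": rel.get("advisory"),
                    "package": rel.get("package"), "state": "fixed"}
    for st in data.get("package_state", []):
        if st.get("product_name") == product:
            return {"fix_exists": False, "advisory": None,
                    "package": st.get("package_name"), "state": st.get("fix_state")}
    return {"fix_exists": False, "advisory": None, "package": None, "state": "unknown"}


def needs_attention(cve_json: str, product: str, min_score: float = 7.0) -> bool:
    """True when the CVE scores at or above min_score and the product is still
    'Affected' with no errata: the case a 'no unapplied updates' index hides."""
    data = json.loads(cve_json)
    score = float(data.get("cvss3", {}).get("cvss3_base_score", 0))
    status = fix_status(cve_json, product)
    return score >= min_score and not status["fix_exists"] and status["state"] == "Affected"
```

Run against the live record for a CVE, a "fix_exists: False / state: Affected" result for the product your image is built from is the condition to track separately from the image's unapplied-update health index.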