The customer checks for the rsync CVE fix on their server using the following command:
$ rpm -qi --changelog rsync
But they did not find the string 'CVE-2024-12085' in the changelog after 'rsync-3.1.3-20.el8_10' was installed.
I checked the changelog and found that this 'Info Leak' was fixed under RHEL-70157:
~~~
$ rpm -qi --changelog rsync-3.1.3-20.el8_10.x86_64.rpm
Name : rsync
Version : 3.1.3
Release : 20.el8_10
Architecture: x86_64
Install Date: (not installed)
Group : Applications/Internet
Size : 844382
License : GPLv3+
Signature : RSA/SHA256, Mon Jan 13 06:46:45 2025, Key ID 199e2f91fd431d51
Source RPM : rsync-3.1.3-20.el8_10.src.rpm
Build Date : Fri Jan 3 09:29:08 2025
Build Host : x86-037.brew-001.prod.iad2.dc.redhat.com
Relocations : (not relocatable)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor : Red Hat, Inc.
URL : http://rsync.samba.org/
Summary : A program for synchronizing files over a network
Description :
Rsync uses a reliable algorithm to bring remote and host files into
sync very quickly. Rsync is fast because it just sends the differences
in the files over the network instead of sending the complete
files. Rsync is often used as a very powerful mirroring process or
just as a more capable replacement for the rcp command. A technical
report which describes the rsync algorithm is included in this
package.
- Fri Jan 03 2025 Michal Ruprich <mruprich@redhat.com> - 3.1.3-20
- Resolves: RHEL-70157 - Info Leak via Uninitialized Stack Contents <=========
- Wed Nov 02 2022 Michal Ruprich <mruprich@redhat.com> - 3.1.3-19.1
- Resolves: #2139118 - rsync-daemon fail on 3.1.3
~~~
The customer would like Red Hat to also list the fixed CVE number in the rpm changelog, not only the internal Red Hat JIRA number, so that they can confirm the CVE has been fixed via the rpm command in automated tools.
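As an added example (not part of this ticket or of the rsync package), the following POSIX shell snippet shows how an automated check can cope with a changelog that names only the tracker id: it accepts either the CVE id or the RHEL JIRA id as proof of the fix. The function and variable names are mine; the sample changelog is constructed from the two entries quoted above, in the `* date` form that `rpm --changelog` prints.

```shell
#!/bin/sh
# Added example, not part of the ticket: check an rpm changelog for a fix by
# accepting either the public CVE id or the Red Hat tracker id that the
# changelog actually carries (here RHEL-70157 for the rsync info-leak fix).

# Print the changelog of an installed package.  "rpm -q --changelog" gives
# only the changelog; the extra -i in "rpm -qi --changelog" prepends the
# package header, which an automated check does not need.
get_changelog() {
    rpm -q --changelog "$1" 2>/dev/null
}

# changelog_match_id CHANGELOG_TEXT ID...
# Prints the first ID that appears as a whole token in the changelog text
# and returns 0; prints nothing and returns 1 if none does.
changelog_match_id() {
    text=$1
    shift
    for id in "$@"; do
        # -F: fixed string, -w: whole token, so RHEL-7015 does not match
        # RHEL-70157 and CVE-2024-1208 does not match CVE-2024-12085.
        if printf '%s\n' "$text" | grep -qwF -- "$id"; then
            printf '%s\n' "$id"
            return 0
        fi
    done
    return 1
}

# check_fix PACKAGE ID...
# Queries the installed package and reports which identifier proves the fix.
# Exit status: 0 fixed, 1 no matching entry, 2 package not installed.
check_fix() {
    pkg=$1
    shift
    log=$(get_changelog "$pkg") || { echo "$pkg: not installed"; return 2; }
    if hit=$(changelog_match_id "$log" "$@"); then
        echo "$pkg: fixed (changelog references $hit)"
        return 0
    fi
    echo "$pkg: no changelog entry for: $*"
    return 1
}

# Constructed sample: the two entries shown in the ticket, in the "* date"
# form that rpm prints.  Used so the functions can be exercised offline.
SAMPLE_CHANGELOG='* Fri Jan 03 2025 Michal Ruprich <mruprich@redhat.com> - 3.1.3-20
- Resolves: RHEL-70157 - Info Leak via Uninitialized Stack Contents
* Wed Nov 02 2022 Michal Ruprich <mruprich@redhat.com> - 3.1.3-19.1
- Resolves: #2139118 - rsync-daemon fail on 3.1.3'

# Offline demonstration: the CVE id is absent, the JIRA id is present,
# so the check succeeds on the tracker id alone.
changelog_match_id "$SAMPLE_CHANGELOG" CVE-2024-12085 RHEL-70157

# On a real RHEL 8 host:  check_fix rsync CVE-2024-12085 RHEL-70157
```

The check still depends on someone maintaining the CVE-to-JIRA mapping by hand, which is exactly the gap the customer is describing. Where the advisory metadata is available from the repository, `dnf updateinfo list --cve CVE-2024-12085` (`yum updateinfo list --cve ...` on older releases) is the complementary check that keys on the CVE id directly rather than on changelog text.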