In an unexpected and surprising move, contrary to what Red Hat has been saying lately to the community about CentOS Stream collaboration and rebuilders, Red Hat will reject patches to CVE issues, developed by downstream contributors, in CentOS Stream citing "no customer demand".
Link to CentOS Stream GitLab of the AlmaLinux CVE patch commit: https://gitlab.com/redhat/centos-stream/rpms/iperf3/-/merge_requests/5
Discussion going on Reddit: https://www.reddit.com/r/AlmaLinux/comments/1544w8b/red_hat_refuses_almas_cve_patches_to_centos/
This is what the initial response said:
> Thanks for the contribution. At this time we don't plan to address this in RHEL but we will keep it open for evaluation based on customer feedback.
Carl George followed up on /r/almalinux with this:
> The request is still open and has not been rejected. The CVE hasn't even gotten a severity rating yet. So maybe tap the brakes and see how it plays out. Just like in any other open source project, asking for contributions does not automatically guarantee that every contribution will be merged.
It is entirely possible that this will end up being merged within a week if it is judged a serious security issue, but until then it's just "a CVE that someone filed", which doesn't necessarily mean much.
Disclosure: I work for Red Hat.