forked from security/wiki
Merge pull request 'Add "Known-effective vulnerability mitigations and fixes"' (#3) from solardiz-patch-2 into main
Reviewed-on: security/wiki#3 Reviewed-by: Neil Hanlon <neil@noreply@resf.org>
This commit is contained in:
commit
35eb728336
@ -21,13 +21,18 @@ dnf install rocky-release-security
|
|||||||
|
|
||||||
### Override packages (currently only for EL9)
|
### Override packages (currently only for EL9)
|
||||||
|
|
||||||
- glibc (adds many security-hardening changes originating from Owl and ALT Linux on top of EL package, fixes [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1))
|
- glibc (adds many security-hardening changes originating from Owl and ALT Linux on top of EL package)
|
||||||
- openssh (fewer shared libraries exposed in sshd processes while otherwise fully matching EL package's functionality)
|
- openssh (fewer shared libraries exposed in sshd processes while otherwise fully matching EL package's functionality)
|
||||||
|
|
||||||
The changes are described in more detail in the package changelogs.
|
The changes are described in more detail in the package changelogs.
|
||||||
The inclusion of additional security fixes will be "reverted" if and when those get included in upstream EL packages that we rebase our changes on.
|
|
||||||
More packages/changes are planned, including override packages also for EL8.
|
More packages/changes are planned, including override packages also for EL8.
|
||||||
|
|
||||||
|
#### Known-effective vulnerability mitigations and fixes
|
||||||
|
|
||||||
|
`glibc-2.34-60.el9_2.security.0.2` (specifically the `.0.2` version!) includes mitigations sufficient to avoid security exposure of [CVE-2023-4911](https://www.openwall.com/lists/oss-security/2023/10/03/2) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL.
|
||||||
|
|
||||||
|
The inclusion of additional security fixes will be "reverted" if and when those get included in upstream EL packages that we rebase our changes on.
|
||||||
|
|
||||||
## Source code
|
## Source code
|
||||||
|
|
||||||
Just like for other Rocky Linux SIGs, the source trees for Security SIG packages are maintained in [per-package git repositories](https://git.rockylinux.org/sig/security/src). Each repository contains branches `r8` and/or `r9` corresponding to target EL version.
|
Just like for other Rocky Linux SIGs, the source trees for Security SIG packages are maintained in [per-package git repositories](https://git.rockylinux.org/sig/security/src). Each repository contains branches `r8` and/or `r9` corresponding to target EL version.
|
||||||
|
Loading…
Reference in New Issue
Block a user