From 51bbca3793ef5a4ac949adf560980c9aed9d4ed0 Mon Sep 17 00:00:00 2001 From: Solar Designer Date: Tue, 23 Apr 2024 15:21:32 +0200 Subject: [PATCH] issues/CVE-2024-2961.md: Add a mitigation --- docs/issues/CVE-2024-2961.md | 21 +++++++++++++++++++++ docs/news.md | 6 +++--- 2 files changed, 24 insertions(+), 3 deletions(-) diff --git a/docs/issues/CVE-2024-2961.md b/docs/issues/CVE-2024-2961.md index bda23b3..e6c3118 100644 --- a/docs/issues/CVE-2024-2961.md +++ b/docs/issues/CVE-2024-2961.md @@ -23,3 +23,24 @@ Fixed in version: `2.34-83.12.el9_3.security.0.5` available April 18, 2024 ## EL8 Affected. We will of course rebuild upstream's fix as soon as it arrives. + +## Mitigation + +Support for the ISO-2022-CN-EXT character set can be excluded from glibc's iconv(3) by editing `/usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf` to comment out the below 3 lines at line 1254 (same line number in EL9 and EL8) and then regenerating the cache file: + +``` +alias ISO2022CNEXT// ISO-2022-CN-EXT// +module ISO-2022-CN-EXT// INTERNAL ISO-2022-CN-EXT 1 +module INTERNAL ISO-2022-CN-EXT// ISO-2022-CN-EXT 1 +``` + +These two steps can be accomplished by running the below commands as root: + +``` +sed -i -r 's/^(.*ISO-2022-CN-EXT.*)$/#\1/' /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf +iconvconfig +``` + +To make sure this has worked as intended, we also recommend that you run `iconv -l | grep ISO-2022-CN-EXT` before and after the above procedure. It should list the ISO-2022-CN-EXT character set before the procedure, but produce empty output afterwards. + +Finally, if you have long-running processes for which the bug matters (such as PHP-FPM), you'll need to restart those. diff --git a/docs/news.md b/docs/news.md index 6da0060..474b67c 100644 --- a/docs/news.md +++ b/docs/news.md @@ -2,10 +2,10 @@ These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits. -## April 18, 2024 +## April 18-23, 2024 -Our hardened EL9 [glibc](packages/glibc.md) updated to include glibc upstream fix for [CVE-2024-2961](issues/CVE-2024-2961.md), -which we now have a status page on. +Our hardened EL9 [glibc](packages/glibc.md) updated to include glibc upstream fix for [CVE-2024-2961](issues/CVE-2024-2961.md). +On that CVE status page, we also provide a mitigation for both EL9 and EL8. The status page on [CVE-2024-1086](issues/CVE-2024-1086.md) has been updated to refer to EL8 fix and errata, suggest disabling network namespaces, explain remaining risks with LKRG.