Merge pull request 'issues/CVE-2024-2961.md: Add a mitigation' (#31) from solardiz-patch-29 into main

Reviewed-on: security/wiki#31
Reviewed-by: Neil Hanlon <neil@noreply@resf.org>
This commit is contained in:
Neil Hanlon 2024-04-23 13:31:02 +00:00
commit 41e67d41fa
2 changed files with 24 additions and 3 deletions

View File

@ -23,3 +23,24 @@ Fixed in version: `2.34-83.12.el9_3.security.0.5` available April 18, 2024
## EL8 ## EL8
Affected. We will of course rebuild upstream's fix as soon as it arrives. Affected. We will of course rebuild upstream's fix as soon as it arrives.
## Mitigation
Support for the ISO-2022-CN-EXT character set can be excluded from glibc's iconv(3) by editing `/usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf` to comment out the below 3 lines at line 1254 (same line number in EL9 and EL8) and then regenerating the cache file:
```
alias ISO2022CNEXT// ISO-2022-CN-EXT//
module ISO-2022-CN-EXT// INTERNAL ISO-2022-CN-EXT 1
module INTERNAL ISO-2022-CN-EXT// ISO-2022-CN-EXT 1
```
These two steps can be accomplished by running the below commands as root:
```
sed -i -r 's/^(.*ISO-2022-CN-EXT.*)$/#\1/' /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf
iconvconfig
```
To make sure this has worked as intended, we also recommend that you run `iconv -l | grep ISO-2022-CN-EXT` before and after the above procedure. It should list the ISO-2022-CN-EXT character set before the procedure, but produce empty output afterwards.
Finally, if you have long-running processes for which the bug matters (such as PHP-FPM), you'll need to restart those.

View File

@ -2,10 +2,10 @@
These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits. These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
## April 18, 2024 ## April 18-23, 2024
Our hardened EL9 [glibc](packages/glibc.md) updated to include glibc upstream fix for [CVE-2024-2961](issues/CVE-2024-2961.md), Our hardened EL9 [glibc](packages/glibc.md) updated to include glibc upstream fix for [CVE-2024-2961](issues/CVE-2024-2961.md).
which we now have a status page on. On that CVE status page, we also provide a mitigation for both EL9 and EL8.
The status page on [CVE-2024-1086](issues/CVE-2024-1086.md) has been updated to refer to EL8 fix and errata, suggest disabling network namespaces, explain remaining risks with LKRG. The status page on [CVE-2024-1086](issues/CVE-2024-1086.md) has been updated to refer to EL8 fix and errata, suggest disabling network namespaces, explain remaining risks with LKRG.