From 858a965314014cb3c3c81958784bb211bbb3051c Mon Sep 17 00:00:00 2001 From: Solar Designer Date: Sat, 25 Nov 2023 13:49:33 +0100 Subject: [PATCH 1/5] Update for new rocky-release-security --- docs/index.md | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/docs/index.md b/docs/index.md index dbb209d..d1740b6 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -18,22 +18,18 @@ dnf install rocky-release-security Download the release package containing our repository configuration file and package signing public key. Use the version that corresponds to the major version of your EL distro. -- [rocky-release-security-9](https://download.rockylinux.org/pub/rocky/9/extras/x86_64/os/Packages/r/rocky-release-security-9-2.el9.noarch.rpm) -- [rocky-release-security-8](https://download.rockylinux.org/pub/rocky/8/extras/x86_64/os/Packages/r/rocky-release-security-8-2.el8.noarch.rpm) +- [rocky-release-security-9](https://download.rockylinux.org/pub/rocky/9/extras/x86_64/os/Packages/r/rocky-release-security-9-3.el9.noarch.rpm) +- [rocky-release-security-8](https://download.rockylinux.org/pub/rocky/8/extras/x86_64/os/Packages/r/rocky-release-security-8-3.el8.noarch.rpm) Verify the package file's SHA-256 digest with `sha256sum`. The currently expected digests are: ``` -8daf0934c8b5cfce1f5c2dc53ea0118102940bf307c7cc8863ab718696863da6 rocky-release-security-9-2.el9.noarch.rpm -15aebef7257d4ff3c59a3b4e45acf8fae9894a10ddd2c924dfd521033337e96c rocky-release-security-8-2.el8.noarch.rpm +0d0cfcb16379b4c374b45a7a4ec86894f5bbdd977103cc5544be0f6fc2581a2a rocky-release-security-9-3.el9.noarch.rpm +8dc7912f0ab55dff4cb2b1dc9262c22aa89d911cdb680d33213737597d865006 rocky-release-security-8-3.el8.noarch.rpm ``` This isn't as secure as checking the package signature would be _if_ you previously had our package signing public key, but on another distro you probably don't have that yet, so checking the digest against its copy obtained from this separate website is a best-effort measure. -Install the package with `rpm -U --nodeps`. The `--nodeps` option is needed to bypass the dependency check on our `rocky-release` package. In essense, you're manually confirming to `rpm` that you're installing on a compatible distro. - -You'll normally install packages from the mirrors, which should just work. 
However, if there's any issue with the mirrors and you uncomment our `baseurl` line instead, then on non-Rocky you'll need to use `DNF_VAR_sigcontentdir=/pub/sig dnf` in place of simply `dnf`. - ## Packages ### Extra packages (for EL8 and EL9) From 1e8dfe97bc8f1d60e97d3d3bea1259806c74bc7f Mon Sep 17 00:00:00 2001 From: Solar Designer Date: Sat, 25 Nov 2023 13:53:01 +0100 Subject: [PATCH 2/5] openssh-8.7p1-34.el9_3.security.0.1 --- docs/packages/openssh.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/packages/openssh.md b/docs/packages/openssh.md index 33f5c30..1590e80 100644 --- a/docs/packages/openssh.md +++ b/docs/packages/openssh.md @@ -2,8 +2,8 @@ ## EL9 -- Version `8.7p1-30.el9_2.security.0.2` -- Based on `8.7p1-30.el9_2` +- Version `8.7p1-34.el9_3.security.0.1` +- Based on `8.7p1-34.el9` ### Changes summary @@ -12,6 +12,9 @@ ### Change log ``` +* Wed Nov 22 2023 Solar Designer 8.7p1-34.el9_3.security.0.1 +- Rebase 8.7p1-30.el9.security.0.2 on 8.7p1-34 + * Sat Oct 07 2023 Solar Designer 8.7p1-30.el9.security.0.2 - Load libsystemd.so.0, not libsystemd.so, as the latter is only provided by systemd-devel From c89ea05f8355ad11cc2e2eb8cb23b2acc018d76a Mon Sep 17 00:00:00 2001 From: Solar Designer Date: Sat, 25 Nov 2023 14:01:32 +0100 Subject: [PATCH 3/5] glibc-2.34-83.7.el9_3.security.0.3 --- docs/packages/glibc.md | 33 ++++++++++----------------------- 1 file changed, 10 insertions(+), 23 deletions(-) diff --git a/docs/packages/glibc.md b/docs/packages/glibc.md index 78c1f77..5c15c8e 100644 --- a/docs/packages/glibc.md +++ b/docs/packages/glibc.md @@ -2,8 +2,8 @@ ## EL9 -- Version `2.34-60.7.el9_2.security.0.3` -- Based on `2.34-60.el9_2.7` +- Version `2.34-83.7.el9_3.security.0.3` +- Based on `2.34-83.el9.7` ### Changes summary 
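Review bot: Removing the `rpm -U --nodeps` paragraph and the `DNF_VAR_sigcontentdir` note in the docs/index.md hunk leaves the page with no install step after the digest check: a non-Rocky reader downloads the RPM, verifies the SHA-256 digest, and is then dropped straight into "## Packages". If the -3 release no longer needs `--nodeps` (that is, it no longer depends on `rocky-release`) and no longer needs the `sigcontentdir` override on non-Rocky, say so in one sentence and keep a plain install command such as "Install the package with `rpm -U`."; otherwise restore the removed instruction. The commit message "Update for new rocky-release-security" should also state that these requirements went away, since that is the substantive change in this hunk, not the digest bump.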
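Review bot: The new change log entry in the second docs/packages/openssh.md hunk (`- Rebase 8.7p1-30.el9.security.0.2 on 8.7p1-34`) records only that a rebase happened; the `.0.2` entry visible directly below it documents a concrete behavioural change (loading `libsystemd.so.0` rather than `libsystemd.so`), and a reader cannot tell from this hunk whether that change is carried forward or what upstream 8.7p1-34 brings relative to -30. Suggest extending the entry, e.g. `- Rebase 8.7p1-30.el9.security.0.2 on 8.7p1-34 (keeps the libsystemd.so.0 change)`, and, in the first hunk, adding a pointer to the upstream EL 9.3 openssh change log next to "Based on `8.7p1-34.el9`" so the page stays self-contained for someone auditing `8.7p1-34.el9_3.security.0.1`.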
@@ -16,36 +16,23 @@ #### Known-effective vulnerability mitigations and fixes -`2.34-60.el9_2.security.0.2` included mitigations sufficient to avoid security exposure of [CVE-2023-4911](../issues/CVE-2023-4911.md) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL. In the update to `2.34-60.7.el9_2.security.0.3`, we retained the mitigations while rebasing on upstream EL's package with upstream fixes for these vulnerabilities (and more). +`2.34-60.el9_2.security.0.2` included mitigations sufficient to avoid security exposure of [CVE-2023-4911](../issues/CVE-2023-4911.md) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL. In the update to `2.34-60.7.el9_2.security.0.3` and beyond, we retained the mitigations while rebasing on upstream EL's package with upstream fixes for these vulnerabilities (and more). In general, inclusion of additional security fixes will be "reverted" if and when those get included in upstream EL packages that we rebase our changes on. ### Change log ``` +* Wed Nov 22 2023 Solar Designer - 2.34-83.7.el9.security.0.3 +- Rebase on 2.34-83.7, drop "our" CVE-2023-4527 patch in favor of RH's + (a similar rebase was made on Oct 6 in 2.34-60.7.el9.security.0.3 for 9.2) + +[... upstream changes ...] 
+ * Fri Oct 6 2023 Solar Designer - 2.34-60.7.el9.security.0.3 - Rebase on 2.34-60.7, drop "our" CVE-2023-4527 patch in favor of RH's -* Mon Sep 25 2023 Florian Weimer - 2.34-60.7 -- Fix memory leak regression in getaddrinfo (RHEL-2425) - -* Tue Sep 19 2023 Carlos O'Donell - 2.34-60.6 -- CVE-2023-4911 glibc: buffer overflow in ld.so leading to privilege escalation (RHEL-2999) - -* Tue Sep 19 2023 Carlos O'Donell - 2.34-60.5 -- Revert: Always call destructors in reverse constructor order (RHEL-3385) - -* Mon Sep 18 2023 Siddhesh Poyarekar - 2.34-60.4 -- CVE-2023-4806 glibc: potential use-after-free in getaddrinfo (RHEL-2425) - -* Fri Sep 15 2023 Siddhesh Poyarekar - 2.34-60.3 -- CVE-2023-4813: potential use-after-free in gaih_inet (RHEL-2437) - -* Fri Sep 15 2023 Carlos O'Donell - 2.34-60.2 -- CVE-2023-4527: Stack read overflow in getaddrinfo in no-aaaa mode (#2234715) - -* Wed Sep 13 2023 Florian Weimer - 2.34-60.1 -- Always call destructors in reverse constructor order (RHEL-3385) +[... upstream changes ...] * Mon Oct 2 2023 Solar Designer - 2.34-60.el9.security.0.2 - Add glibc-owl-alt-sanitize-env.patch stitched from several ALT Linux commits From 45cd03115f5b06a75e22108042276a0717d42014 Mon Sep 17 00:00:00 2001 From: Solar Designer Date: Sat, 25 Nov 2023 14:08:18 +0100 Subject: [PATCH 4/5] LKRG rebuild for 9.3 and 8.9 --- docs/packages/lkrg.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/docs/packages/lkrg.md b/docs/packages/lkrg.md index d6774b0..7fc26e5 100644 --- a/docs/packages/lkrg.md +++ b/docs/packages/lkrg.md @@ -1,8 +1,13 @@ # Extra package: lkrg -## EL8 and EL9 +## EL9 -- Version `lkrg-0.9.7-4.el9_2.security` +- Version `0.9.7-4.el9_3.security` +- Based on upstream version `0.9.7` + +## EL8 + +- Version `0.9.7-4.el8_9.security` - Based on upstream version `0.9.7` ### Package summary 
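Review bot: In the docs/packages/glibc.md change log hunk, the seven upstream entries are replaced with `[... upstream changes ...]`, and those entries were the only place on the page that named the upstream fixes for CVE-2023-4806, CVE-2023-4813, CVE-2023-4911 and CVE-2023-4527 with their RHEL/Bugzilla references; the prose above only says "upstream fixes for these vulnerabilities (and more)". A reader auditing what `2.34-83.7.el9_3.security.0.3` contains therefore loses that record. Keep the CVE-bearing upstream entries, or list the CVE ids with their references under "Known-effective vulnerability mitigations and fixes" and link the upstream EL change log in place of the elision marker. The marker also appears twice in the new text; if the intent is to show only the project's own entries, one sentence saying so above the fenced block reads better than two bracketed placeholders inside it.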
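Review bot: The first docs/packages/lkrg.md hunk now lists only the `0.9.7-4.el9_3.security` and `0.9.7-4.el8_9.security` builds, while the "Usage in Rocky Linux" paragraph (context in the following hunk) states that a binary build only works within one EL minor release and that a new build is provided per minor release. Users still on 9.2 or 8.8 lose the reference to the `el9_2` build that the removed line documented, and nothing tells them which build to use. Consider keeping a line for the previous minor releases, or stating that 9.2/8.8 users should stay on the earlier build until they upgrade.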
@@ -13,7 +18,7 @@ More information is available on the [LKRG homepage](https://lkrg.org) and in th ### Usage in Rocky Linux -Due to EL's kABI stability and the `weak-modules` mechanism, which this package uses, the same binary package of LKRG works across different kernel revisions/builds within the same EL minor release (e.g., 9.2). Once there's a new minor release (e.g., 9.2 is upgraded to 9.3), we'll provide a new build of LKRG accordingly. +Due to EL's kABI stability and the `weak-modules` mechanism, which this package uses, the same binary package of LKRG works across different kernel revisions/builds within the same EL minor release (e.g., 9.3). Once there's a new minor release (e.g., 9.3 is upgraded to 9.4), we'll provide a new build of LKRG accordingly. Installing the package does not automatically start LKRG nor enable it to start on system bootup. To start LKRG please use: @@ -29,10 +34,12 @@ systemctl enable lkrg ### Testing and recovery -Although the current package passed our own testing (on 8.8 and 9.2), we recommend that you only enable LKRG to start on system bootup after you've tested it for a while to ensure its compatibility with your system. If you nevertheless run into a boot time issue with LKRG later, you can disable it with the `nolkrg` kernel command-line option. +Although the current package passed our own testing (on 9.3 and 8.9), we recommend that you only enable LKRG to start on system bootup after you've tested it for a while to ensure its compatibility with your system. If you nevertheless run into a boot time issue with LKRG later, you can disable it with the `nolkrg` kernel command-line option. ### Change log +The 0.9.7-4 source package was originally built for (and tested on) 9.2 and 8.8, then rebuilt without source level changes for 9.3 and 8.9 (and re-tested on those versions). + ``` * Wed Nov 08 2023 Solar Designer 0.9.7-4 - Add a couple of upstream patches, most notably to fix kINT false positives on 
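Review bot: The sentence added in the last docs/packages/lkrg.md hunk ("The 0.9.7-4 source package was originally built for (and tested on) 9.2 and 8.8, then rebuilt without source level changes for 9.3 and 8.9") is the only thing on the page that distinguishes the `el9_3`/`el8_9` builds from the earlier ones, since the `0.9.7-4` change log entry below it is unchanged, which is fine for a no-change rebuild. It sits under "### Change log" but is not part of the log; it belongs with the kABI/minor-release paragraph in "Usage in Rocky Linux", which is where the per-minor-release rebuild policy is explained and where a reader on 9.3 will look first. Moving it there keeps the change log section as the log only.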
From 7afadb07a75f363ca01f83af750464470cbc1dd2 Mon Sep 17 00:00:00 2001 From: Solar Designer Date: Sat, 25 Nov 2023 14:15:40 +0100 Subject: [PATCH 5/5] Document libpasswdqc-devel --- docs/packages/passwdqc.md | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/docs/packages/passwdqc.md b/docs/packages/passwdqc.md index ab5e7c6..cf59218 100644 --- a/docs/packages/passwdqc.md +++ b/docs/packages/passwdqc.md @@ -1,10 +1,15 @@ # Extra package: passwdqc -## EL8 and EL9 +## EL9 - Version `2.0.3-2.el9_2.security` - Based on upstream version `2.0.3-2` as packaged in Fedora +## EL8 + +- Version `2.0.3-2.el8.security` +- Based on upstream version `2.0.3-2` as packaged in Fedora + ### Package summary `passwdqc` is a password/passphrase strength checking and policy enforcement toolset, including a PAM module (`pam_passwdqc`), command-line programs (`pwqcheck`, `pwqfilter`, and `pwqgen`), and a library (`libpasswdqc`). @@ -13,7 +18,7 @@ More information is available on the [passwdqc homepage](https://www.openwall.co ### Usage in Rocky Linux -There are 4 sub-packages: +There are 5 sub-packages: #### pam_passwdqc @@ -31,6 +36,10 @@ The `pwqfilter` program searches, creates, or updates binary passphrase filter f `libpasswdqc` is the underlying library, which may also be used from third-party programs. +#### libpasswdqc-devel + +This package contains development files needed for building passwdqc-aware applications, as well as documentation (man pages) for developing such applications. + #### passwdqc -`passwdqc` is a meta sub-package that installs (via dependencies) all 3 actual sub-packages above. +`passwdqc` is a meta sub-package that installs (via dependencies) the actual sub-packages above, except for `libpasswdqc-devel`.
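Review bot: The first docs/packages/passwdqc.md hunk splits "EL8 and EL9" into separate sections with different versions (`2.0.3-2.el9_2.security` and `2.0.3-2.el8.security`), which is a second, unrelated change not reflected in the commit subject "Document libpasswdqc-devel"; either mention it in the commit message or split it into its own commit. Within that hunk, the EL9 version stays at `el9_2` and the EL8 one has no minor-release tag at all, while the other pages in this series moved to `el9_3`/`el8_9`; if the passwdqc build is independent of the kernel and the `el9_2` build is meant to be used on 9.3 as well, say so in one sentence, because the lkrg page in the same series explains why its builds are per minor release and a reader will expect the same convention here.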