Updates for EL 9.5

This commit is contained in:
Solar Designer 2024-11-23 05:11:06 +01:00
parent f44a183786
commit 7dee1d1f4a
4 changed files with 20 additions and 15 deletions

View File

@ -2,6 +2,11 @@
These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits. These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
## November 23, 2024
[glibc](packages/glibc.md) and [openssh](packages/openssh.md) rebased on EL 9.5's,
[lkrg](packages/lkrg.md) (Linux Kernel Runtime Guard) rebuilt for EL 9.5.
## October 23, 2024 ## October 23, 2024
[lkrg](packages/lkrg.md) (Linux Kernel Runtime Guard) is updated to version 0.9.9, built for both EL 9.4 and 8.10. [lkrg](packages/lkrg.md) (Linux Kernel Runtime Guard) is updated to version 0.9.9, built for both EL 9.4 and 8.10.

View File

@ -2,8 +2,8 @@
## EL9 ## EL9
- Version `2.34-100.2.el9_4.security.0.9` - Version `2.34-125.1.el9_5.security.0.10`
- Based on `2.34-100.el9_4.2` - Based on `2.34-125.el9_5.1`
### Changes summary ### Changes summary
@ -17,9 +17,9 @@
#### Known-effective vulnerability mitigations and fixes #### Known-effective vulnerability mitigations and fixes
`2.34-83.12.el9_3.security.0.6` and above includes nscd CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 fixes from upstream glibc 2.34 branch, which upstream also included starting with `2.34-100.el9_4.2`. `2.34-83.12.el9_3.security.0.6` and above includes nscd CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 fixes from upstream glibc 2.34 branch, which upstream EL also included starting with `2.34-100.el9_4.2`.
`2.34-83.12.el9_3.security.0.5` and above includes `iconv(3)` ISO-2022-CN-EXT [CVE-2024-2961](../issues/CVE-2024-2961.md) fix from upstream glibc 2.34 branch, which upstream also included starting with `2.34-100.el9_4.2`. `2.34-83.12.el9_3.security.0.5` and above includes `iconv(3)` ISO-2022-CN-EXT [CVE-2024-2961](../issues/CVE-2024-2961.md) fix from upstream glibc 2.34 branch, which upstream EL also included starting with `2.34-100.el9_4.2`.
`2.34-60.el9_2.security.0.2` included mitigations sufficient to avoid security exposure of [CVE-2023-4911](../issues/CVE-2023-4911.md) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL. In the update to `2.34-60.7.el9_2.security.0.3` and beyond, we retained the mitigations while rebasing on upstream EL's package with upstream fixes for these vulnerabilities (and more). `2.34-60.el9_2.security.0.2` included mitigations sufficient to avoid security exposure of [CVE-2023-4911](../issues/CVE-2023-4911.md) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL. In the update to `2.34-60.7.el9_2.security.0.3` and beyond, we retained the mitigations while rebasing on upstream EL's package with upstream fixes for these vulnerabilities (and more).
@ -28,11 +28,12 @@ In general, inclusion of additional security fixes will be "reverted" if and whe
### Change log ### Change log
``` ```
* Thu Nov 21 2024 Solar Designer <solar@openwall.com> - 2.34-125.1.el9.security.0.10
- Rebase on 2.34-125.1
* Thu Jun 13 2024 Solar Designer <solar@openwall.com> - 2.34-100.2.el9.security.0.9 * Thu Jun 13 2024 Solar Designer <solar@openwall.com> - 2.34-100.2.el9.security.0.9
- Rebase on 2.34-100.2 - Rebase on 2.34-100.2
[... upstream changes ...]
* Mon May 20 2024 Solar Designer <solar@openwall.com> - 2.34-100.el9.security.0.8 * Mon May 20 2024 Solar Designer <solar@openwall.com> - 2.34-100.el9.security.0.8
- Rebase on 2.34-100 - Rebase on 2.34-100
@ -47,8 +48,6 @@ In general, inclusion of additional security fixes will be "reverted" if and whe
- Rebase on 2.34-83.12 - Rebase on 2.34-83.12
- Add iconv() ISO-2022-CN-EXT CVE-2024-2961 fix from upstream glibc 2.34 branch - Add iconv() ISO-2022-CN-EXT CVE-2024-2961 fix from upstream glibc 2.34 branch
[... upstream changes ...]
* Wed Jan 31 2024 Solar Designer <solar@openwall.com> - 2.34-83.7.el9.security.0.4 * Wed Jan 31 2024 Solar Designer <solar@openwall.com> - 2.34-83.7.el9.security.0.4
- Harden syslog ident fallback initialization to use at most 64 characters of - Harden syslog ident fallback initialization to use at most 64 characters of
__progname when __libc_enable_secure, as inspired by Qualys' discovery of __progname when __libc_enable_secure, as inspired by Qualys' discovery of
@ -61,8 +60,6 @@ In general, inclusion of additional security fixes will be "reverted" if and whe
- Rebase on 2.34-83.7, drop "our" CVE-2023-4527 patch in favor of RH's - Rebase on 2.34-83.7, drop "our" CVE-2023-4527 patch in favor of RH's
(a similar rebase was made on Oct 6 in 2.34-60.7.el9.security.0.3 for 9.2) (a similar rebase was made on Oct 6 in 2.34-60.7.el9.security.0.3 for 9.2)
[... upstream changes ...]
* Mon Oct 2 2023 Solar Designer <solar@openwall.com> - 2.34-60.el9.security.0.2 * Mon Oct 2 2023 Solar Designer <solar@openwall.com> - 2.34-60.el9.security.0.2
- Add glibc-owl-alt-sanitize-env.patch stitched from several ALT Linux commits - Add glibc-owl-alt-sanitize-env.patch stitched from several ALT Linux commits
as none of their revisions matched this package's set of backports as-is as none of their revisions matched this package's set of backports as-is

View File

@ -2,7 +2,7 @@
## EL9 ## EL9
- Version `0.9.9-1.el9_4.security` - Version `0.9.9-1.el9_5.security`
- Based on upstream version `0.9.9` - Based on upstream version `0.9.9`
## EL8 ## EL8
@ -18,7 +18,7 @@ More information is available on the [LKRG homepage](https://lkrg.org) and in th
### Usage in Rocky Linux ### Usage in Rocky Linux
Due to EL's kABI stability and the `weak-modules` mechanism, which this package uses, the same binary package of LKRG usually works across different kernel revisions/builds within the same EL minor release (e.g., 9.4). Once there's a new minor release (e.g., 9.4 is upgraded to 9.5), we'll provide a new build of LKRG accordingly. Due to EL's kABI stability and the `weak-modules` mechanism, which this package uses, the same binary package of LKRG usually works across different kernel revisions/builds within the same EL minor release (e.g., 9.5). Once there's a new minor release (e.g., 9.5 is upgraded to 9.6), we'll provide a new build of LKRG accordingly.
Installing the package does not automatically start LKRG nor enable it to start on system bootup. To start LKRG please use: Installing the package does not automatically start LKRG nor enable it to start on system bootup. To start LKRG please use:
@ -34,7 +34,7 @@ systemctl enable lkrg
### Testing and recovery ### Testing and recovery
Although the current package passed our own testing (on 9.4 and 8.10), we recommend that you only enable LKRG to start on system bootup after you've tested it for a while to ensure its compatibility with your system. If you nevertheless run into a boot time issue with LKRG later, you can disable it with the `nolkrg` kernel command-line option. Although the current package passed our own testing (on 9.5 and 8.10), we recommend that you only enable LKRG to start on system bootup after you've tested it for a while to ensure its compatibility with your system. If you nevertheless run into a boot time issue with LKRG later, you can disable it with the `nolkrg` kernel command-line option.
### Remote logging ### Remote logging

View File

@ -2,8 +2,8 @@
## EL9 ## EL9
- Version `8.7p1-38.4.el9_4.security.0.9` - Version `8.7p1-43.el9_5.security.0.10`
- Based on `8.7p1-38.el9_4.4` - Based on `8.7p1-43.el9`
### Changes summary ### Changes summary
@ -14,6 +14,9 @@
### Change log ### Change log
``` ```
* Thu Nov 21 2024 Solar Designer <solar@openwall.com> 8.7p1-43.el9_5.security.0.10
- Rebase on 8.7p1-43
* Wed Jul 17 2024 Solar Designer <solar@openwall.com> 8.7p1-38.4.el9_4.security.0.9 * Wed Jul 17 2024 Solar Designer <solar@openwall.com> 8.7p1-38.4.el9_4.security.0.9
- Patch the code to silently ignore GSSAPIKeyExchange when unsupported - Patch the code to silently ignore GSSAPIKeyExchange when unsupported