Merge pull request 'Add microcode_ctl for EL8' (#14) from solardiz-patch-12 into main

Reviewed-on: security/wiki#14
Reviewed-by: Neil Hanlon <neil@noreply@resf.org>
Neil Hanlon 2023-11-16 23:31:32 +00:00
commit d719891f5d
3 changed files with 20 additions and 6 deletions

@ -45,10 +45,13 @@ You'll normally install packages from the mirrors, which should just work. Howev
- [hardened_malloc](packages/hardened_malloc.md) (Security-focused memory allocator providing the malloc API, and a script to preload it into existing program binaries)
### Override packages (for EL8 and EL9)
- [microcode_ctl](packages/microcode_ctl.md) (updates Intel CPU microcode to microcode-20231114, which fixes [CVE-2023-23583](issues/CVE-2023-23583.md))
### Override packages (currently only for EL9)
- [glibc](packages/glibc.md) (adds many security-hardening changes originating from Owl and ALT Linux on top of EL package)
- [microcode_ctl](packages/microcode_ctl.md) (updates Intel CPU microcode to microcode-20231114, which fixes [CVE-2023-23583](issues/CVE-2023-23583.md))
- [openssh](packages/openssh.md) (fewer shared libraries exposed in sshd processes while otherwise fully matching EL package's functionality)
The changes are described in more detail on the per-package wiki pages linked above, as well as in the package changelogs.
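
Review bot: the microcode_ctl entry under the new "Override packages (for EL8 and EL9)" heading still says it "updates Intel CPU microcode to microcode-20231114", which the package page changed in this same commit supports only for EL9. The EL8 package there is `4:20230808-2.20231009.1.el8.security`, described as a rebuild of the 8.9 package using the fixed microcode revision provided to distros privately. Suggest the release-neutral wording that the package page's changes summary now uses: "updates Intel CPU microcode to fix CVE-2023-23583".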

@ -24,8 +24,8 @@ Public disclosure date: November 14, 2023
- Fixed in version: `4:20231114-1.el9_2.security` available November 15, 2023
Please refer to our [override package of microcode_ctl](../packages/microcode_ctl.md).
## EL8
- Not fixed yet, will fix.
- Fixed in version `4:20230808-2.20231009.1.el8.security` available November 16, 2023
Please refer to our [override package of microcode_ctl](../packages/microcode_ctl.md).
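
Review bot: the new EL8 line gives a fixed version whose date-like components (20230808, 20231009) precede the "Public disclosure date: November 14, 2023" shown in the hunk header, and nothing on this issue page says why that version contains the fix. Suggest adding a short clause, as the package page does, that this build carries the fixed microcode revision provided to distros privately ahead of the coordinated disclosure, so readers comparing version strings do not conclude that EL8 is still exposed. Minor style point: the EL9 entry reads "Fixed in version:" with a colon and the new EL8 entry omits it.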

@ -3,14 +3,25 @@
## EL9
- Version `4:20231114-1.el9_2.security`
- Based on `4:20230808-2`
- Based on `4:20230808-2.el9`
This is our custom revision of a post-9.2 EL9 package. We use Intel's latest released microcode.
## EL8
- Version `4:20230808-2.20231009.1.el8.security`
- Based on `4:20230808-2.20231009.1.el8`
This is a rebuild of the 8.9 package as-is to make it available for 8.8. It uses Intel's fixed microcode revision that was provided to distros privately in preparation for the coordinated disclosure.
### Changes summary
- Update Intel CPU microcode to microcode-20231114 (fixes [CVE-2023-23583](../issues/CVE-2023-23583.md)), temporarily dropping most documentation patches
- Update Intel CPU microcode to fix [CVE-2023-23583](../issues/CVE-2023-23583.md), temporarily dropping most documentation patches
### Change log
For EL9:
```
* Tue Nov 14 2023 Solar Designer <solar@openwall.com> - 4:20231114-1
- Update Intel CPU microcode to microcode-20231114 (fixes CVE-2023-23583),
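
Review bot: the reworded changes summary keeps "temporarily dropping most documentation patches", but the EL8 text added just above describes that package as "a rebuild of the 8.9 package as-is", so this clause appears to apply to EL9 only. With the EL8 section inserted before it, "### Changes summary" now also nests under "## EL8" and no longer says which release it covers. Suggest either splitting the summary per release or labelling it the way the change log is now labelled with "For EL9:".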