# News

These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.

## November 23, 2024

[glibc](packages/glibc.md) and [openssh](packages/openssh.md) rebased on EL 9.5's, and [lkrg](packages/lkrg.md) (Linux Kernel Runtime Guard) rebuilt for EL 9.5.

## October 23, 2024

[lkrg](packages/lkrg.md) (Linux Kernel Runtime Guard) is updated to version 0.9.9, built for both EL 9.4 and 8.10.

## August 7, 2024

[openssh](packages/openssh.md) `8.7p1-38.4.el9_4.security.0.9` for EL9 is a rebase on RH's release with a [CVE-2024-6409](issues/CVE-2024-6409.md) fix, plus a further change of our own to suppress warnings about unsupported GSSAPI on systems configured for the FIPS crypto-policy.

## July 8, 2024

[openssh](packages/openssh.md) `8.7p1-38.1.el9_4.security.0.7` for EL9 adds a fix for [CVE-2024-6409](issues/CVE-2024-6409.md), an EL9-specific issue similar to [CVE-2024-6387 regreSSHion](issues/CVE-2024-6387.md).

## July 1, 2024

[openssh](packages/openssh.md) `8.7p1-38.el9_4.security.0.5` for EL9 adds a fix for [CVE-2024-6387 regreSSHion](issues/CVE-2024-6387.md). EL8 is unaffected.

## June 13, 2024

[glibc](packages/glibc.md) `2.34-100.2.el9_4.security.0.9` is a rebase on `2.34-100.el9_4.2`, where we switch to RH's backport of the iconv and nscd security fixes.

## June 1, 2024

[lkrg](packages/lkrg.md) `0.9.8-2.el8_10.security` is a rebuild of Linux Kernel Runtime Guard for EL 8.10, which wasn't strictly necessary this time, as our build for 8.9 also kept working on 8.10 as-is.

## May 22, 2024

[lkrg](packages/lkrg.md) `0.9.8-2.el9_4.security` is a rebuild of Linux Kernel Runtime Guard for EL 9.4.

## May 20, 2024

[glibc](packages/glibc.md) `2.34-100.el9_4.security.0.8` contains all of our changes so far rebased on top of 9.4's `2.34-100`, which was still missing the iconv and nscd security fixes, so our addition of those is still relevant.

[openssh](packages/openssh.md) rebased on 9.4's `8.7p1-38`.

The status page on [CVE-2024-1086](issues/CVE-2024-1086.md) has been updated to refer to the EL9 fix.

## April 30, 2024

Unreleased [glibc](packages/glibc.md) `2.34-83.12.el9_3.security.0.6` includes the nscd CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 fixes from the upstream glibc 2.34 branch.

This update ended up unreleased because we refocused on 9.4.

## April 18-23, 2024

Our hardened EL9 [glibc](packages/glibc.md) updated to include the glibc upstream fix for [CVE-2024-2961](issues/CVE-2024-2961.md). On that CVE status page, we also provide a mitigation for both EL9 and EL8.

The status page on [CVE-2024-1086](issues/CVE-2024-1086.md) has been updated to refer to the EL8 fix and errata, suggest disabling network namespaces, and explain the remaining risks with LKRG.

## March 28, 2024

We've just set up a status page on [CVE-2024-1086](issues/CVE-2024-1086.md), currently listing two mitigations for this Linux kernel vulnerability.

## March 11 to 16, 2024

[openssh](packages/openssh.md) rebased on upstream EL 8.7p1-34.3 with fixes for CVE-2023-48795 (Terrapin attack) and CVE-2023-51385, now building it without Kerberos support (which further shortens the `ldd sshd` output from 20 to 13 lines, down from 28 lines in upstream EL).

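To check the reduced linkage on your own system, here is an added example script (not part of the SIG/Security wiki or its openssh package) that parses `ldd` output the way the line counts above do, counts the shared objects and reports whether any Kerberos/GSSAPI libraries are among them. The default path `/usr/sbin/sshd` and the MIT Kerberos library-name pattern are assumptions, and the two sample listings are constructed, not captured from any EL build.

```shell
#!/bin/sh
# Added example, not part of the SIG/Security wiki or packages: inspect the
# shared objects an sshd binary links against and flag Kerberos/GSSAPI linkage.
# Assumptions: sshd lives at /usr/sbin/sshd (EL default) and MIT Kerberos ships
# as libkrb5, libgssapi_krb5, libk5crypto and libkrb5support.

# Count the shared-object lines in ldd output read from stdin.
# ldd prints one line per object; blank lines are ignored.
count_deps() {
    grep -c . || true
}

# Print "yes" if the ldd output on stdin names a Kerberos/GSSAPI library, else "no".
has_krb5() {
    if grep -qE 'lib(krb5|gssapi_krb5|k5crypto|krb5support)\.so'; then
        echo yes
    else
        echo no
    fi
}

# One-line summary of the ldd output on stdin, labelled with $1.
summarise() {
    listing=$(cat)
    printf '%s: %s shared objects, Kerberos/GSSAPI linked: %s\n' "$1" \
        "$(printf '%s\n' "$listing" | count_deps)" \
        "$(printf '%s\n' "$listing" | has_krb5)"
}

# Run ldd on a real binary and summarise it.
audit_sshd() {
    bin="${1:-/usr/sbin/sshd}"
    if [ ! -f "$bin" ]; then
        echo "$bin: not found" >&2
        return 1
    fi
    ldd "$bin" | summarise "$bin"
}

# Constructed sample listings (not real output from any EL package): a build
# with GSSAPI support, and a trimmed build like the one described above.
SAMPLE_KRB5='    linux-vdso.so.1 (0x00007ffd6f3d9000)
    libpam.so.0 => /lib64/libpam.so.0 (0x00007f2b3c2f5000)
    libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f2b3c2a1000)
    libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f2b3c1c6000)
    libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f2b3bd00000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f2b3b800000)'
SAMPLE_NOKRB5='    linux-vdso.so.1 (0x00007ffd6f3d9000)
    libpam.so.0 => /lib64/libpam.so.0 (0x00007f2b3c2f5000)
    libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f2b3bd00000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f2b3b800000)'

# Stand-alone: summarise the constructed samples, then the real sshd when a
# path is given, e.g. `sh sshd-linkage.sh /usr/sbin/sshd`.
printf '%s\n' "$SAMPLE_KRB5" | summarise "constructed GSSAPI build"
printf '%s\n' "$SAMPLE_NOKRB5" | summarise "constructed build without Kerberos"
if [ "$#" -gt 0 ]; then
    audit_sshd "$1"
fi
```

The count includes the `linux-vdso.so.1` line, as the page's own `ldd sshd` line counts do, so the numbers are directly comparable. A "yes" from `has_krb5` on a binary from the SIG's openssh package would mean you are not actually running the Kerberos-free build.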
## February 28, 2024

[lkrg](packages/lkrg.md) updated to version 0.9.8, which adds a remote kernel message logging capability.

## January 31, 2024

Further EL9 [glibc](packages/glibc.md) security hardening in response to the [recent](https://www.openwall.com/lists/oss-security/2024/01/30/6) [findings](https://www.openwall.com/lists/oss-security/2024/01/30/7) by Qualys.

## January 3, 2024

[control](packages/control.md) `0.8.0-7` can now manage two SUID root PAM helper programs, `unix_chkpwd` and `pam_timestamp_check`.

## December 27, 2023

[control](packages/control.md) `0.8.0-5` can now manage the user password hashing scheme and the password policy in use by PAM-aware programs.

## December 18, 2023

This SIG/Security News wiki page has been created, retroactively identifying and listing selected news items so far.

[control](packages/control.md) `0.8.0-4` can now manage 3 privileged programs from `util-linux` (and `util-linux-core`): `mount` and `umount` (one "facility" for both), and `write`. Its wiki page has been reworked.

## December 14, 2023

[control](packages/control.md) wiki page added, documenting the new package.

`control` provides a common interface to register and control (what it calls) system facilities. This is intended primarily for facilities that can potentially be dangerous to system security, letting you enable, disable, or configure each facility. A typical facility is a SUID/SGID/setcap program or a configuration setting of a service.

Included initially are facility specifications corresponding to the `shadow-utils` package. Currently, these let `control` manage access to 5 privileged programs: 3 of them (`chage`, `gpasswd`, and `newgrp`) are SUID root by default, and 2 (`newuidmap` and `newgidmap`) are `cap_setuid=ep`.

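The `control` entries above (December 14 and 18, 2023 and January 3, 2024) all concern the same kind of facility: SUID/SGID programs and programs carrying file capabilities. As an added example, not part of the SIG/Security wiki or of the `control` package itself, here is a script that enumerates such programs under a directory tree and marks the ones this page lists as manageable by `control`. It assumes GNU `find` and `stat` as found on EL, and `getcap` from libcap for the capability pass; the list of managed program names is taken from this page and is only used to label the findings.

```shell
#!/bin/sh
# Added example, not part of the SIG/Security wiki or of the control package:
# enumerate SUID/SGID programs and programs with file capabilities under a
# directory tree, and mark the ones the news items on this page say control
# can manage. Assumes GNU find/stat (EL) and getcap from libcap.

# Program names taken from the control entries on this page.
CONTROL_MANAGED="chage gpasswd newgrp newuidmap newgidmap mount umount write unix_chkpwd pam_timestamp_check"

# Print "<octal mode> <path>" for every regular file under $1 with the
# SUID or SGID bit set, without crossing filesystem boundaries.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %n' {} + 2>/dev/null
}

# Print getcap's "<path> <caps>" lines for files under $1, if getcap exists.
find_filecaps() {
    if command -v getcap >/dev/null 2>&1; then
        getcap -r "$1" 2>/dev/null
    fi
}

# "yes" if $1 is one of the programs control can manage (per this page), else "no".
is_control_managed() {
    case " $CONTROL_MANAGED " in
        *" $1 "*) echo yes ;;
        *)        echo no ;;
    esac
}

# Human-readable report: SUID/SGID programs first, then file capabilities.
report_privileged() {
    echo "== SUID/SGID under $1 =="
    find_setid "$1" | while read -r mode path; do
        printf '%s %s (control: %s)\n' "$mode" "$path" \
            "$(is_control_managed "$(basename "$path")")"
    done
    echo "== file capabilities under $1 =="
    find_filecaps "$1" | while read -r path caps; do
        printf '%s %s (control: %s)\n' "$path" "$caps" \
            "$(is_control_managed "$(basename "$path")")"
    done
}

# Stand-alone: `sh privileged-programs.sh /usr` (scanning / also works but
# takes longer). Without an argument, print usage and do nothing.
if [ "$#" -gt 0 ]; then
    report_privileged "$1"
else
    echo "usage: $0 DIRECTORY" >&2
fi
```

Anything reported with `control: no` is a privileged program that `control` (at the versions described on this page) does not yet know about, so it has to be handled by other means, such as removing the bit with `chmod u-s` or restricting who can execute it. Running the script before and after installing `control` and disabling a facility also confirms that the facility's bit or capability is really gone.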
## November 25, 2023

Everything we had so far has been updated for EL 9.3 and 8.9, including our hardened EL9 [glibc](packages/glibc.md) and [openssh](packages/openssh.md) packages rebased on 9.3's and [lkrg](packages/lkrg.md) rebuilt for 9.3's and 8.9's kernels, along with re-testing and wiki edits.

The `rocky-release-security` package containing our repository configuration has been made (a while earlier) easier to use on EL distros other than Rocky Linux, and we've now updated the wiki accordingly.

## November 16 to 19, 2023

[microcode_ctl](packages/microcode_ctl.md) also for EL8, providing 8.9's Intel CPU microcode to fix [CVE-2023-23583](issues/CVE-2023-23583.md) a few days before general availability of our own 8.9 release as a whole.

## November 16, 2023

Wiki pages [lkrg](packages/lkrg.md) and [passwdqc](packages/passwdqc.md) have been created. We had these extra packages for a while, but previously only had wiki pages for override packages (referring solely to upstream homepages for the extra packages).

## November 15, 2023

We've started maintaining wiki pages for selected high profile security issues, initially for glibc [CVE-2023-4911](issues/CVE-2023-4911.md) and Intel CPU microcode [CVE-2023-23583](issues/CVE-2023-23583.md).

[microcode_ctl](packages/microcode_ctl.md) for EL9, providing the latest Intel CPU microcode to fix [CVE-2023-23583](issues/CVE-2023-23583.md) ahead of availability of a rebuilt new upstream package.

## October 31 to November 15, 2023

[hardened_malloc](packages/hardened_malloc.md) package - a security-focused memory allocator providing the `malloc(3)` API, and a script to preload it into existing program binaries, documented on the wiki.

## October 13, 2023

We've started maintaining per-package wiki pages, initially for the override packages of [glibc](packages/glibc.md) and [openssh](packages/openssh.md).

We've added instructions for installation of Rocky Linux SIG/Security repository on other EL distros (non-Rocky).

## October 3, 2023

Initial wiki content documenting what we had so far, which included override packages of [glibc](packages/glibc.md) and [openssh](packages/openssh.md) and extra packages of [lkrg](packages/lkrg.md) and [passwdqc](packages/passwdqc.md) (even though these per-package wiki pages did not exist yet, so we instead had summaries and external links on the front page only), the repository package, [source code repositories](https://git.rockylinux.org/sig/security/src), and [Mattermost channel](https://chat.rockylinux.org/rocky-linux/channels/security).