wiki/docs/news.md

# News

These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.

## August 7, 2024

[openssh](packages/openssh.md) `8.7p1-38.4.el9_4.security.0.9` for EL9 is a rebase on RH's release with a CVE-2024-6409 fix,
plus a further change of our own to suppress warnings about unsupported GSSAPI on systems configured for FIPS crypto-policy.

## July 8, 2024

[openssh](packages/openssh.md) `8.7p1-38.1.el9_4.security.0.7` for EL9 adds a fix for [CVE-2024-6409](issues/CVE-2024-6409.md),
an EL9-specific issue similar to [CVE-2024-6387 regreSSHion](issues/CVE-2024-6387.md).

## July 1, 2024

[openssh](packages/openssh.md) `8.7p1-38.el9_4.security.0.5` for EL9 adds a fix for [CVE-2024-6387 regreSSHion](issues/CVE-2024-6387.md).
EL8 is unaffected.

## June 13, 2024

[glibc](packages/glibc.md) `2.34-100.2.el9_4.security.0.9` is a rebase on `2.34-100.el9_4.2`,
where we switch to RH's backport of the iconv and nscd security fixes.

## June 1, 2024

[lkrg](packages/lkrg.md) `0.9.8-2.el8_10.security` is a rebuild of Linux Kernel Runtime Guard for EL 8.10,
which wasn't strictly necessary this time as our build for 8.9 also remained working on 8.10 as-is.

## May 22, 2024

[lkrg](packages/lkrg.md) `0.9.8-2.el9_4.security` is a rebuild of Linux Kernel Runtime Guard for EL 9.4.

## May 20, 2024

[glibc](packages/glibc.md) `2.34-100.el9_4.security.0.8` contains all of our changes so far rebased on top of 9.4's `2.34-100`,
which was still missing the iconv and nscd security fixes, so our addition of those is still relevant.

[openssh](packages/openssh.md) rebased on 9.4's `8.7p1-38`.

The status page on [CVE-2024-1086](issues/CVE-2024-1086.md) has been updated to refer to EL9 fix.

## April 30, 2024

Unreleased [glibc](packages/glibc.md) `2.34-83.12.el9_3.security.0.6` includes nscd CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 fixes from upstream glibc 2.34 branch.

This update ended up unreleased because we refocused on 9.4.

## April 18-23, 2024

Our hardened EL9 [glibc](packages/glibc.md) updated to include glibc upstream fix for [CVE-2024-2961](issues/CVE-2024-2961.md).
On that CVE status page, we also provide a mitigation for both EL9 and EL8.

The status page on [CVE-2024-1086](issues/CVE-2024-1086.md) has been updated to refer to EL8 fix and errata, suggest disabling network namespaces, explain remaining risks with LKRG.

## March 28, 2024

We've just set up a status page on [CVE-2024-1086](issues/CVE-2024-1086.md),
currently listing two mitigations for this Linux kernel vulnerability.

## March 11 to 16, 2024

[openssh](packages/openssh.md) rebased on upstream EL 8.7p1-34.3 with fixes for CVE-2023-48795 (Terrapin attack) and CVE-2023-51385, now building it without Kerberos support (further shortens `ldd sshd` from 20 to 13 lines, down from 28 lines in upstream EL).

## February 28, 2024

[lkrg](packages/lkrg.md) updated to version 0.9.8, which adds a remote kernel message logging capability.

## January 31, 2024

Further EL9 [glibc](packages/glibc.md) security hardening in response to the [recent](https://www.openwall.com/lists/oss-security/2024/01/30/6) [findings](https://www.openwall.com/lists/oss-security/2024/01/30/7) by Qualys.

## January 3, 2024

[control](packages/control.md) `0.8.0-7` can now manage two SUID root PAM helper programs `unix_chkpwd` and `pam_timestamp_check`.

## December 27, 2023

[control](packages/control.md) `0.8.0-5` can now manage user password hashing scheme and password policy in use by PAM-aware programs.

## December 18, 2023

This SIG/Security News wiki page has been created, retroactively identifying and listing selected news items so far.

[control](packages/control.md) `0.8.0-4` can now manage 3 privileged programs from `util-linux` (and `util-linux-core`): `mount`, `umount` (one "facility" for both), and `write`. Its wiki page has been reworked.

## December 14, 2023

[control](packages/control.md) wiki page added, documenting the new package.

`control` provides a common interface to register and control (what it calls) system facilities.
This is intended primarily for facilities that can potentially be dangerous to system security, to let you enable, disable, or configure each facility.
A typical facility is a SUID/SGID/setcap program or a configuration setting of a service.

Included initially are facility specifications corresponding to the `shadow-utils` package. Currently, these allow to `control` access to 5 privileged programs - 3 of them (`chage`, `gpasswd`, and `newgrp`) are by default SUID root and 2 (`newuidmap` and `newgidmap`) are `cap_setuid=ep`.

## November 25, 2023

Everything we had so far has been updated for EL 9.3 and 8.9, including our hardened EL9 [glibc](packages/glibc.md) and [openssh](packages/openssh.md) packages rebased on 9.3's and [lkrg](packages/lkrg.md) rebuilt for 9.3's and 8.9's kernels, along with re-testing and wiki edits.

The `rocky-release-security` package containing our repository configuration has been made (a while earlier) easier to use on EL distros other than Rocky Linux, and we've now updated the wiki accordingly.

## November 16 to 19, 2023

[microcode_ctl](packages/microcode_ctl.md) also for EL8, providing 8.9's Intel CPU microcode to fix [CVE-2023-23583](issues/CVE-2023-23583.md) a few days before general availability of our own 8.9 release as a whole.

## November 16, 2023

Wiki pages [lkrg](packages/lkrg.md) and [passwdqc](packages/passwdqc.md) have been created. We had these extra packages for a while, but previously only had wiki pages for override packages (referring solely to upstream homepages for the extra packages).

## November 15, 2023

We've started maintaining wiki pages for selected high profile security issues, initially for glibc [CVE-2023-4911](CVE-2023-4911.md) and Intel CPU microcode [CVE-2023-23583](issues/CVE-2023-23583.md).

[microcode_ctl](packages/microcode_ctl.md) for EL9, providing latest Intel CPU microcode to fix [CVE-2023-23583](issues/CVE-2023-23583.md) ahead of availability of a rebuilt new upstream package.

## October 31 to November 15, 2023

[hardened_malloc](packages/hardened_malloc.md) package - a security-focused memory allocator providing the `malloc(3)` API, and a script to preload it into existing program binaries. Its documentation on the wiki.

## October 13, 2023

We've started maintaining per-package wiki pages, initially for the override packages of [glibc](packages/glibc.md) and [openssh](packages/openssh.md).

We've added instructions for installation of Rocky Linux SIG/Security repository on other EL distros (non-Rocky).

## October 3, 2023

Initial wiki content documenting what we had so far, which included override packages of [glibc](packages/glibc.md) and [openssh](packages/openssh.md) and extra packages of [lkrg](packages/lkrg.md) and [passwdqc](packages/passwdqc.md) (even though these per-package wiki pages did not exist yet, so we instead had summaries and external links on the front page only), the repository package, [source code repositories](https://git.rockylinux.org/sig/security/src), and [Mattermost channel](https://chat.rockylinux.org/rocky-linux/channels/security).
Rename updates to news, link to it from index 2023-12-18 22:47:56 +00:00			`# News`
Add updates.md 2023-12-18 22:27:20 +00:00
			`These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.`

openssh 8.7p1-38.4.el9_4.security.0.9 2024-08-07 14:05:55 +00:00			`## August 7, 2024`

			[openssh](packages/openssh.md) `8.7p1-38.4.el9_4.security.0.9` for EL9 is a rebase on RH's release with a CVE-2024-6409 fix,
			`plus a further change of our own to suppress warnings about unsupported GSSAPI on systems configured for FIPS crypto-policy.`

openssh 8.7p1-38.1.el9_4.security.0.7 2024-07-08 18:44:12 +00:00			`## July 8, 2024`

			[openssh](packages/openssh.md) `8.7p1-38.1.el9_4.security.0.7` for EL9 adds a fix for [CVE-2024-6409](issues/CVE-2024-6409.md),
			`an EL9-specific issue similar to [CVE-2024-6387 regreSSHion](issues/CVE-2024-6387.md).`

openssh 8.7p1-38.el9_4.security.0.5 2024-07-01 11:12:16 +00:00			`## July 1, 2024`

			[openssh](packages/openssh.md) `8.7p1-38.el9_4.security.0.5` for EL9 adds a fix for [CVE-2024-6387 regreSSHion](issues/CVE-2024-6387.md).
			`EL8 is unaffected.`

glibc 2.34-100.2.el9_4.security.0.9 2024-06-13 16:12:25 +00:00			`## June 13, 2024`

			[glibc](packages/glibc.md) `2.34-100.2.el9_4.security.0.9` is a rebase on `2.34-100.el9_4.2`,
			`where we switch to RH's backport of the iconv and nscd security fixes.`

lkrg 0.9.8-2.el8_10.security 2024-06-01 18:07:13 +00:00			`## June 1, 2024`

			[lkrg](packages/lkrg.md) `0.9.8-2.el8_10.security` is a rebuild of Linux Kernel Runtime Guard for EL 8.10,
			`which wasn't strictly necessary this time as our build for 8.9 also remained working on 8.10 as-is.`

lkrg 0.9.8-2.el9_4.security 2024-05-22 17:06:18 +00:00			`## May 22, 2024`

lkrg 0.9.8-2.el8_10.security 2024-06-01 18:07:13 +00:00			[lkrg](packages/lkrg.md) `0.9.8-2.el9_4.security` is a rebuild of Linux Kernel Runtime Guard for EL 9.4.
lkrg 0.9.8-2.el9_4.security 2024-05-22 17:06:18 +00:00
docs/news.md: Updates for 9.4 2024-05-20 20:30:33 +00:00			`## May 20, 2024`

			[glibc](packages/glibc.md) `2.34-100.el9_4.security.0.8` contains all of our changes so far rebased on top of 9.4's `2.34-100`,
			`which was still missing the iconv and nscd security fixes, so our addition of those is still relevant.`

			[openssh](packages/openssh.md) rebased on 9.4's `8.7p1-38`.

			`The status page on [CVE-2024-1086](issues/CVE-2024-1086.md) has been updated to refer to EL9 fix.`

glibc 2.34-83.12.el9_3.security.0.6 nscd CVE fixes 2024-04-30 13:42:24 +00:00			`## April 30, 2024`

docs/news.md: Updates for 9.4 2024-05-20 20:30:33 +00:00			Unreleased [glibc](packages/glibc.md) `2.34-83.12.el9_3.security.0.6` includes nscd CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 fixes from upstream glibc 2.34 branch.

			`This update ended up unreleased because we refocused on 9.4.`
glibc 2.34-83.12.el9_3.security.0.6 nscd CVE fixes 2024-04-30 13:42:24 +00:00
issues/CVE-2024-2961.md: Add a mitigation 2024-04-23 13:21:32 +00:00			`## April 18-23, 2024`
glibc 2.34-83.12.el9_3.security.0.5 with CVE-2024-2961 fix 2024-04-18 17:15:37 +00:00
issues/CVE-2024-2961.md: Add a mitigation 2024-04-23 13:21:32 +00:00			`Our hardened EL9 [glibc](packages/glibc.md) updated to include glibc upstream fix for [CVE-2024-2961](issues/CVE-2024-2961.md).`
			`On that CVE status page, we also provide a mitigation for both EL9 and EL8.`
glibc 2.34-83.12.el9_3.security.0.5 with CVE-2024-2961 fix 2024-04-18 17:15:37 +00:00
			`The status page on [CVE-2024-1086](issues/CVE-2024-1086.md) has been updated to refer to EL8 fix and errata, suggest disabling network namespaces, explain remaining risks with LKRG.`

Add issues/CVE-2024-1086.md 2024-03-28 18:54:13 +00:00			`## March 28, 2024`

			`We've just set up a status page on [CVE-2024-1086](issues/CVE-2024-1086.md),`
			`currently listing two mitigations for this Linux kernel vulnerability.`

openssh-8.7p1-34.3.el9_3.security.0.3 2024-03-16 21:25:53 +00:00			`## March 11 to 16, 2024`
openssh-8.7p1-34.3.el9_3.security.0.2 2024-03-11 18:12:15 +00:00
			[openssh](packages/openssh.md) rebased on upstream EL 8.7p1-34.3 with fixes for CVE-2023-48795 (Terrapin attack) and CVE-2023-51385, now building it without Kerberos support (further shortens `ldd sshd` from 20 to 13 lines, down from 28 lines in upstream EL).

LKRG 0.9.8 2024-02-28 02:10:34 +00:00			`## February 28, 2024`

			`[lkrg](packages/lkrg.md) updated to version 0.9.8, which adds a remote kernel message logging capability.`

Further EL9 glibc security hardening in response Qualys' findings 2024-01-31 20:39:29 +00:00			`## January 31, 2024`

			`Further EL9 [glibc](packages/glibc.md) security hardening in response to the [recent](https://www.openwall.com/lists/oss-security/2024/01/30/6) [findings](https://www.openwall.com/lists/oss-security/2024/01/30/7) by Qualys.`

control-pam: Add unix_chkpwd and pam_timestamp_check 2024-01-03 14:01:52 +00:00			`## January 3, 2024`

			[control](packages/control.md) `0.8.0-7` can now manage two SUID root PAM helper programs `unix_chkpwd` and `pam_timestamp_check`.

control-pam: Add password hashing and password policy controls 2023-12-27 20:22:55 +00:00			`## December 27, 2023`

			[control](packages/control.md) `0.8.0-5` can now manage user password hashing scheme and password policy in use by PAM-aware programs.

Add updates.md 2023-12-18 22:27:20 +00:00			`## December 18, 2023`

			`This SIG/Security News wiki page has been created, retroactively identifying and listing selected news items so far.`

			[control](packages/control.md) `0.8.0-4` can now manage 3 privileged programs from `util-linux` (and `util-linux-core`): `mount`, `umount` (one "facility" for both), and `write`. Its wiki page has been reworked.

			`## December 14, 2023`

			`[control](packages/control.md) wiki page added, documenting the new package.`

			`control` provides a common interface to register and control (what it calls) system facilities.
			`This is intended primarily for facilities that can potentially be dangerous to system security, to let you enable, disable, or configure each facility.`
			`A typical facility is a SUID/SGID/setcap program or a configuration setting of a service.`

			Included initially are facility specifications corresponding to the `shadow-utils` package. Currently, these allow to `control` access to 5 privileged programs - 3 of them (`chage`, `gpasswd`, and `newgrp`) are by default SUID root and 2 (`newuidmap` and `newgidmap`) are `cap_setuid=ep`.

			`## November 25, 2023`

			`Everything we had so far has been updated for EL 9.3 and 8.9, including our hardened EL9 [glibc](packages/glibc.md) and [openssh](packages/openssh.md) packages rebased on 9.3's and [lkrg](packages/lkrg.md) rebuilt for 9.3's and 8.9's kernels, along with re-testing and wiki edits.`

			The `rocky-release-security` package containing our repository configuration has been made (a while earlier) easier to use on EL distros other than Rocky Linux, and we've now updated the wiki accordingly.

			`## November 16 to 19, 2023`

			`[microcode_ctl](packages/microcode_ctl.md) also for EL8, providing 8.9's Intel CPU microcode to fix [CVE-2023-23583](issues/CVE-2023-23583.md) a few days before general availability of our own 8.9 release as a whole.`

			`## November 16, 2023`

			`Wiki pages [lkrg](packages/lkrg.md) and [passwdqc](packages/passwdqc.md) have been created. We had these extra packages for a while, but previously only had wiki pages for override packages (referring solely to upstream homepages for the extra packages).`

			`## November 15, 2023`

			`We've started maintaining wiki pages for selected high profile security issues, initially for glibc [CVE-2023-4911](CVE-2023-4911.md) and Intel CPU microcode [CVE-2023-23583](issues/CVE-2023-23583.md).`

			`[microcode_ctl](packages/microcode_ctl.md) for EL9, providing latest Intel CPU microcode to fix [CVE-2023-23583](issues/CVE-2023-23583.md) ahead of availability of a rebuilt new upstream package.`

			`## October 31 to November 15, 2023`

			[hardened_malloc](packages/hardened_malloc.md) package - a security-focused memory allocator providing the `malloc(3)` API, and a script to preload it into existing program binaries. Its documentation on the wiki.

			`## October 13, 2023`

			`We've started maintaining per-package wiki pages, initially for the override packages of [glibc](packages/glibc.md) and [openssh](packages/openssh.md).`

			`We've added instructions for installation of Rocky Linux SIG/Security repository on other EL distros (non-Rocky).`

			`## October 3, 2023`

			Initial wiki content documenting what we had so far, which included override packages of [glibc](packages/glibc.md) and [openssh](packages/openssh.md) and extra packages of [lkrg](packages/lkrg.md) and [passwdqc](packages/passwdqc.md) (even though these per-package wiki pages did not exist yet, so we instead had summaries and external links on the front page only), the repository package, [source code repositories](https://git.rockylinux.org/sig/security/src), and [Mattermost channel](https://chat.rockylinux.org/rocky-linux/channels/security).