From 3bf689e7e3bfeba8cc7da48e67e387c4880b5f25 Mon Sep 17 00:00:00 2001 From: Solar Designer Date: Tue, 3 Oct 2023 18:02:26 +0000 Subject: [PATCH] Add "Known-effective vulnerability mitigations and fixes" --- docs/index.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/index.md b/docs/index.md index 01d26fd..87718b7 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -21,13 +21,18 @@ dnf install rocky-release-security ### Override packages (currently only for EL9) -- glibc (adds many security-hardening changes originating from Owl and ALT Linux on top of EL package, fixes [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1)) +- glibc (adds many security-hardening changes originating from Owl and ALT Linux on top of EL package) - openssh (fewer shared libraries exposed in sshd processes while otherwise fully matching EL package's functionality) The changes are described in more detail in the package changelogs. -The inclusion of additional security fixes will be "reverted" if and when those get included in upstream EL packages that we rebase our changes on. More packages/changes are planned, including override packages also for EL8. +#### Known-effective vulnerability mitigations and fixes + +`glibc-2.34-60.el9_2.security.0.2` (specifically the `.0.2` version!) includes mitigations sufficient to avoid security exposure of [CVE-2023-4911](https://www.openwall.com/lists/oss-security/2023/10/03/2) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL. + +The inclusion of additional security fixes will be "reverted" if and when those get included in upstream EL packages that we rebase our changes on. + ## Source code Just like for other Rocky Linux SIGs, the source trees for Security SIG packages are maintained in [per-package git repositories](https://git.rockylinux.org/sig/security/src). Each repository contains branches `r8` and/or `r9` corresponding to target EL version.
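Review bot: The new "Known-effective vulnerability mitigations and fixes" paragraph says `glibc-2.34-60.el9_2.security.0.2` "includes mitigations sufficient to avoid security exposure" of CVE-2023-4911 but does not say what distinguishes that from the backported fix it mentions for CVE-2023-4527; readers deciding whether a host is patched (and anyone reconciling scanner output keyed on the EL package version) need to know whether this is a fix for the bug itself or a hardening change that only blocks the known exploitation path, so a short clause on that, or a pointer to the changelog entry that describes it, would help. Since the text stresses "specifically the `.0.2` version!", consider also stating plainly that earlier `.security.0.x` builds do not carry the CVE-2023-4911 mitigation and showing the check a user would run, e.g. `rpm -q glibc` and comparing the release field against `60.el9_2.security.0.2`. Finally, the "reverted" sentence now sits under the new subsection rather than the general package description; that reads correctly for the two fixes listed, but the heading should then remain the place where future backports are recorded so the sentence keeps applying to a concrete list.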