From f50b00f4555a8eaf0d03307113fdc8807101ae18 Mon Sep 17 00:00:00 2001 From: Solar Designer Date: Mon, 8 Jul 2024 20:24:39 +0200 Subject: [PATCH 1/2] Update the recent note on the repo coming disabled by default --- docs/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/index.md b/docs/index.md index 3c2e7c4..4082ed4 100644 --- a/docs/index.md +++ b/docs/index.md @@ -34,9 +34,9 @@ This isn't as secure as checking the package signature would be _if_ you previou ### Note -Regardless of whether installing on Rocky or another EL distribution, the `security-common` repository comes disabled by default out of an abundance of caution because of the packages contained within the repository which override the base Rocky Linux packages. +Regardless of whether installing on Rocky or another EL distribution, the `security-common` repository for EL9 comes disabled by default out of abundance of caution because of the packages contained within the repository that override the base Rocky Linux packages. -In order to receive packages from the SIG, either enable the repository (`dnf config-mangager --enable security-common`), or activate for a single DNF transaction with `dnf --enablerepo=security-common install `. +In order to receive packages from the SIG, either enable the repository (`dnf config-manager --enable security-common`), or activate for a single DNF transaction with `dnf --enablerepo=security-common install `. ## Packages From 10816e23f72e89d5faa8e94e4b5361744d380cd3 Mon Sep 17 00:00:00 2001 From: Solar Designer Date: Mon, 8 Jul 2024 20:44:12 +0200 Subject: [PATCH 2/2] openssh 8.7p1-38.1.el9_4.security.0.7 --- docs/issues/CVE-2024-6409.md | 29 +++++++++++++++++++++++++++++ docs/news.md | 5 +++++ docs/packages/openssh.md | 12 +++++++++--- 3 files changed, 43 insertions(+), 3 deletions(-) create mode 100644 docs/issues/CVE-2024-6409.md 
diff --git a/docs/issues/CVE-2024-6409.md b/docs/issues/CVE-2024-6409.md new file mode 100644 index 0000000..3d9f1ee --- /dev/null +++ b/docs/issues/CVE-2024-6409.md @@ -0,0 +1,29 @@ +# CVE-2024-6409: openssh + +## Title + +CVE-2024-6409: OpenSSH: Possible remote code execution in privsep child due to a race condition in signal handling + +## Summary + +As [discovered by Solar Designer (CIQ/Rocky Linux)](https://www.openwall.com/lists/oss-security/2024/07/08/2): + +OpenSSH versions 8.7 and 8.8 and the corresponding portable releases call `cleanup_exit()` from `grace_alarm_handler()` when running in the privsep child process. `cleanup_exit()` was not meant to be called from a signal handler and may call other async-signal-unsafe functions. The current understanding is that in those upstream versions `cleanup_exit()` would not actually call async-signal-unsafe functions under those conditions, but with downstream distribution patches it sometimes does. Specifically, openssh-7.6p1-audit.patch found in Red Hat's package of OpenSSH adds code to `cleanup_exit()` that exposes the issue. Relevantly, this patch is found in EL 9, where the package is based on OpenSSH 8.7p1. + +This is an EL9-specific issue similar to [CVE-2024-6387 regreSSHion](CVE-2024-6387.md). + +Public disclosure date: July 8, 2024 + +## EL9 + +- Fixed in version: `8.7p1-38.1.el9_4.security.0.7` available July 8, 2024 + +## EL8 + +- Unaffected + +## Mitigation + +Set `LoginGraceTime 0` in `/etc/ssh/sshd_config` and do a `systemctl restart sshd`. + +A drawback of this mitigation is that it will make the SSH server more susceptible to denial of service attacks. diff --git a/docs/news.md b/docs/news.md index cce6c53..708c33b 100644 --- a/docs/news.md +++ b/docs/news.md 
@@ -2,6 +2,11 @@ These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits. +## July 8, 2024 + +[openssh](packages/openssh.md) `8.7p1-38.1.el9_4.security.0.7` for EL9 adds a fix for [CVE-2024-6409](issues/CVE-2024-6409.md), +an EL9-specific issue similar to [CVE-2024-6387 regreSSHion](issues/CVE-2024-6387.md). + ## July 1, 2024 [openssh](packages/openssh.md) `8.7p1-38.el9_4.security.0.5` for EL9 adds a fix for [CVE-2024-6387 regreSSHion](issues/CVE-2024-6387.md). diff --git a/docs/packages/openssh.md b/docs/packages/openssh.md index 260d6fe..620f6e5 100644 --- a/docs/packages/openssh.md +++ b/docs/packages/openssh.md @@ -2,18 +2,24 @@ ## EL9 -- Version `8.7p1-38.el9_4.security.0.5` -- Based on `8.7p1-38.el9` +- Version `8.7p1-38.1.el9_4.security.0.7` +- Based on `8.7p1-38.el9_4.1` ### Changes summary - Instead of linking against `libsystemd`, load it dynamically in a temporary child process to avoid polluting actual `sshd`'s address space with that library and its many dependencies (shortens `ldd sshd` output from 28 to 20 lines) - Build without Kerberos support (further shortens `ldd sshd` from 20 to 13 lines) -- Fix CVE-2024-6387 regreSSHion +- Fix [CVE-2024-6409](../issues/CVE-2024-6409.md) ### Change log ``` +* Mon Jul 08 2024 Solar Designer 8.7p1-38.1.el9_4.security.0.7 +- Fix CVE-2024-6409 + +* Mon Jul 08 2024 Solar Designer 8.7p1-38.1.el9_4.security.0.6 +- Rebase on 8.7p1-38.1 + * Mon Jul 01 2024 Solar Designer 8.7p1-38.el9_4.security.0.5 - Fix CVE-2024-6387 regreSSHion
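Review bot: in the docs/index.md hunk the rewritten Note sentence loses the article the old line had: "out of abundance of caution" should stay "out of an abundance of caution"; the `config-mangager` to `config-manager` fix and the "for EL9" qualifier are correct. In the same hunk the single-transaction command ends at `install ` with nothing after it, in both the old and the new line, so the reader is not told where the package name goes; spell out a placeholder there (for example `install <package>` or `install PACKAGE`) so the command is complete as shown.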
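Review bot: in the new docs/issues/CVE-2024-6409.md the "EL9" section only lists the fixed version; it should also say which SIG builds are affected, because the same-day rebase build `8.7p1-38.1.el9_4.security.0.6` ships without the fix (the change log in docs/packages/openssh.md puts the fix in `...0.7` only), and earlier SIG EL9 builds carry the audit patch the summary names. Suggest an "Affected" bullet such as "all earlier SIG EL9 builds, including `8.7p1-38.1.el9_4.security.0.6`". The "Mitigation" section would also benefit from one sentence on why it works, tying `LoginGraceTime 0` to the `grace_alarm_handler()` path described in the summary (with no grace timeout the alarm that reaches `cleanup_exit()` is never armed), and the "EL8" section should state the reason for "Unaffected" rather than a bare word, for instance that its base version lies outside the 8.7/8.8 range the summary gives.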
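Review bot: in the docs/packages/openssh.md hunk the "Changes summary" silently replaces "- Fix CVE-2024-6387 regreSSHion" with the CVE-2024-6409 line, and nothing in the hunk or in the one-line commit message records why the regreSSHion entry is gone. If the rebase onto `8.7p1-38.el9_4.1` supersedes the SIG's own fix from `...0.5`, say so in the `0.6` change log entry, for example "- Rebase on 8.7p1-38.el9_4.1, which carries the CVE-2024-6387 fix and replaces ours"; otherwise the summary now reads as if the package no longer addresses CVE-2024-6387. The same base release is also written three ways within the hunk: "Based on `8.7p1-38.el9_4.1`", "Rebase on 8.7p1-38.1" in the change log, and the `38.1.el9_4` element of the SIG version string; use the full `8.7p1-38.el9_4.1` form in the change log so the mapping to the base package is unambiguous.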