Merge pull request 'Assorted updates and corrections' (#16) from solardiz-patch-14 into main

Reviewed-on: #16
Reviewed-by: Neil Hanlon <neil@noreply@resf.org>

docs/index.md

@@ -18,22 +18,18 @@ dnf install rocky-release-security
 
 Download the release package containing our repository configuration file and package signing public key. Use the version that corresponds to the major version of your EL distro.
 
-- [rocky-release-security-9](https://download.rockylinux.org/pub/rocky/9/extras/x86_64/os/Packages/r/rocky-release-security-9-2.el9.noarch.rpm)
-- [rocky-release-security-8](https://download.rockylinux.org/pub/rocky/8/extras/x86_64/os/Packages/r/rocky-release-security-8-2.el8.noarch.rpm)
+- [rocky-release-security-9](https://download.rockylinux.org/pub/rocky/9/extras/x86_64/os/Packages/r/rocky-release-security-9-3.el9.noarch.rpm)
+- [rocky-release-security-8](https://download.rockylinux.org/pub/rocky/8/extras/x86_64/os/Packages/r/rocky-release-security-8-3.el8.noarch.rpm)
 
 Verify the package file's SHA-256 digest with `sha256sum`. The currently expected digests are:
 
 ```
-8daf0934c8b5cfce1f5c2dc53ea0118102940bf307c7cc8863ab718696863da6  rocky-release-security-9-2.el9.noarch.rpm
-15aebef7257d4ff3c59a3b4e45acf8fae9894a10ddd2c924dfd521033337e96c  rocky-release-security-8-2.el8.noarch.rpm
+0d0cfcb16379b4c374b45a7a4ec86894f5bbdd977103cc5544be0f6fc2581a2a  rocky-release-security-9-3.el9.noarch.rpm
+8dc7912f0ab55dff4cb2b1dc9262c22aa89d911cdb680d33213737597d865006  rocky-release-security-8-3.el8.noarch.rpm
 ```
 
 This isn't as secure as checking the package signature would be _if_ you previously had our package signing public key, but on another distro you probably don't have that yet, so checking the digest against its copy obtained from this separate website is a best-effort measure.
 
-Install the package with `rpm -U --nodeps`. The `--nodeps` option is needed to bypass the dependency check on our `rocky-release` package. In essense, you're manually confirming to `rpm` that you're installing on a compatible distro.
-
-You'll normally install packages from the mirrors, which should just work. However, if there's any issue with the mirrors and you uncomment our `baseurl` line instead, then on non-Rocky you'll need to use `DNF_VAR_sigcontentdir=/pub/sig dnf` in place of simply `dnf`.
-
 ## Packages
 
 ### Extra packages (for EL8 and EL9)

docs/packages/glibc.md

@@ -2,8 +2,8 @@
 
 ## EL9
 
-- Version `2.34-60.7.el9_2.security.0.3`
-- Based on `2.34-60.el9_2.7`
+- Version `2.34-83.7.el9_3.security.0.3`
+- Based on `2.34-83.el9.7`
 
 ### Changes summary
 
@@ -16,36 +16,23 @@
 
 #### Known-effective vulnerability mitigations and fixes
 
-`2.34-60.el9_2.security.0.2` included mitigations sufficient to avoid security exposure of [CVE-2023-4911](../issues/CVE-2023-4911.md) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL. In the update to `2.34-60.7.el9_2.security.0.3`, we retained the mitigations while rebasing on upstream EL's package with upstream fixes for these vulnerabilities (and more).
+`2.34-60.el9_2.security.0.2` included mitigations sufficient to avoid security exposure of [CVE-2023-4911](../issues/CVE-2023-4911.md) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL. In the update to `2.34-60.7.el9_2.security.0.3` and beyond, we retained the mitigations while rebasing on upstream EL's package with upstream fixes for these vulnerabilities (and more).
 
 In general, inclusion of additional security fixes will be "reverted" if and when those get included in upstream EL packages that we rebase our changes on.
 
 ### Change log
 
 ```
+* Wed Nov 22 2023 Solar Designer <solar@openwall.com> - 2.34-83.7.el9.security.0.3
+- Rebase on 2.34-83.7, drop "our" CVE-2023-4527 patch in favor of RH's
+  (a similar rebase was made on Oct 6 in 2.34-60.7.el9.security.0.3 for 9.2)
+
+[... upstream changes ...]
+
 * Fri Oct  6 2023 Solar Designer <solar@openwall.com> - 2.34-60.7.el9.security.0.3
 - Rebase on 2.34-60.7, drop "our" CVE-2023-4527 patch in favor of RH's
 
-* Mon Sep 25 2023 Florian Weimer <fweimer@redhat.com> - 2.34-60.7
-- Fix memory leak regression in getaddrinfo (RHEL-2425)
-
-* Tue Sep 19 2023 Carlos O'Donell <carlos@redhat.com> - 2.34-60.6
-- CVE-2023-4911 glibc: buffer overflow in ld.so leading to privilege escalation (RHEL-2999)
-
-* Tue Sep 19 2023 Carlos O'Donell <carlos@redhat.com> - 2.34-60.5
-- Revert: Always call destructors in reverse constructor order (RHEL-3385)
-
-* Mon Sep 18 2023 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.34-60.4
-- CVE-2023-4806 glibc: potential use-after-free in getaddrinfo (RHEL-2425)
-
-* Fri Sep 15 2023 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.34-60.3
-- CVE-2023-4813: potential use-after-free in gaih_inet (RHEL-2437)
-
-* Fri Sep 15 2023 Carlos O'Donell <carlos@redhat.com> - 2.34-60.2
-- CVE-2023-4527: Stack read overflow in getaddrinfo in no-aaaa mode (#2234715)
-
-* Wed Sep 13 2023 Florian Weimer <fweimer@redhat.com> - 2.34-60.1
-- Always call destructors in reverse constructor order (RHEL-3385)
+[... upstream changes ...]
 
 * Mon Oct  2 2023 Solar Designer <solar@openwall.com> - 2.34-60.el9.security.0.2
 - Add glibc-owl-alt-sanitize-env.patch stitched from several ALT Linux commits

docs/packages/lkrg.md

@@ -1,8 +1,13 @@
 # Extra package: lkrg
 
-## EL8 and EL9
+## EL9
 
-- Version `lkrg-0.9.7-4.el9_2.security`
+- Version `0.9.7-4.el9_3.security`
+- Based on upstream version `0.9.7`
+
+## EL8
+
+- Version `0.9.7-4.el8_9.security`
 - Based on upstream version `0.9.7`
 
 ### Package summary
@@ -13,7 +18,7 @@ More information is available on the [LKRG homepage](https://lkrg.org) and in th
 
 ### Usage in Rocky Linux
 
-Due to EL's kABI stability and the `weak-modules` mechanism, which this package uses, the same binary package of LKRG works across different kernel revisions/builds within the same EL minor release (e.g., 9.2). Once there's a new minor release (e.g., 9.2 is upgraded to 9.3), we'll provide a new build of LKRG accordingly.
+Due to EL's kABI stability and the `weak-modules` mechanism, which this package uses, the same binary package of LKRG works across different kernel revisions/builds within the same EL minor release (e.g., 9.3). Once there's a new minor release (e.g., 9.3 is upgraded to 9.4), we'll provide a new build of LKRG accordingly.
 
 Installing the package does not automatically start LKRG nor enable it to start on system bootup. To start LKRG please use:
 
@@ -29,10 +34,12 @@ systemctl enable lkrg
 
 ### Testing and recovery
 
-Although the current package passed our own testing (on 8.8 and 9.2), we recommend that you only enable LKRG to start on system bootup after you've tested it for a while to ensure its compatibility with your system. If you nevertheless run into a boot time issue with LKRG later, you can disable it with the `nolkrg` kernel command-line option.
+Although the current package passed our own testing (on 9.3 and 8.9), we recommend that you only enable LKRG to start on system bootup after you've tested it for a while to ensure its compatibility with your system. If you nevertheless run into a boot time issue with LKRG later, you can disable it with the `nolkrg` kernel command-line option.
 
 ### Change log
 
+The 0.9.7-4 source package was originally built for (and tested on) 9.2 and 8.8, then rebuilt without source level changes for 9.3 and 8.9 (and re-tested on those versions).
+
 ```
 * Wed Nov 08 2023 Solar Designer <solar@openwall.com> 0.9.7-4
 - Add a couple of upstream patches, most notably to fix kINT false positives on

docs/packages/openssh.md

@@ -2,8 +2,8 @@
 
 ## EL9
 
-- Version `8.7p1-30.el9_2.security.0.2`
-- Based on `8.7p1-30.el9_2`
+- Version `8.7p1-34.el9_3.security.0.1`
+- Based on `8.7p1-34.el9`
 
 ### Changes summary
 
@@ -12,6 +12,9 @@
 ### Change log
 
 ```
+* Wed Nov 22 2023 Solar Designer <solar@openwall.com> 8.7p1-34.el9_3.security.0.1
+- Rebase 8.7p1-30.el9.security.0.2 on 8.7p1-34
+
 * Sat Oct 07 2023 Solar Designer <solar@openwall.com> 8.7p1-30.el9.security.0.2
 - Load libsystemd.so.0, not libsystemd.so, as the latter is only provided by
   systemd-devel

docs/packages/passwdqc.md

@@ -1,10 +1,15 @@
 # Extra package: passwdqc
 
-## EL8 and EL9
+## EL9
 
 - Version `2.0.3-2.el9_2.security`
 - Based on upstream version `2.0.3-2` as packaged in Fedora
 
+## EL8
+
+- Version `2.0.3-2.el8.security`
+- Based on upstream version `2.0.3-2` as packaged in Fedora
+
 ### Package summary
 
 `passwdqc` is a password/passphrase strength checking and policy enforcement toolset, including a PAM module (`pam_passwdqc`), command-line programs (`pwqcheck`, `pwqfilter`, and `pwqgen`), and a library (`libpasswdqc`).
@@ -13,7 +18,7 @@ More information is available on the [passwdqc homepage](https://www.openwall.co
 
 ### Usage in Rocky Linux
 
-There are 4 sub-packages:
+There are 5 sub-packages:
 
 #### pam_passwdqc
 
@@ -31,6 +36,10 @@ The `pwqfilter` program searches, creates, or updates binary passphrase filter f
 
 `libpasswdqc` is the underlying library, which may also be used from third-party programs.
 
+#### libpasswdqc-devel
+
+This package contains development files needed for building passwdqc-aware applications, as well as documentation (man pages) for developing such applications.
+
 #### passwdqc
 
-`passwdqc` is a meta sub-package that installs (via dependencies) all 3 actual sub-packages above.
+`passwdqc` is a meta sub-package that installs (via dependencies) the actual sub-packages above, except for `libpasswdqc-devel`.