generated from sig_core/wiki-template
issues/CVE-2024-2961.md: Add a mitigation
This commit is contained in:
parent
ea9aee0a60
commit
51bbca3793
@ -23,3 +23,24 @@ Fixed in version: `2.34-83.12.el9_3.security.0.5` available April 18, 2024
|
||||
## EL8
|
||||
|
||||
Affected. We will of course rebuild upstream's fix as soon as it arrives.
|
||||
|
||||
## Mitigation
|
||||
|
||||
Support for the ISO-2022-CN-EXT character set can be excluded from glibc's iconv(3) by editing `/usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf` to comment out the below 3 lines at line 1254 (same line number in EL9 and EL8) and then regenerating the cache file:
|
||||
|
||||
```
|
||||
alias ISO2022CNEXT// ISO-2022-CN-EXT//
|
||||
module ISO-2022-CN-EXT// INTERNAL ISO-2022-CN-EXT 1
|
||||
module INTERNAL ISO-2022-CN-EXT// ISO-2022-CN-EXT 1
|
||||
```
|
||||
|
||||
These two steps can be accomplished by running the below commands as root:
|
||||
|
||||
```
|
||||
sed -i -r 's/^(.*ISO-2022-CN-EXT.*)$/#\1/' /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf
|
||||
iconvconfig
|
||||
```
|
||||
|
||||
To make sure this has worked as intended, we also recommend that you run `iconv -l | grep ISO-2022-CN-EXT` before and after the above procedure. It should list the ISO-2022-CN-EXT character set before the procedure, but produce empty output afterwards.
|
||||
|
||||
Finally, if you have long-running processes for which the bug matters (such as PHP-FPM), you'll need to restart those.
|
||||
|
@ -2,10 +2,10 @@
|
||||
|
||||
These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
|
||||
|
||||
## April 18, 2024
|
||||
## April 18-23, 2024
|
||||
|
||||
Our hardened EL9 [glibc](packages/glibc.md) updated to include glibc upstream fix for [CVE-2024-2961](issues/CVE-2024-2961.md),
|
||||
which we now have a status page on.
|
||||
Our hardened EL9 [glibc](packages/glibc.md) updated to include glibc upstream fix for [CVE-2024-2961](issues/CVE-2024-2961.md).
|
||||
On that CVE status page, we also provide a mitigation for both EL9 and EL8.
|
||||
|
||||
The status page on [CVE-2024-1086](issues/CVE-2024-1086.md) has been updated to refer to EL8 fix and errata, suggest disabling network namespaces, explain remaining risks with LKRG.
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user