security/wiki
8
0
Fork 1
generated from sig_core/wiki-template
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request 'Add microcode_ctl for EL8' (#14) from solardiz-patch-12 into main
All checks were successful
mkdocs build / build (push) Successful in 27s
Details

Browse Source 
Reviewed-on: #14
Reviewed-by: Neil Hanlon <neil@noreply@resf.org>
This commit is contained in:
Neil Hanlon 2023-11-16 23:31:32 +00:00
commit d719891f5d
3 changed files with 20 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
docs/index.md
View File

@ -45,10 +45,13 @@ You'll normally install packages from the mirrors, which should just work. Howev
- [hardened_malloc](packages/hardened_malloc.md) (Security-focused memory allocator providing the malloc API, and a script to preload it into existing program binaries) - [hardened_malloc](packages/hardened_malloc.md) (Security-focused memory allocator providing the malloc API, and a script to preload it into existing program binaries)
### Override packages (for EL8 and EL9)
- [microcode_ctl](packages/microcode_ctl.md) (updates Intel CPU microcode to microcode-20231114, which fixes [CVE-2023-23583](issues/CVE-2023-23583.md))
### Override packages (currently only for EL9) ### Override packages (currently only for EL9)
- [glibc](packages/glibc.md) (adds many security-hardening changes originating from Owl and ALT Linux on top of EL package) - [glibc](packages/glibc.md) (adds many security-hardening changes originating from Owl and ALT Linux on top of EL package)
- [microcode_ctl](packages/microcode_ctl.md) (updates Intel CPU microcode to microcode-20231114, which fixes [CVE-2023-23583](issues/CVE-2023-23583.md))
- [openssh](packages/openssh.md) (fewer shared libraries exposed in sshd processes while otherwise fully matching EL package's functionality) - [openssh](packages/openssh.md) (fewer shared libraries exposed in sshd processes while otherwise fully matching EL package's functionality)
The changes are described in more detail on the per-package wiki pages linked above, as well as in the package changelogs. The changes are described in more detail on the per-package wiki pages linked above, as well as in the package changelogs.

6
docs/issues/CVE-2023-23583.md
View File

@ -24,8 +24,8 @@ Public disclosure date: November 14, 2023
- Fixed in version: `4:20231114-1.el9_2.security` available November 15, 2023 - Fixed in version: `4:20231114-1.el9_2.security` available November 15, 2023
Please refer to our [override package of microcode_ctl](../packages/microcode_ctl.md).
## EL8 ## EL8
- Not fixed yet, will fix. - Fixed in version `4:20230808-2.20231009.1.el8.security` available November 16, 2023
Please refer to our [override package of microcode_ctl](../packages/microcode_ctl.md).

15
docs/packages/microcode_ctl.md
View File

@ -3,14 +3,25 @@
## EL9 ## EL9
- Version `4:20231114-1.el9_2.security` - Version `4:20231114-1.el9_2.security`
- Based on `4:20230808-2` - Based on `4:20230808-2.el9`
This is our custom revision of a post-9.2 EL9 package. We use Intel's latest released microcode.
## EL8
- Version `4:20230808-2.20231009.1.el8.security`
- Based on `4:20230808-2.20231009.1.el8`
This is a rebuild of the 8.9 package as-is to make it available for 8.8. It uses Intel's fixed microcode revision that was provided to distros privately in preparation for the coordinated disclosure.
### Changes summary ### Changes summary
- Update Intel CPU microcode to microcode-20231114 (fixes [CVE-2023-23583](../issues/CVE-2023-23583.md)), temporarily dropping most documentation patches - Update Intel CPU microcode to fix [CVE-2023-23583](../issues/CVE-2023-23583.md), temporarily dropping most documentation patches
### Change log ### Change log
For EL9:
``` ```
* Tue Nov 14 2023 Solar Designer <solar@openwall.com> - 4:20231114-1 * Tue Nov 14 2023 Solar Designer <solar@openwall.com> - 4:20231114-1
- Update Intel CPU microcode to microcode-20231114 (fixes CVE-2023-23583), - Update Intel CPU microcode to microcode-20231114 (fixes CVE-2023-23583),