From b4d2b3b8be1968f032198d25faa9c8b1d0a2c9c7 Mon Sep 17 00:00:00 2001 From: Solar Designer Date: Fri, 17 Nov 2023 00:06:30 +0100 Subject: [PATCH] Add microcode_ctl for EL8 --- docs/index.md | 5 ++++- docs/issues/CVE-2023-23583.md | 6 +++--- docs/packages/microcode_ctl.md | 15 +++++++++++++-- 3 files changed, 20 insertions(+), 6 deletions(-) diff --git a/docs/index.md b/docs/index.md index 21e17cd..d30e5a5 100644 --- a/docs/index.md +++ b/docs/index.md @@ -45,10 +45,13 @@ You'll normally install packages from the mirrors, which should just work. Howev - [hardened_malloc](packages/hardened_malloc.md) (Security-focused memory allocator providing the malloc API, and a script to preload it into existing program binaries) +### Override packages (for EL8 and EL9) + +- [microcode_ctl](packages/microcode_ctl.md) (updates Intel CPU microcode to microcode-20231114, which fixes [CVE-2023-23583](issues/CVE-2023-23583.md)) + ### Override packages (currently only for EL9) - [glibc](packages/glibc.md) (adds many security-hardening changes originating from Owl and ALT Linux on top of EL package) -- [microcode_ctl](packages/microcode_ctl.md) (updates Intel CPU microcode to microcode-20231114, which fixes [CVE-2023-23583](issues/CVE-2023-23583.md)) - [openssh](packages/openssh.md) (fewer shared libraries exposed in sshd processes while otherwise fully matching EL package's functionality) The changes are described in more detail on the per-package wiki pages linked above, as well as in the package changelogs. diff --git a/docs/issues/CVE-2023-23583.md b/docs/issues/CVE-2023-23583.md index cb1e642..c16baeb 100644 --- a/docs/issues/CVE-2023-23583.md +++ b/docs/issues/CVE-2023-23583.md 
@@ -24,8 +24,8 @@ Public disclosure date: November 14, 2023 - Fixed in version: `4:20231114-1.el9_2.security` available November 15, 2023 -Please refer to our [override package of microcode_ctl](../packages/microcode_ctl.md). - ## EL8 -- Not fixed yet, will fix. +- Fixed in version `4:20230808-2.20231009.1.el8.security` available November 16, 2023 + +Please refer to our [override package of microcode_ctl](../packages/microcode_ctl.md). diff --git a/docs/packages/microcode_ctl.md b/docs/packages/microcode_ctl.md index 016e4f6..a526ac9 100644 --- a/docs/packages/microcode_ctl.md +++ b/docs/packages/microcode_ctl.md @@ -3,14 +3,25 @@ ## EL9 - Version `4:20231114-1.el9_2.security` -- Based on `4:20230808-2` +- Based on `4:20230808-2.el9` + +This is our custom revision of a post-9.2 EL9 package. We use Intel's latest released microcode. + +## EL8 + +- Version `4:20230808-2.20231009.1.el8.security` +- Based on `4:20230808-2.20231009.1.el8` + +This is a rebuild of the 8.9 package as-is to make it available for 8.8. It uses Intel's fixed microcode revision that was provided to distros privately in preparation for the coordinated disclosure. ### Changes summary -- Update Intel CPU microcode to microcode-20231114 (fixes [CVE-2023-23583](../issues/CVE-2023-23583.md)), temporarily dropping most documentation patches +- Update Intel CPU microcode to fix [CVE-2023-23583](../issues/CVE-2023-23583.md), temporarily dropping most documentation patches ### Change log +For EL9: + ``` * Tue Nov 14 2023 Solar Designer - 4:20231114-1 - Update Intel CPU microcode to microcode-20231114 (fixes CVE-2023-23583),
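Review bot: In docs/index.md, the microcode_ctl entry that moves under "Override packages (for EL8 and EL9)" still says it "updates Intel CPU microcode to microcode-20231114", but the EL8 section added to docs/packages/microcode_ctl.md describes `4:20230808-2.20231009.1.el8.security` as using the fixed microcode revision provided to distros privately, without naming microcode-20231114. Suggest wording the index entry the way the changes summary now reads ("Update Intel CPU microcode to fix CVE-2023-23583"), or stating the microcode source per EL version.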
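Review bot: In docs/issues/CVE-2023-23583.md, the "Please refer to our override package of microcode_ctl" sentence now sits at the end of the `## EL8` section, so it reads as applying to EL8 only even though the linked page covers both EL9 and EL8. Consider repeating it in both sections or moving it to a spot that is not under a per-version heading. The new EL8 bullet also reads "Fixed in version `...`" without the colon used by the EL9 bullet ("Fixed in version: `...`"); make the two match.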
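Review bot: In docs/packages/microcode_ctl.md, adding `## EL8` above the existing `### Changes summary` and `### Change log` makes both subsections nest under EL8, yet the summary bullet still says "temporarily dropping most documentation patches" while the new EL8 paragraph calls that package a rebuild "as-is". The change log gets a "For EL9:" label, but the changes summary gets no such scoping in the lines shown. Suggest either moving the summary up under `## EL9` or labelling it per version, so a reader on EL8 is not told that documentation patches were dropped from a package that was rebuilt unmodified.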