Add updates.md

This commit is contained in:
Solar Designer 2023-12-18 23:27:20 +01:00
parent 5556b38adf
commit d9b72d5e11

53
docs/updates.md Normal file
View File

@ -0,0 +1,53 @@
# SIG/Security News
These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
## December 18, 2023
This SIG/Security News wiki page has been created, retroactively identifying and listing selected news items so far.
[control](packages/control.md) `0.8.0-4` can now manage 3 privileged programs from `util-linux` (and `util-linux-core`): `mount`, `umount` (one "facility" for both), and `write`. Its wiki page has been reworked.
## December 14, 2023
[control](packages/control.md) wiki page added, documenting the new package.
`control` provides a common interface to register and control (what it calls) system facilities.
This is intended primarily for facilities that can potentially be dangerous to system security, to let you enable, disable, or configure each facility.
A typical facility is a SUID/SGID/setcap program or a configuration setting of a service.
Included initially are facility specifications corresponding to the `shadow-utils` package. Currently, these allow to `control` access to 5 privileged programs - 3 of them (`chage`, `gpasswd`, and `newgrp`) are by default SUID root and 2 (`newuidmap` and `newgidmap`) are `cap_setuid=ep`.
## November 25, 2023
Everything we had so far has been updated for EL 9.3 and 8.9, including our hardened EL9 [glibc](packages/glibc.md) and [openssh](packages/openssh.md) packages rebased on 9.3's and [lkrg](packages/lkrg.md) rebuilt for 9.3's and 8.9's kernels, along with re-testing and wiki edits.
The `rocky-release-security` package containing our repository configuration has been made (a while earlier) easier to use on EL distros other than Rocky Linux, and we've now updated the wiki accordingly.
## November 16 to 19, 2023
[microcode_ctl](packages/microcode_ctl.md) also for EL8, providing 8.9's Intel CPU microcode to fix [CVE-2023-23583](issues/CVE-2023-23583.md) a few days before general availability of our own 8.9 release as a whole.
## November 16, 2023
Wiki pages [lkrg](packages/lkrg.md) and [passwdqc](packages/passwdqc.md) have been created. We had these extra packages for a while, but previously only had wiki pages for override packages (referring solely to upstream homepages for the extra packages).
## November 15, 2023
We've started maintaining wiki pages for selected high profile security issues, initially for glibc [CVE-2023-4911](CVE-2023-4911.md) and Intel CPU microcode [CVE-2023-23583](issues/CVE-2023-23583.md).
[microcode_ctl](packages/microcode_ctl.md) for EL9, providing latest Intel CPU microcode to fix [CVE-2023-23583](issues/CVE-2023-23583.md) ahead of availability of a rebuilt new upstream package.
## October 31 to November 15, 2023
[hardened_malloc](packages/hardened_malloc.md) package - a security-focused memory allocator providing the `malloc(3)` API, and a script to preload it into existing program binaries. Its documentation on the wiki.
## October 13, 2023
We've started maintaining per-package wiki pages, initially for the override packages of [glibc](packages/glibc.md) and [openssh](packages/openssh.md).
We've added instructions for installation of Rocky Linux SIG/Security repository on other EL distros (non-Rocky).
## October 3, 2023
Initial wiki content documenting what we had so far, which included override packages of [glibc](packages/glibc.md) and [openssh](packages/openssh.md) and extra packages of [lkrg](packages/lkrg.md) and [passwdqc](packages/passwdqc.md) (even though these per-package wiki pages did not exist yet, so we instead had summaries and external links on the front page only), the repository package, [source code repositories](https://git.rockylinux.org/sig/security/src), and [Mattermost channel](https://chat.rockylinux.org/rocky-linux/channels/security).