Compare commits


No commits in common. "950cb7759fa060aa6609c868e95837244d58a77b" and "41e67d41fa7d93a506ffef79e1b9b5ba9bb962c0" have entirely different histories.

4 changed files with 11 additions and 36 deletions


@ -16,7 +16,7 @@ Public disclosure date: March 26, 2024 for the above blog post, which made the i
## EL9 ## EL9
- Fixed in version: `kernel-5.14.0-427.16.1.el9_4` available May 8, 2024 Affected. We will of course rebuild upstream's fix as soon as it arrives. Meanwhile, please refer to the mitigations below.
## EL8 ## EL8
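Review bot: the head side of this hunk regresses the EL9 entry from a concrete fix (`kernel-5.14.0-427.16.1.el9_4`, available May 8, 2024) back to "Affected. We will of course rebuild upstream's fix as soon as it arrives", which together with the "No commits in common" banner indicates that the base is the newer state and the head the older one, not a forward change; if this compare is ever applied in the head direction, the fixed-version line must be kept, because a status page that still says "Affected" after the fix shipped points readers at the mitigations instead of at the update.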
@ -25,7 +25,7 @@ Public disclosure date: March 26, 2024 for the above blog post, which made the i
## Mitigation ## Mitigation
We also recommend two mitigations: Meanwhile, we recommend two mitigations:
- If you don't use containers, we recommend that you disable user namespaces e.g. by running the below commands as root: - If you don't use containers, we recommend that you disable user namespaces e.g. by running the below commands as root:
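Review bot: the "Meanwhile, we recommend two mitigations:" wording on the head side presupposes that the EL9 status in the hunk above is still "Affected", while "We also recommend two mitigations:" on the base side matches the fixed-version text; whichever direction is kept, this line and the EL9 status line have to change together, since "Meanwhile" next to a shipped fix version reads as if the fix were still pending.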


@ -2,21 +2,6 @@
These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits. These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
## May 20, 2024
[glibc](packages/glibc.md) `2.34-100.el9_4.security.0.8` contains all of our changes so far rebased on top of 9.4's `2.34-100`,
which was still missing the iconv and nscd security fixes, so our addition of those is still relevant.
[openssh](packages/openssh.md) rebased on 9.4's `8.7p1-38`.
The status page on [CVE-2024-1086](issues/CVE-2024-1086.md) has been updated to refer to EL9 fix.
## April 30, 2024
Unreleased [glibc](packages/glibc.md) `2.34-83.12.el9_3.security.0.6` includes nscd CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 fixes from upstream glibc 2.34 branch.
This update ended up unreleased because we refocused on 9.4.
## April 18-23, 2024 ## April 18-23, 2024
Our hardened EL9 [glibc](packages/glibc.md) updated to include glibc upstream fix for [CVE-2024-2961](issues/CVE-2024-2961.md). Our hardened EL9 [glibc](packages/glibc.md) updated to include glibc upstream fix for [CVE-2024-2961](issues/CVE-2024-2961.md).
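Review bot: the removed April 30 entry is the only place that records why `2.34-83.12.el9_3.security.0.6` was never released ("we refocused on 9.4"), and the removed May 20 entry is the only place that records that 9.4's `2.34-100` "was still missing the iconv and nscd security fixes, so our addition of those is still relevant"; if these entries are dropped from the news, that rationale should be carried into packages/glibc.md, because the glibc change log otherwise gives no reason for keeping a local CVE-2024-2961 patch after a rebase on a release that might be expected to include it. The removal of the CVE-2024-1086 line ("updated to refer to EL9 fix") in this hunk matches the kernel status page reverting to "Affected" in the hunk above, so both files move in the same direction, which confirms that the head is the older state.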


@ -2,8 +2,8 @@
## EL9 ## EL9
- Version `2.34-100.el9_4.security.0.8` - Version `2.34-83.12.el9_3.security.0.5`
- Based on `2.34-100.el9` - Based on `2.34-83.el9.12`
### Changes summary ### Changes summary
@ -17,8 +17,6 @@
#### Known-effective vulnerability mitigations and fixes #### Known-effective vulnerability mitigations and fixes
`2.34-83.12.el9_3.security.0.6` includes nscd CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 fixes from upstream glibc 2.34 branch.
`2.34-83.12.el9_3.security.0.5` includes `iconv(3)` ISO-2022-CN-EXT [CVE-2024-2961](../issues/CVE-2024-2961.md) fix from upstream glibc 2.34 branch. `2.34-83.12.el9_3.security.0.5` includes `iconv(3)` ISO-2022-CN-EXT [CVE-2024-2961](../issues/CVE-2024-2961.md) fix from upstream glibc 2.34 branch.
`2.34-60.el9_2.security.0.2` included mitigations sufficient to avoid security exposure of [CVE-2023-4911](../issues/CVE-2023-4911.md) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL. In the update to `2.34-60.7.el9_2.security.0.3` and beyond, we retained the mitigations while rebasing on upstream EL's package with upstream fixes for these vulnerabilities (and more). `2.34-60.el9_2.security.0.2` included mitigations sufficient to avoid security exposure of [CVE-2023-4911](../issues/CVE-2023-4911.md) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL. In the update to `2.34-60.7.el9_2.security.0.3` and beyond, we retained the mitigations while rebasing on upstream EL's package with upstream fixes for these vulnerabilities (and more).
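Review bot: dropping the `2.34-83.12.el9_3.security.0.6` line removes the only summary entry for the nscd CVE-2024-33599 through CVE-2024-33602 fixes, which is consistent with the head side's Version being `...security.0.5`; on the base side, however, the summary still stops at 0.6 while the change log below lists 0.7 (nscd "Use time_t for return type of addgetnetgrentX") and 0.8 (rebase on 2.34-100), so the "Known-effective vulnerability mitigations and fixes" section is out of step with the change log on whichever side is retained; add one line per retained version stating which fixes it carries, as the 0.5 and 0.2/0.3 lines already do.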
@ -28,16 +26,6 @@ In general, inclusion of additional security fixes will be "reverted" if and whe
### Change log ### Change log
``` ```
* Mon May 20 2024 Solar Designer <solar@openwall.com> - 2.34-100.el9.security.0.8
- Rebase on 2.34-100
* Tue May 07 2024 Solar Designer <solar@openwall.com> - 2.34-83.12.el9.security.0.7
- Upstream glibc 2.34 fix "nscd: Use time_t for return type of addgetnetgrentX"
* Tue Apr 30 2024 Solar Designer <solar@openwall.com> - 2.34-83.12.el9.security.0.6
- Add nscd CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 fixes
from upstream glibc 2.34 branch
* Thu Apr 18 2024 Solar Designer <solar@openwall.com> - 2.34-83.12.el9.security.0.5 * Thu Apr 18 2024 Solar Designer <solar@openwall.com> - 2.34-83.12.el9.security.0.5
- Rebase on 2.34-83.12 - Rebase on 2.34-83.12
- Add iconv() ISO-2022-CN-EXT CVE-2024-2961 fix from upstream glibc 2.34 branch - Add iconv() ISO-2022-CN-EXT CVE-2024-2961 fix from upstream glibc 2.34 branch
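Review bot: the 0.8 entry "Rebase on 2.34-100" does not say what happened to the local iconv CVE-2024-2961 and nscd CVE-2024-33599 to CVE-2024-33602 patches added in 0.5 and 0.6; the 0.3 entry further down ("drop "our" CVE-2023-4527 patch in favor of RH's") shows the convention for recording this, so the 0.8 entry should state explicitly that those patches were retained because 2.34-100 still lacks the fixes (which is what the news file says), e.g. "- Rebase on 2.34-100, keep our iconv and nscd CVE fixes not yet in RH's package". The 0.7 entry cites only the upstream commit title; say whether it is a follow-up to the 0.6 nscd fixes or a separate issue, since a reader of this file cannot tell from the title alone.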
@ -58,6 +46,11 @@ In general, inclusion of additional security fixes will be "reverted" if and whe
[... upstream changes ...] [... upstream changes ...]
* Fri Oct 6 2023 Solar Designer <solar@openwall.com> - 2.34-60.7.el9.security.0.3
- Rebase on 2.34-60.7, drop "our" CVE-2023-4527 patch in favor of RH's
[... upstream changes ...]
* Mon Oct 2 2023 Solar Designer <solar@openwall.com> - 2.34-60.el9.security.0.2 * Mon Oct 2 2023 Solar Designer <solar@openwall.com> - 2.34-60.el9.security.0.2
- Add glibc-owl-alt-sanitize-env.patch stitched from several ALT Linux commits - Add glibc-owl-alt-sanitize-env.patch stitched from several ALT Linux commits
as none of their revisions matched this package's set of backports as-is as none of their revisions matched this package's set of backports as-is
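Review bot: the head side adds the Oct 6 2023 `2.34-60.7.el9.security.0.3` entry ("Rebase on 2.34-60.7, drop "our" CVE-2023-4527 patch in favor of RH's") between two "[... upstream changes ...]" elisions, while the base side's change log jumps from the elision straight to the Oct 2 2023 0.2 entry; the base side's summary (the `2.34-60.7.el9_2.security.0.3` sentence in the hunk above) refers to that 0.3 release, so on the base side the excerpt is missing a release its own summary relies on. On the head side, check that the second "[... upstream changes ...]" marker, placed between the local 0.3 and 0.2 entries, really stands for upstream's 2.34-60.7 entries and is not an accidental duplicate of the marker above it.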


@ -2,8 +2,8 @@
## EL9 ## EL9
- Version `8.7p1-38.el9_4.security.0.4` - Version `8.7p1-34.3.el9_3.security.0.3`
- Based on `8.7p1-38.el9` - Based on `8.7p1-34.el9_3.3`
### Changes summary ### Changes summary
@ -13,9 +13,6 @@
### Change log ### Change log
``` ```
* Mon May 20 2024 Solar Designer <solar@openwall.com> 8.7p1-38.el9_4.security.0.4
- Rebase on 8.7p1-38
* Sat Mar 16 2024 Solar Designer <solar@openwall.com> 8.7p1-34.3.el9_3.security.0.3 * Sat Mar 16 2024 Solar Designer <solar@openwall.com> 8.7p1-34.3.el9_3.security.0.3
- Comment out GSSAPI* lines in /etc/ssh/ssh*_config.d/50-redhat.conf and patch - Comment out GSSAPI* lines in /etc/ssh/ssh*_config.d/50-redhat.conf and patch
the code to silently ignore GSSAPIKexAlgorithms when unsupported (like it is the code to silently ignore GSSAPIKexAlgorithms when unsupported (like it is
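Review bot: the new 0.4 entry "Rebase on 8.7p1-38" does not record whether the 0.3 changes it sits on top of (GSSAPI* lines commented out in /etc/ssh/ssh*_config.d/50-redhat.conf and the patch to silently ignore GSSAPIKexAlgorithms when unsupported) are still applied on 8.7p1-38 or were dropped because RH's package now handles them, which is exactly what a reader checking the "Version"/"Based on" header above needs to know; mirror the glibc 0.3 entry's style and state which local patches were kept or dropped. The 0.4 line also omits the " - " separator between the e-mail address and the version that the glibc change log in this same compare uses; the 0.3 line has the same omission, so make the two files consistent one way or the other.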