Compare commits


No commits in common. "main" and "update/cve-2024-6387" have entirely different histories.

6 changed files with 21 additions and 84 deletions

View File

@ -34,9 +34,9 @@ This isn't as secure as checking the package signature would be _if_ you previou
### Note ### Note
Regardless of whether installing on Rocky or another EL distribution, the `security-common` repository for EL9 comes disabled by default out of abundance of caution because of the packages contained within the repository that override the base Rocky Linux packages. Regardless of whether installing on Rocky or another EL distribution, the `security-common` repository comes disabled by default out of an abundance of caution because of the packages contained within the repository which override the base Rocky Linux packages.
In order to receive packages from the SIG, either enable the repository (`dnf config-manager --enable security-common`), or activate for a single DNF transaction with `dnf --enablerepo=security-common install <package>`. In order to receive packages from the SIG, either enable the repository (`dnf config-mangager --enable security-common`), or activate for a single DNF transaction with `dnf --enablerepo=security-common install <package>`.
## Packages ## Packages
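Review bot: the head (right-hand) column of the `dnf config-manager` line misspells the subcommand as `config-mangager`, which `dnf` will reject, and the preceding line drops the "for EL9" qualifier that says which release's `security-common` repository is disabled by default; keep the base wording `dnf config-manager --enable security-common` and "the `security-common` repository for EL9", taking only the "an abundance of caution" grammar fix from the head side. Since the two refs have no commits in common, this compare shows the branch reverting everything main has added, so the fixes should be rebased onto main rather than applied as shown.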

View File

@ -1,29 +0,0 @@
# CVE-2024-6409: openssh
## Title
CVE-2024-6409: OpenSSH: Possible remote code execution in privsep child due to a race condition in signal handling
## Summary
As [discovered by Solar Designer (CIQ/Rocky Linux)](https://www.openwall.com/lists/oss-security/2024/07/08/2):
OpenSSH versions 8.7 and 8.8 and the corresponding portable releases call `cleanup_exit()` from `grace_alarm_handler()` when running in the privsep child process. `cleanup_exit()` was not meant to be called from a signal handler and may call other async-signal-unsafe functions. The current understanding is that in those upstream versions `cleanup_exit()` would not actually call async-signal-unsafe functions under those conditions, but with downstream distribution patches it sometimes does. Specifically, openssh-7.6p1-audit.patch found in Red Hat's package of OpenSSH adds code to `cleanup_exit()` that exposes the issue. Relevantly, this patch is found in EL 9, where the package is based on OpenSSH 8.7p1.
This is an EL9-specific issue similar to [CVE-2024-6387 regreSSHion](CVE-2024-6387.md).
Public disclosure date: July 8, 2024
## EL9
- Fixed in version: `8.7p1-38.1.el9_4.security.0.7` available July 8, 2024
## EL8
- Unaffected
## Mitigation
Set `LoginGraceTime 0` in `/etc/ssh/sshd_config` and do a `systemctl restart sshd`.
A drawback of this mitigation is that it will make the SSH server more susceptible to denial of service attacks.
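Review bot: this hunk deletes `CVE-2024-6409.md` outright (`-1,29 +0,0`), which removes the only page recording the fixed version `8.7p1-38.1.el9_4.security.0.7`, the EL8 "Unaffected" status and the `LoginGraceTime 0` mitigation with its denial-of-service trade-off; the branch predates the July 8, 2024 advisory, so the file should be kept by rebasing the branch on main instead of merging a deletion of it.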

View File

@ -2,25 +2,6 @@
These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits. These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
## November 23, 2024
[glibc](packages/glibc.md) and [openssh](packages/openssh.md) rebased on EL 9.5's,
[lkrg](packages/lkrg.md) (Linux Kernel Runtime Guard) rebuilt for EL 9.5.
## October 23, 2024
[lkrg](packages/lkrg.md) (Linux Kernel Runtime Guard) is updated to version 0.9.9, built for both EL 9.4 and 8.10.
## August 7, 2024
[openssh](packages/openssh.md) `8.7p1-38.4.el9_4.security.0.9` for EL9 is a rebase on RH's release with a CVE-2024-6409 fix,
plus a further change of our own to suppress warnings about unsupported GSSAPI on systems configured for FIPS crypto-policy.
## July 8, 2024
[openssh](packages/openssh.md) `8.7p1-38.1.el9_4.security.0.7` for EL9 adds a fix for [CVE-2024-6409](issues/CVE-2024-6409.md),
an EL9-specific issue similar to [CVE-2024-6387 regreSSHion](issues/CVE-2024-6387.md).
## July 1, 2024 ## July 1, 2024
[openssh](packages/openssh.md) `8.7p1-38.el9_4.security.0.5` for EL9 adds a fix for [CVE-2024-6387 regreSSHion](issues/CVE-2024-6387.md). [openssh](packages/openssh.md) `8.7p1-38.el9_4.security.0.5` for EL9 adds a fix for [CVE-2024-6387 regreSSHion](issues/CVE-2024-6387.md).
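Review bot: the head side removes four news entries (November 23, October 23, August 7 and July 8, 2024), including the record of the CVE-2024-6409 fix and the GSSAPI warning suppression change; news items are history that a branch should only append to, so these lines must be restored before this branch is merged.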

View File

@ -2,8 +2,8 @@
## EL9 ## EL9
- Version `2.34-125.1.el9_5.security.0.10` - Version `2.34-100.2.el9_4.security.0.9`
- Based on `2.34-125.el9_5.1` - Based on `2.34-100.el9_4.2`
### Changes summary ### Changes summary
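Review bot: the head side moves the EL9 version backwards, from `2.34-125.1.el9_5.security.0.10` based on `2.34-125.el9_5.1` to `2.34-100.2.el9_4.security.0.9` based on `2.34-100.el9_4.2`; the Version and "Based on" lines must match the newest change log entry, otherwise readers are told an older package is current.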
@ -17,9 +17,9 @@
#### Known-effective vulnerability mitigations and fixes #### Known-effective vulnerability mitigations and fixes
`2.34-83.12.el9_3.security.0.6` and above includes nscd CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 fixes from upstream glibc 2.34 branch, which upstream EL also included starting with `2.34-100.el9_4.2`. `2.34-83.12.el9_3.security.0.6` and above includes nscd CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 fixes from upstream glibc 2.34 branch, which upstream also included starting with `2.34-100.el9_4.2`.
`2.34-83.12.el9_3.security.0.5` and above includes `iconv(3)` ISO-2022-CN-EXT [CVE-2024-2961](../issues/CVE-2024-2961.md) fix from upstream glibc 2.34 branch, which upstream EL also included starting with `2.34-100.el9_4.2`. `2.34-83.12.el9_3.security.0.5` and above includes `iconv(3)` ISO-2022-CN-EXT [CVE-2024-2961](../issues/CVE-2024-2961.md) fix from upstream glibc 2.34 branch, which upstream also included starting with `2.34-100.el9_4.2`.
`2.34-60.el9_2.security.0.2` included mitigations sufficient to avoid security exposure of [CVE-2023-4911](../issues/CVE-2023-4911.md) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL. In the update to `2.34-60.7.el9_2.security.0.3` and beyond, we retained the mitigations while rebasing on upstream EL's package with upstream fixes for these vulnerabilities (and more). `2.34-60.el9_2.security.0.2` included mitigations sufficient to avoid security exposure of [CVE-2023-4911](../issues/CVE-2023-4911.md) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL. In the update to `2.34-60.7.el9_2.security.0.3` and beyond, we retained the mitigations while rebasing on upstream EL's package with upstream fixes for these vulnerabilities (and more).
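Review bot: in the first two paragraphs the head side changes "which upstream EL also included" to "which upstream also included", but each of those sentences already uses "upstream" for the glibc 2.34 branch, so the shortened form leaves it unclear whether the fix landed in glibc or in EL; keep "upstream EL" as on the base side.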
@ -28,12 +28,11 @@ In general, inclusion of additional security fixes will be "reverted" if and whe
### Change log ### Change log
``` ```
* Thu Nov 21 2024 Solar Designer <solar@openwall.com> - 2.34-125.1.el9.security.0.10
- Rebase on 2.34-125.1
* Thu Jun 13 2024 Solar Designer <solar@openwall.com> - 2.34-100.2.el9.security.0.9 * Thu Jun 13 2024 Solar Designer <solar@openwall.com> - 2.34-100.2.el9.security.0.9
- Rebase on 2.34-100.2 - Rebase on 2.34-100.2
[... upstream changes ...]
* Mon May 20 2024 Solar Designer <solar@openwall.com> - 2.34-100.el9.security.0.8 * Mon May 20 2024 Solar Designer <solar@openwall.com> - 2.34-100.el9.security.0.8
- Rebase on 2.34-100 - Rebase on 2.34-100
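Review bot: the head side drops the newest change log entry, `* Thu Nov 21 2024 ... 2.34-125.1.el9.security.0.10` with its `- Rebase on 2.34-125.1` line, which must be kept; the added `[... upstream changes ...]` marker after `- Rebase on 2.34-100.2` is a reasonable way to elide RH's entries, but since it sits inside the fenced change log it is rendered literally, so use the same marker after every "Rebase on" line rather than only some of them.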
@ -48,6 +47,8 @@ In general, inclusion of additional security fixes will be "reverted" if and whe
- Rebase on 2.34-83.12 - Rebase on 2.34-83.12
- Add iconv() ISO-2022-CN-EXT CVE-2024-2961 fix from upstream glibc 2.34 branch - Add iconv() ISO-2022-CN-EXT CVE-2024-2961 fix from upstream glibc 2.34 branch
[... upstream changes ...]
* Wed Jan 31 2024 Solar Designer <solar@openwall.com> - 2.34-83.7.el9.security.0.4 * Wed Jan 31 2024 Solar Designer <solar@openwall.com> - 2.34-83.7.el9.security.0.4
- Harden syslog ident fallback initialization to use at most 64 characters of - Harden syslog ident fallback initialization to use at most 64 characters of
__progname when __libc_enable_secure, as inspired by Qualys' discovery of __progname when __libc_enable_secure, as inspired by Qualys' discovery of
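Review bot: the hunk header `-48,6 +47,8` records two added lines but only `[... upstream changes ...]` is visible after the CVE-2024-2961 line, so the second addition is presumably a blank line; confirm it is intentional, because a stray blank line inside the fenced change log breaks the one-stanza-per-release layout of the surrounding entries.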
@ -60,6 +61,8 @@ In general, inclusion of additional security fixes will be "reverted" if and whe
- Rebase on 2.34-83.7, drop "our" CVE-2023-4527 patch in favor of RH's - Rebase on 2.34-83.7, drop "our" CVE-2023-4527 patch in favor of RH's
(a similar rebase was made on Oct 6 in 2.34-60.7.el9.security.0.3 for 9.2) (a similar rebase was made on Oct 6 in 2.34-60.7.el9.security.0.3 for 9.2)
[... upstream changes ...]
* Mon Oct 2 2023 Solar Designer <solar@openwall.com> - 2.34-60.el9.security.0.2 * Mon Oct 2 2023 Solar Designer <solar@openwall.com> - 2.34-60.el9.security.0.2
- Add glibc-owl-alt-sanitize-env.patch stitched from several ALT Linux commits - Add glibc-owl-alt-sanitize-env.patch stitched from several ALT Linux commits
as none of their revisions matched this package's set of backports as-is as none of their revisions matched this package's set of backports as-is

View File

@ -2,13 +2,13 @@
## EL9 ## EL9
- Version `0.9.9-1.el9_5.security` - Version `0.9.8-2.el9_4.security`
- Based on upstream version `0.9.9` - Based on upstream version `0.9.8`
## EL8 ## EL8
- Version `0.9.9-1.el8_10.security` - Version `0.9.8-2.el8_10.security`
- Based on upstream version `0.9.9` - Based on upstream version `0.9.8`
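Review bot: the head side downgrades both EL9 and EL8 from `0.9.9-1.el9_5.security` / `0.9.9-1.el8_10.security` (upstream `0.9.9`) to the `0.9.8-2` builds (upstream `0.9.8`); the version and "Based on upstream version" lines should track the most recent change log entry, so the `0.9.9` lines on the base side are the correct ones.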
### Package summary ### Package summary
@ -18,7 +18,7 @@ More information is available on the [LKRG homepage](https://lkrg.org) and in th
### Usage in Rocky Linux ### Usage in Rocky Linux
Due to EL's kABI stability and the `weak-modules` mechanism, which this package uses, the same binary package of LKRG usually works across different kernel revisions/builds within the same EL minor release (e.g., 9.5). Once there's a new minor release (e.g., 9.5 is upgraded to 9.6), we'll provide a new build of LKRG accordingly. Due to EL's kABI stability and the `weak-modules` mechanism, which this package uses, the same binary package of LKRG usually works across different kernel revisions/builds within the same EL minor release (e.g., 9.4). Once there's a new minor release (e.g., 9.4 is upgraded to 9.5), we'll provide a new build of LKRG accordingly.
Installing the package does not automatically start LKRG nor enable it to start on system bootup. To start LKRG please use: Installing the package does not automatically start LKRG nor enable it to start on system bootup. To start LKRG please use:
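Review bot: the "(e.g., 9.5)" and "(e.g., 9.5 is upgraded to 9.6)" examples are swapped back to 9.4/9.5 on the head side; these examples are tied to the minor release the package was built for and have to move together with the Version lines, so either keep them in step with the base side or reword the paragraph without a specific minor release so it does not need editing on every rebase.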
@ -34,7 +34,7 @@ systemctl enable lkrg
### Testing and recovery ### Testing and recovery
Although the current package passed our own testing (on 9.5 and 8.10), we recommend that you only enable LKRG to start on system bootup after you've tested it for a while to ensure its compatibility with your system. If you nevertheless run into a boot time issue with LKRG later, you can disable it with the `nolkrg` kernel command-line option. Although the current package passed our own testing (on 9.4 and 8.10), we recommend that you only enable LKRG to start on system bootup after you've tested it for a while to ensure its compatibility with your system. If you nevertheless run into a boot time issue with LKRG later, you can disable it with the `nolkrg` kernel command-line option.
### Remote logging ### Remote logging
@ -45,9 +45,6 @@ Documentation is also included in there, in `/usr/share/doc/lkrg-logger/LOGGING`
### Change log ### Change log
``` ```
* Wed Oct 23 2024 Solar Designer <solar@openwall.com> 0.9.9-1
- Update to 0.9.9
* Wed May 22 2024 Solar Designer <solar@openwall.com> 0.9.8-2 * Wed May 22 2024 Solar Designer <solar@openwall.com> 0.9.8-2
- Pass direct kernel-devel's build path into make - Pass direct kernel-devel's build path into make
- Drop "BuildRequires: kernel" as we no longer need /lib/modules/*/build - Drop "BuildRequires: kernel" as we no longer need /lib/modules/*/build
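Review bot: the head side removes the `* Wed Oct 23 2024 ... 0.9.9-1` / `- Update to 0.9.9` entry, which is the change that the base side's Version lines and the October 23, 2024 news item describe; keep this entry so the change log and the package version stay consistent.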

View File

@ -2,33 +2,18 @@
## EL9 ## EL9
- Version `8.7p1-43.el9_5.security.0.10` - Version `8.7p1-38.el9_4.security.0.5`
- Based on `8.7p1-43.el9` - Based on `8.7p1-38.el9`
### Changes summary ### Changes summary
- Instead of linking against `libsystemd`, load it dynamically in a temporary child process to avoid polluting actual `sshd`'s address space with that library and its many dependencies (shortens `ldd sshd` output from 28 to 20 lines) - Instead of linking against `libsystemd`, load it dynamically in a temporary child process to avoid polluting actual `sshd`'s address space with that library and its many dependencies (shortens `ldd sshd` output from 28 to 20 lines)
- Build without Kerberos support (further shortens `ldd sshd` from 20 to 13 lines) - Build without Kerberos support (further shortens `ldd sshd` from 20 to 13 lines)
- Fix [CVE-2024-6409](../issues/CVE-2024-6409.md) - Fix CVE-2024-6387 regreSSHion
### Change log ### Change log
``` ```
* Thu Nov 21 2024 Solar Designer <solar@openwall.com> 8.7p1-43.el9_5.security.0.10
- Rebase on 8.7p1-43
* Wed Jul 17 2024 Solar Designer <solar@openwall.com> 8.7p1-38.4.el9_4.security.0.9
- Patch the code to silently ignore GSSAPIKeyExchange when unsupported
* Wed Jul 17 2024 Solar Designer <solar@openwall.com> 8.7p1-38.4.el9_4.security.0.8
- Rebase on 8.7p1-38.4
* Mon Jul 08 2024 Solar Designer <solar@openwall.com> 8.7p1-38.1.el9_4.security.0.7
- Fix CVE-2024-6409
* Mon Jul 08 2024 Solar Designer <solar@openwall.com> 8.7p1-38.1.el9_4.security.0.6
- Rebase on 8.7p1-38.1
* Mon Jul 01 2024 Solar Designer <solar@openwall.com> 8.7p1-38.el9_4.security.0.5 * Mon Jul 01 2024 Solar Designer <solar@openwall.com> 8.7p1-38.el9_4.security.0.5
- Fix CVE-2024-6387 regreSSHion - Fix CVE-2024-6387 regreSSHion
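Review bot: the head side reverts the EL9 version to `8.7p1-38.el9_4.security.0.5` (based on `8.7p1-38.el9`) and drops every change log entry after July 1, 2024, including `- Fix CVE-2024-6409` and the `8.7p1-43.el9_5.security.0.10` rebase, so merging it would document an older package as current; in the changes summary the head side's `- Fix CVE-2024-6387 regreSSHion` also lacks the issue link that the base side's `[CVE-2024-6409](../issues/CVE-2024-6409.md)` line has, and the news file links `issues/CVE-2024-6387.md`, so link it as `[CVE-2024-6387 regreSSHion](../issues/CVE-2024-6387.md)`.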