generated from sig_core/wiki-template
Compare commits
No commits in common. "main" and "update/cve-2024-6387" have entirely different histories.
main
...
update/cve
@ -34,9 +34,9 @@ This isn't as secure as checking the package signature would be _if_ you previou
|
|||||||
|
|
||||||
### Note
|
### Note
|
||||||
|
|
||||||
Regardless of whether installing on Rocky or another EL distribution, the `security-common` repository for EL9 comes disabled by default out of abundance of caution because of the packages contained within the repository that override the base Rocky Linux packages.
|
Regardless of whether installing on Rocky or another EL distribution, the `security-common` repository comes disabled by default out of an abundance of caution because of the packages contained within the repository which override the base Rocky Linux packages.
|
||||||
|
|
||||||
In order to receive packages from the SIG, either enable the repository (`dnf config-manager --enable security-common`), or activate for a single DNF transaction with `dnf --enablerepo=security-common install <package>`.
|
In order to receive packages from the SIG, either enable the repository (`dnf config-mangager --enable security-common`), or activate for a single DNF transaction with `dnf --enablerepo=security-common install <package>`.
|
||||||
|
|
||||||
## Packages
|
## Packages
|
||||||
|
|
||||||
|
@ -1,29 +0,0 @@
|
|||||||
# CVE-2024-6409: openssh
|
|
||||||
|
|
||||||
## Title
|
|
||||||
|
|
||||||
CVE-2024-6409: OpenSSH: Possible remote code execution in privsep child due to a race condition in signal handling
|
|
||||||
|
|
||||||
## Summary
|
|
||||||
|
|
||||||
As [discovered by Solar Designer (CIQ/Rocky Linux)](https://www.openwall.com/lists/oss-security/2024/07/08/2):
|
|
||||||
|
|
||||||
OpenSSH versions 8.7 and 8.8 and the corresponding portable releases call `cleanup_exit()` from `grace_alarm_handler()` when running in the privsep child process. `cleanup_exit()` was not meant to be called from a signal handler and may call other async-signal-unsafe functions. The current understanding is that in those upstream versions `cleanup_exit()` would not actually call async-signal-unsafe functions under those conditions, but with downstream distribution patches it sometimes does. Specifically, openssh-7.6p1-audit.patch found in Red Hat's package of OpenSSH adds code to `cleanup_exit()` that exposes the issue. Relevantly, this patch is found in EL 9, where the package is based on OpenSSH 8.7p1.
|
|
||||||
|
|
||||||
This is an EL9-specific issue similar to [CVE-2024-6387 regreSSHion](CVE-2024-6387.md).
|
|
||||||
|
|
||||||
Public disclosure date: July 8, 2024
|
|
||||||
|
|
||||||
## EL9
|
|
||||||
|
|
||||||
- Fixed in version: `8.7p1-38.1.el9_4.security.0.7` available July 8, 2024
|
|
||||||
|
|
||||||
## EL8
|
|
||||||
|
|
||||||
- Unaffected
|
|
||||||
|
|
||||||
## Mitigation
|
|
||||||
|
|
||||||
Set `LoginGraceTime 0` in `/etc/ssh/sshd_config` and do a `systemctl restart sshd`.
|
|
||||||
|
|
||||||
A drawback of this mitigation is that it will make the SSH server more susceptible to denial of service attacks.
|
|
19
docs/news.md
19
docs/news.md
@ -2,25 +2,6 @@
|
|||||||
|
|
||||||
These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
|
These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
|
||||||
|
|
||||||
## November 23, 2024
|
|
||||||
|
|
||||||
[glibc](packages/glibc.md) and [openssh](packages/openssh.md) rebased on EL 9.5's,
|
|
||||||
[lkrg](packages/lkrg.md) (Linux Kernel Runtime Guard) rebuilt for EL 9.5.
|
|
||||||
|
|
||||||
## October 23, 2024
|
|
||||||
|
|
||||||
[lkrg](packages/lkrg.md) (Linux Kernel Runtime Guard) is updated to version 0.9.9, built for both EL 9.4 and 8.10.
|
|
||||||
|
|
||||||
## August 7, 2024
|
|
||||||
|
|
||||||
[openssh](packages/openssh.md) `8.7p1-38.4.el9_4.security.0.9` for EL9 is a rebase on RH's release with a CVE-2024-6409 fix,
|
|
||||||
plus a further change of our own to suppress warnings about unsupported GSSAPI on systems configured for FIPS crypto-policy.
|
|
||||||
|
|
||||||
## July 8, 2024
|
|
||||||
|
|
||||||
[openssh](packages/openssh.md) `8.7p1-38.1.el9_4.security.0.7` for EL9 adds a fix for [CVE-2024-6409](issues/CVE-2024-6409.md),
|
|
||||||
an EL9-specific issue similar to [CVE-2024-6387 regreSSHion](issues/CVE-2024-6387.md).
|
|
||||||
|
|
||||||
## July 1, 2024
|
## July 1, 2024
|
||||||
|
|
||||||
[openssh](packages/openssh.md) `8.7p1-38.el9_4.security.0.5` for EL9 adds a fix for [CVE-2024-6387 regreSSHion](issues/CVE-2024-6387.md).
|
[openssh](packages/openssh.md) `8.7p1-38.el9_4.security.0.5` for EL9 adds a fix for [CVE-2024-6387 regreSSHion](issues/CVE-2024-6387.md).
|
||||||
|
@ -2,8 +2,8 @@
|
|||||||
|
|
||||||
## EL9
|
## EL9
|
||||||
|
|
||||||
- Version `2.34-125.1.el9_5.security.0.10`
|
- Version `2.34-100.2.el9_4.security.0.9`
|
||||||
- Based on `2.34-125.el9_5.1`
|
- Based on `2.34-100.el9_4.2`
|
||||||
|
|
||||||
### Changes summary
|
### Changes summary
|
||||||
|
|
||||||
@ -17,9 +17,9 @@
|
|||||||
|
|
||||||
#### Known-effective vulnerability mitigations and fixes
|
#### Known-effective vulnerability mitigations and fixes
|
||||||
|
|
||||||
`2.34-83.12.el9_3.security.0.6` and above includes nscd CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 fixes from upstream glibc 2.34 branch, which upstream EL also included starting with `2.34-100.el9_4.2`.
|
`2.34-83.12.el9_3.security.0.6` and above includes nscd CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 fixes from upstream glibc 2.34 branch, which upstream also included starting with `2.34-100.el9_4.2`.
|
||||||
|
|
||||||
`2.34-83.12.el9_3.security.0.5` and above includes `iconv(3)` ISO-2022-CN-EXT [CVE-2024-2961](../issues/CVE-2024-2961.md) fix from upstream glibc 2.34 branch, which upstream EL also included starting with `2.34-100.el9_4.2`.
|
`2.34-83.12.el9_3.security.0.5` and above includes `iconv(3)` ISO-2022-CN-EXT [CVE-2024-2961](../issues/CVE-2024-2961.md) fix from upstream glibc 2.34 branch, which upstream also included starting with `2.34-100.el9_4.2`.
|
||||||
|
|
||||||
`2.34-60.el9_2.security.0.2` included mitigations sufficient to avoid security exposure of [CVE-2023-4911](../issues/CVE-2023-4911.md) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL. In the update to `2.34-60.7.el9_2.security.0.3` and beyond, we retained the mitigations while rebasing on upstream EL's package with upstream fixes for these vulnerabilities (and more).
|
`2.34-60.el9_2.security.0.2` included mitigations sufficient to avoid security exposure of [CVE-2023-4911](../issues/CVE-2023-4911.md) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL. In the update to `2.34-60.7.el9_2.security.0.3` and beyond, we retained the mitigations while rebasing on upstream EL's package with upstream fixes for these vulnerabilities (and more).
|
||||||
|
|
||||||
@ -28,12 +28,11 @@ In general, inclusion of additional security fixes will be "reverted" if and whe
|
|||||||
### Change log
|
### Change log
|
||||||
|
|
||||||
```
|
```
|
||||||
* Thu Nov 21 2024 Solar Designer <solar@openwall.com> - 2.34-125.1.el9.security.0.10
|
|
||||||
- Rebase on 2.34-125.1
|
|
||||||
|
|
||||||
* Thu Jun 13 2024 Solar Designer <solar@openwall.com> - 2.34-100.2.el9.security.0.9
|
* Thu Jun 13 2024 Solar Designer <solar@openwall.com> - 2.34-100.2.el9.security.0.9
|
||||||
- Rebase on 2.34-100.2
|
- Rebase on 2.34-100.2
|
||||||
|
|
||||||
|
[... upstream changes ...]
|
||||||
|
|
||||||
* Mon May 20 2024 Solar Designer <solar@openwall.com> - 2.34-100.el9.security.0.8
|
* Mon May 20 2024 Solar Designer <solar@openwall.com> - 2.34-100.el9.security.0.8
|
||||||
- Rebase on 2.34-100
|
- Rebase on 2.34-100
|
||||||
|
|
||||||
@ -48,6 +47,8 @@ In general, inclusion of additional security fixes will be "reverted" if and whe
|
|||||||
- Rebase on 2.34-83.12
|
- Rebase on 2.34-83.12
|
||||||
- Add iconv() ISO-2022-CN-EXT CVE-2024-2961 fix from upstream glibc 2.34 branch
|
- Add iconv() ISO-2022-CN-EXT CVE-2024-2961 fix from upstream glibc 2.34 branch
|
||||||
|
|
||||||
|
[... upstream changes ...]
|
||||||
|
|
||||||
* Wed Jan 31 2024 Solar Designer <solar@openwall.com> - 2.34-83.7.el9.security.0.4
|
* Wed Jan 31 2024 Solar Designer <solar@openwall.com> - 2.34-83.7.el9.security.0.4
|
||||||
- Harden syslog ident fallback initialization to use at most 64 characters of
|
- Harden syslog ident fallback initialization to use at most 64 characters of
|
||||||
__progname when __libc_enable_secure, as inspired by Qualys' discovery of
|
__progname when __libc_enable_secure, as inspired by Qualys' discovery of
|
||||||
@ -60,6 +61,8 @@ In general, inclusion of additional security fixes will be "reverted" if and whe
|
|||||||
- Rebase on 2.34-83.7, drop "our" CVE-2023-4527 patch in favor of RH's
|
- Rebase on 2.34-83.7, drop "our" CVE-2023-4527 patch in favor of RH's
|
||||||
(a similar rebase was made on Oct 6 in 2.34-60.7.el9.security.0.3 for 9.2)
|
(a similar rebase was made on Oct 6 in 2.34-60.7.el9.security.0.3 for 9.2)
|
||||||
|
|
||||||
|
[... upstream changes ...]
|
||||||
|
|
||||||
* Mon Oct 2 2023 Solar Designer <solar@openwall.com> - 2.34-60.el9.security.0.2
|
* Mon Oct 2 2023 Solar Designer <solar@openwall.com> - 2.34-60.el9.security.0.2
|
||||||
- Add glibc-owl-alt-sanitize-env.patch stitched from several ALT Linux commits
|
- Add glibc-owl-alt-sanitize-env.patch stitched from several ALT Linux commits
|
||||||
as none of their revisions matched this package's set of backports as-is
|
as none of their revisions matched this package's set of backports as-is
|
||||||
|
@ -2,13 +2,13 @@
|
|||||||
|
|
||||||
## EL9
|
## EL9
|
||||||
|
|
||||||
- Version `0.9.9-1.el9_5.security`
|
- Version `0.9.8-2.el9_4.security`
|
||||||
- Based on upstream version `0.9.9`
|
- Based on upstream version `0.9.8`
|
||||||
|
|
||||||
## EL8
|
## EL8
|
||||||
|
|
||||||
- Version `0.9.9-1.el8_10.security`
|
- Version `0.9.8-2.el8_10.security`
|
||||||
- Based on upstream version `0.9.9`
|
- Based on upstream version `0.9.8`
|
||||||
|
|
||||||
### Package summary
|
### Package summary
|
||||||
|
|
||||||
@ -18,7 +18,7 @@ More information is available on the [LKRG homepage](https://lkrg.org) and in th
|
|||||||
|
|
||||||
### Usage in Rocky Linux
|
### Usage in Rocky Linux
|
||||||
|
|
||||||
Due to EL's kABI stability and the `weak-modules` mechanism, which this package uses, the same binary package of LKRG usually works across different kernel revisions/builds within the same EL minor release (e.g., 9.5). Once there's a new minor release (e.g., 9.5 is upgraded to 9.6), we'll provide a new build of LKRG accordingly.
|
Due to EL's kABI stability and the `weak-modules` mechanism, which this package uses, the same binary package of LKRG usually works across different kernel revisions/builds within the same EL minor release (e.g., 9.4). Once there's a new minor release (e.g., 9.4 is upgraded to 9.5), we'll provide a new build of LKRG accordingly.
|
||||||
|
|
||||||
Installing the package does not automatically start LKRG nor enable it to start on system bootup. To start LKRG please use:
|
Installing the package does not automatically start LKRG nor enable it to start on system bootup. To start LKRG please use:
|
||||||
|
|
||||||
@ -34,7 +34,7 @@ systemctl enable lkrg
|
|||||||
|
|
||||||
### Testing and recovery
|
### Testing and recovery
|
||||||
|
|
||||||
Although the current package passed our own testing (on 9.5 and 8.10), we recommend that you only enable LKRG to start on system bootup after you've tested it for a while to ensure its compatibility with your system. If you nevertheless run into a boot time issue with LKRG later, you can disable it with the `nolkrg` kernel command-line option.
|
Although the current package passed our own testing (on 9.4 and 8.10), we recommend that you only enable LKRG to start on system bootup after you've tested it for a while to ensure its compatibility with your system. If you nevertheless run into a boot time issue with LKRG later, you can disable it with the `nolkrg` kernel command-line option.
|
||||||
|
|
||||||
### Remote logging
|
### Remote logging
|
||||||
|
|
||||||
@ -45,9 +45,6 @@ Documentation is also included in there, in `/usr/share/doc/lkrg-logger/LOGGING`
|
|||||||
### Change log
|
### Change log
|
||||||
|
|
||||||
```
|
```
|
||||||
* Wed Oct 23 2024 Solar Designer <solar@openwall.com> 0.9.9-1
|
|
||||||
- Update to 0.9.9
|
|
||||||
|
|
||||||
* Wed May 22 2024 Solar Designer <solar@openwall.com> 0.9.8-2
|
* Wed May 22 2024 Solar Designer <solar@openwall.com> 0.9.8-2
|
||||||
- Pass direct kernel-devel's build path into make
|
- Pass direct kernel-devel's build path into make
|
||||||
- Drop "BuildRequires: kernel" as we no longer need /lib/modules/*/build
|
- Drop "BuildRequires: kernel" as we no longer need /lib/modules/*/build
|
||||||
|
@ -2,33 +2,18 @@
|
|||||||
|
|
||||||
## EL9
|
## EL9
|
||||||
|
|
||||||
- Version `8.7p1-43.el9_5.security.0.10`
|
- Version `8.7p1-38.el9_4.security.0.5`
|
||||||
- Based on `8.7p1-43.el9`
|
- Based on `8.7p1-38.el9`
|
||||||
|
|
||||||
### Changes summary
|
### Changes summary
|
||||||
|
|
||||||
- Instead of linking against `libsystemd`, load it dynamically in a temporary child process to avoid polluting actual `sshd`'s address space with that library and its many dependencies (shortens `ldd sshd` output from 28 to 20 lines)
|
- Instead of linking against `libsystemd`, load it dynamically in a temporary child process to avoid polluting actual `sshd`'s address space with that library and its many dependencies (shortens `ldd sshd` output from 28 to 20 lines)
|
||||||
- Build without Kerberos support (further shortens `ldd sshd` from 20 to 13 lines)
|
- Build without Kerberos support (further shortens `ldd sshd` from 20 to 13 lines)
|
||||||
- Fix [CVE-2024-6409](../issues/CVE-2024-6409.md)
|
- Fix CVE-2024-6387 regreSSHion
|
||||||
|
|
||||||
### Change log
|
### Change log
|
||||||
|
|
||||||
```
|
```
|
||||||
* Thu Nov 21 2024 Solar Designer <solar@openwall.com> 8.7p1-43.el9_5.security.0.10
|
|
||||||
- Rebase on 8.7p1-43
|
|
||||||
|
|
||||||
* Wed Jul 17 2024 Solar Designer <solar@openwall.com> 8.7p1-38.4.el9_4.security.0.9
|
|
||||||
- Patch the code to silently ignore GSSAPIKeyExchange when unsupported
|
|
||||||
|
|
||||||
* Wed Jul 17 2024 Solar Designer <solar@openwall.com> 8.7p1-38.4.el9_4.security.0.8
|
|
||||||
- Rebase on 8.7p1-38.4
|
|
||||||
|
|
||||||
* Mon Jul 08 2024 Solar Designer <solar@openwall.com> 8.7p1-38.1.el9_4.security.0.7
|
|
||||||
- Fix CVE-2024-6409
|
|
||||||
|
|
||||||
* Mon Jul 08 2024 Solar Designer <solar@openwall.com> 8.7p1-38.1.el9_4.security.0.6
|
|
||||||
- Rebase on 8.7p1-38.1
|
|
||||||
|
|
||||||
* Mon Jul 01 2024 Solar Designer <solar@openwall.com> 8.7p1-38.el9_4.security.0.5
|
* Mon Jul 01 2024 Solar Designer <solar@openwall.com> 8.7p1-38.el9_4.security.0.5
|
||||||
- Fix CVE-2024-6387 regreSSHion
|
- Fix CVE-2024-6387 regreSSHion
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user