security/wiki
8
0
Fork 1
generated from sig_core/wiki-template
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: security:main
Branches Tags
security:main
security:gh-pages
security:update/cve-2024-6387
..
compare: security:update/cve-2024-6387
Branches Tags
security:gh-pages
security:main
security:update/cve-2024-6387

No commits in common. "main" and "update/cve-2024-6387" have entirely different histories.
main ... update/cve

6 changed files with 21 additions and 84 deletions
Show Stats Expand all files Collapse all files

4
docs/index.md
View File

@ -34,9 +34,9 @@ This isn't as secure as checking the package signature would be _if_ you previou
### Note
Regardless of whether installing on Rocky or another EL distribution, the `security-common` repository for EL9 comes disabled by default out of abundance of caution because of the packages contained within the repository that override the base Rocky Linux packages.
Regardless of whether installing on Rocky or another EL distribution, the `security-common` repository comes disabled by default out of an abundance of caution because of the packages contained within the repository which override the base Rocky Linux packages.
In order to receive packages from the SIG, either enable the repository (`dnf config-manager --enable security-common`), or activate for a single DNF transaction with `dnf --enablerepo=security-common install <package>`.
In order to receive packages from the SIG, either enable the repository (`dnf config-mangager --enable security-common`), or activate for a single DNF transaction with `dnf --enablerepo=security-common install <package>`.
## Packages

29
docs/issues/CVE-2024-6409.md
View File

@ -1,29 +0,0 @@
# CVE-2024-6409: openssh
## Title
CVE-2024-6409: OpenSSH: Possible remote code execution in privsep child due to a race condition in signal handling
## Summary
As [discovered by Solar Designer (CIQ/Rocky Linux)](https://www.openwall.com/lists/oss-security/2024/07/08/2):
OpenSSH versions 8.7 and 8.8 and the corresponding portable releases call `cleanup_exit()` from `grace_alarm_handler()` when running in the privsep child process. `cleanup_exit()` was not meant to be called from a signal handler and may call other async-signal-unsafe functions. The current understanding is that in those upstream versions `cleanup_exit()` would not actually call async-signal-unsafe functions under those conditions, but with downstream distribution patches it sometimes does. Specifically, openssh-7.6p1-audit.patch found in Red Hat's package of OpenSSH adds code to `cleanup_exit()` that exposes the issue. Relevantly, this patch is found in EL 9, where the package is based on OpenSSH 8.7p1.
This is an EL9-specific issue similar to [CVE-2024-6387 regreSSHion](CVE-2024-6387.md).
Public disclosure date: July 8, 2024
## EL9
- Fixed in version: `8.7p1-38.1.el9_4.security.0.7` available July 8, 2024
## EL8
- Unaffected
## Mitigation
Set `LoginGraceTime 0` in `/etc/ssh/sshd_config` and do a `systemctl restart sshd`.
A drawback of this mitigation is that it will make the SSH server more susceptible to denial of service attacks.

19
docs/news.md
View File

@ -2,25 +2,6 @@
These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
## November 23, 2024
[glibc](packages/glibc.md) and [openssh](packages/openssh.md) rebased on EL 9.5's,
[lkrg](packages/lkrg.md) (Linux Kernel Runtime Guard) rebuilt for EL 9.5.
## October 23, 2024
[lkrg](packages/lkrg.md) (Linux Kernel Runtime Guard) is updated to version 0.9.9, built for both EL 9.4 and 8.10.
## August 7, 2024
[openssh](packages/openssh.md) `8.7p1-38.4.el9_4.security.0.9` for EL9 is a rebase on RH's release with a CVE-2024-6409 fix,
plus a further change of our own to suppress warnings about unsupported GSSAPI on systems configured for FIPS crypto-policy.
## July 8, 2024
[openssh](packages/openssh.md) `8.7p1-38.1.el9_4.security.0.7` for EL9 adds a fix for [CVE-2024-6409](issues/CVE-2024-6409.md),
an EL9-specific issue similar to [CVE-2024-6387 regreSSHion](issues/CVE-2024-6387.md).
## July 1, 2024
[openssh](packages/openssh.md) `8.7p1-38.el9_4.security.0.5` for EL9 adds a fix for [CVE-2024-6387 regreSSHion](issues/CVE-2024-6387.md).

17
docs/packages/glibc.md
View File

@ -2,8 +2,8 @@
## EL9
- Version `2.34-125.1.el9_5.security.0.10`
- Based on `2.34-125.el9_5.1`
- Version `2.34-100.2.el9_4.security.0.9`
- Based on `2.34-100.el9_4.2`
### Changes summary
@ -17,9 +17,9 @@
#### Known-effective vulnerability mitigations and fixes
`2.34-83.12.el9_3.security.0.6` and above includes nscd CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 fixes from upstream glibc 2.34 branch, which upstream EL also included starting with `2.34-100.el9_4.2`.
`2.34-83.12.el9_3.security.0.6` and above includes nscd CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 fixes from upstream glibc 2.34 branch, which upstream also included starting with `2.34-100.el9_4.2`.
`2.34-83.12.el9_3.security.0.5` and above includes `iconv(3)` ISO-2022-CN-EXT [CVE-2024-2961](../issues/CVE-2024-2961.md) fix from upstream glibc 2.34 branch, which upstream EL also included starting with `2.34-100.el9_4.2`.
`2.34-83.12.el9_3.security.0.5` and above includes `iconv(3)` ISO-2022-CN-EXT [CVE-2024-2961](../issues/CVE-2024-2961.md) fix from upstream glibc 2.34 branch, which upstream also included starting with `2.34-100.el9_4.2`.
`2.34-60.el9_2.security.0.2` included mitigations sufficient to avoid security exposure of [CVE-2023-4911](../issues/CVE-2023-4911.md) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL. In the update to `2.34-60.7.el9_2.security.0.3` and beyond, we retained the mitigations while rebasing on upstream EL's package with upstream fixes for these vulnerabilities (and more).
@ -28,12 +28,11 @@ In general, inclusion of additional security fixes will be "reverted" if and whe
### Change log
```
* Thu Nov 21 2024 Solar Designer <solar@openwall.com> - 2.34-125.1.el9.security.0.10
- Rebase on 2.34-125.1
* Thu Jun 13 2024 Solar Designer <solar@openwall.com> - 2.34-100.2.el9.security.0.9
- Rebase on 2.34-100.2
[... upstream changes ...]
* Mon May 20 2024 Solar Designer <solar@openwall.com> - 2.34-100.el9.security.0.8
- Rebase on 2.34-100
@ -48,6 +47,8 @@ In general, inclusion of additional security fixes will be "reverted" if and whe
- Rebase on 2.34-83.12
- Add iconv() ISO-2022-CN-EXT CVE-2024-2961 fix from upstream glibc 2.34 branch
[... upstream changes ...]
* Wed Jan 31 2024 Solar Designer <solar@openwall.com> - 2.34-83.7.el9.security.0.4
- Harden syslog ident fallback initialization to use at most 64 characters of
__progname when __libc_enable_secure, as inspired by Qualys' discovery of
@ -60,6 +61,8 @@ In general, inclusion of additional security fixes will be "reverted" if and whe
- Rebase on 2.34-83.7, drop "our" CVE-2023-4527 patch in favor of RH's
(a similar rebase was made on Oct 6 in 2.34-60.7.el9.security.0.3 for 9.2)
[... upstream changes ...]
* Mon Oct 2 2023 Solar Designer <solar@openwall.com> - 2.34-60.el9.security.0.2
- Add glibc-owl-alt-sanitize-env.patch stitched from several ALT Linux commits
as none of their revisions matched this package's set of backports as-is

15
docs/packages/lkrg.md
View File

@ -2,13 +2,13 @@
## EL9
- Version `0.9.9-1.el9_5.security`
- Based on upstream version `0.9.9`
- Version `0.9.8-2.el9_4.security`
- Based on upstream version `0.9.8`
## EL8
- Version `0.9.9-1.el8_10.security`
- Based on upstream version `0.9.9`
- Version `0.9.8-2.el8_10.security`
- Based on upstream version `0.9.8`
### Package summary
@ -18,7 +18,7 @@ More information is available on the [LKRG homepage](https://lkrg.org) and in th
### Usage in Rocky Linux
Due to EL's kABI stability and the `weak-modules` mechanism, which this package uses, the same binary package of LKRG usually works across different kernel revisions/builds within the same EL minor release (e.g., 9.5). Once there's a new minor release (e.g., 9.5 is upgraded to 9.6), we'll provide a new build of LKRG accordingly.
Due to EL's kABI stability and the `weak-modules` mechanism, which this package uses, the same binary package of LKRG usually works across different kernel revisions/builds within the same EL minor release (e.g., 9.4). Once there's a new minor release (e.g., 9.4 is upgraded to 9.5), we'll provide a new build of LKRG accordingly.
Installing the package does not automatically start LKRG nor enable it to start on system bootup. To start LKRG please use:
@ -34,7 +34,7 @@ systemctl enable lkrg
### Testing and recovery
Although the current package passed our own testing (on 9.5 and 8.10), we recommend that you only enable LKRG to start on system bootup after you've tested it for a while to ensure its compatibility with your system. If you nevertheless run into a boot time issue with LKRG later, you can disable it with the `nolkrg` kernel command-line option.
Although the current package passed our own testing (on 9.4 and 8.10), we recommend that you only enable LKRG to start on system bootup after you've tested it for a while to ensure its compatibility with your system. If you nevertheless run into a boot time issue with LKRG later, you can disable it with the `nolkrg` kernel command-line option.
### Remote logging
@ -45,9 +45,6 @@ Documentation is also included in there, in `/usr/share/doc/lkrg-logger/LOGGING`
### Change log
```
* Wed Oct 23 2024 Solar Designer <solar@openwall.com> 0.9.9-1
- Update to 0.9.9
* Wed May 22 2024 Solar Designer <solar@openwall.com> 0.9.8-2
- Pass direct kernel-devel's build path into make
- Drop "BuildRequires: kernel" as we no longer need /lib/modules/*/build

21
docs/packages/openssh.md
View File

@ -2,33 +2,18 @@
## EL9
- Version `8.7p1-43.el9_5.security.0.10`
- Based on `8.7p1-43.el9`
- Version `8.7p1-38.el9_4.security.0.5`
- Based on `8.7p1-38.el9`
### Changes summary
- Instead of linking against `libsystemd`, load it dynamically in a temporary child process to avoid polluting actual `sshd`'s address space with that library and its many dependencies (shortens `ldd sshd` output from 28 to 20 lines)
- Build without Kerberos support (further shortens `ldd sshd` from 20 to 13 lines)
- Fix [CVE-2024-6409](../issues/CVE-2024-6409.md)
- Fix CVE-2024-6387 regreSSHion
### Change log
```
* Thu Nov 21 2024 Solar Designer <solar@openwall.com> 8.7p1-43.el9_5.security.0.10
- Rebase on 8.7p1-43
* Wed Jul 17 2024 Solar Designer <solar@openwall.com> 8.7p1-38.4.el9_4.security.0.9
- Patch the code to silently ignore GSSAPIKeyExchange when unsupported
* Wed Jul 17 2024 Solar Designer <solar@openwall.com> 8.7p1-38.4.el9_4.security.0.8
- Rebase on 8.7p1-38.4
* Mon Jul 08 2024 Solar Designer <solar@openwall.com> 8.7p1-38.1.el9_4.security.0.7
- Fix CVE-2024-6409
* Mon Jul 08 2024 Solar Designer <solar@openwall.com> 8.7p1-38.1.el9_4.security.0.6
- Rebase on 8.7p1-38.1
* Mon Jul 01 2024 Solar Designer <solar@openwall.com> 8.7p1-38.el9_4.security.0.5
- Fix CVE-2024-6387 regreSSHion