Assorted updates and corrections #16

Merged
neil merged 5 commits from solardiz-patch-14 into main 2023-11-27 13:49:17 +00:00
5 changed files with 42 additions and 40 deletions

@ -18,22 +18,18 @@ dnf install rocky-release-security
Download the release package containing our repository configuration file and package signing public key. Use the version that corresponds to the major version of your EL distro. Download the release package containing our repository configuration file and package signing public key. Use the version that corresponds to the major version of your EL distro.
- [rocky-release-security-9](https://download.rockylinux.org/pub/rocky/9/extras/x86_64/os/Packages/r/rocky-release-security-9-2.el9.noarch.rpm) - [rocky-release-security-9](https://download.rockylinux.org/pub/rocky/9/extras/x86_64/os/Packages/r/rocky-release-security-9-3.el9.noarch.rpm)
- [rocky-release-security-8](https://download.rockylinux.org/pub/rocky/8/extras/x86_64/os/Packages/r/rocky-release-security-8-2.el8.noarch.rpm) - [rocky-release-security-8](https://download.rockylinux.org/pub/rocky/8/extras/x86_64/os/Packages/r/rocky-release-security-8-3.el8.noarch.rpm)
Verify the package file's SHA-256 digest with `sha256sum`. The currently expected digests are: Verify the package file's SHA-256 digest with `sha256sum`. The currently expected digests are:
``` ```
8daf0934c8b5cfce1f5c2dc53ea0118102940bf307c7cc8863ab718696863da6 rocky-release-security-9-2.el9.noarch.rpm 0d0cfcb16379b4c374b45a7a4ec86894f5bbdd977103cc5544be0f6fc2581a2a rocky-release-security-9-3.el9.noarch.rpm
15aebef7257d4ff3c59a3b4e45acf8fae9894a10ddd2c924dfd521033337e96c rocky-release-security-8-2.el8.noarch.rpm 8dc7912f0ab55dff4cb2b1dc9262c22aa89d911cdb680d33213737597d865006 rocky-release-security-8-3.el8.noarch.rpm
``` ```
This isn't as secure as checking the package signature would be _if_ you previously had our package signing public key, but on another distro you probably don't have that yet, so checking the digest against its copy obtained from this separate website is a best-effort measure. This isn't as secure as checking the package signature would be _if_ you previously had our package signing public key, but on another distro you probably don't have that yet, so checking the digest against its copy obtained from this separate website is a best-effort measure.
Install the package with `rpm -U --nodeps`. The `--nodeps` option is needed to bypass the dependency check on our `rocky-release` package. In essense, you're manually confirming to `rpm` that you're installing on a compatible distro.
You'll normally install packages from the mirrors, which should just work. However, if there's any issue with the mirrors and you uncomment our `baseurl` line instead, then on non-Rocky you'll need to use `DNF_VAR_sigcontentdir=/pub/sig dnf` in place of simply `dnf`.
## Packages ## Packages
### Extra packages (for EL8 and EL9) ### Extra packages (for EL8 and EL9)
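Review bot: the old side's install step (`rpm -U --nodeps`, with the explanation of why `--nodeps` is needed) and the `DNF_VAR_sigcontentdir=/pub/sig dnf` note for non-Rocky hosts are removed in this hunk with nothing on the new side taking their place; unless they were moved to another file in this PR, the section now tells the reader to verify the digest but not how to install the package or what to do when the mirrors are unavailable. While here, consider pointing readers at `sha256sum -c` with the expected line rather than visual comparison, since the paragraph already concedes the digest is the only check available without the signing key.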

@ -2,8 +2,8 @@
## EL9 ## EL9
- Version `2.34-60.7.el9_2.security.0.3` - Version `2.34-83.7.el9_3.security.0.3`
- Based on `2.34-60.el9_2.7` - Based on `2.34-83.el9.7`
### Changes summary ### Changes summary
@ -16,36 +16,23 @@
#### Known-effective vulnerability mitigations and fixes #### Known-effective vulnerability mitigations and fixes
`2.34-60.el9_2.security.0.2` included mitigations sufficient to avoid security exposure of [CVE-2023-4911](../issues/CVE-2023-4911.md) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL. In the update to `2.34-60.7.el9_2.security.0.3`, we retained the mitigations while rebasing on upstream EL's package with upstream fixes for these vulnerabilities (and more). `2.34-60.el9_2.security.0.2` included mitigations sufficient to avoid security exposure of [CVE-2023-4911](../issues/CVE-2023-4911.md) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL. In the update to `2.34-60.7.el9_2.security.0.3` and beyond, we retained the mitigations while rebasing on upstream EL's package with upstream fixes for these vulnerabilities (and more).
In general, inclusion of additional security fixes will be "reverted" if and when those get included in upstream EL packages that we rebase our changes on. In general, inclusion of additional security fixes will be "reverted" if and when those get included in upstream EL packages that we rebase our changes on.
### Change log ### Change log
``` ```
* Wed Nov 22 2023 Solar Designer <solar@openwall.com> - 2.34-83.7.el9.security.0.3
- Rebase on 2.34-83.7, drop "our" CVE-2023-4527 patch in favor of RH's
(a similar rebase was made on Oct 6 in 2.34-60.7.el9.security.0.3 for 9.2)
[... upstream changes ...]
* Fri Oct 6 2023 Solar Designer <solar@openwall.com> - 2.34-60.7.el9.security.0.3 * Fri Oct 6 2023 Solar Designer <solar@openwall.com> - 2.34-60.7.el9.security.0.3
- Rebase on 2.34-60.7, drop "our" CVE-2023-4527 patch in favor of RH's - Rebase on 2.34-60.7, drop "our" CVE-2023-4527 patch in favor of RH's
* Mon Sep 25 2023 Florian Weimer <fweimer@redhat.com> - 2.34-60.7 [... upstream changes ...]
- Fix memory leak regression in getaddrinfo (RHEL-2425)
* Tue Sep 19 2023 Carlos O'Donell <carlos@redhat.com> - 2.34-60.6
- CVE-2023-4911 glibc: buffer overflow in ld.so leading to privilege escalation (RHEL-2999)
* Tue Sep 19 2023 Carlos O'Donell <carlos@redhat.com> - 2.34-60.5
- Revert: Always call destructors in reverse constructor order (RHEL-3385)
* Mon Sep 18 2023 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.34-60.4
- CVE-2023-4806 glibc: potential use-after-free in getaddrinfo (RHEL-2425)
* Fri Sep 15 2023 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.34-60.3
- CVE-2023-4813: potential use-after-free in gaih_inet (RHEL-2437)
* Fri Sep 15 2023 Carlos O'Donell <carlos@redhat.com> - 2.34-60.2
- CVE-2023-4527: Stack read overflow in getaddrinfo in no-aaaa mode (#2234715)
* Wed Sep 13 2023 Florian Weimer <fweimer@redhat.com> - 2.34-60.1
- Always call destructors in reverse constructor order (RHEL-3385)
* Mon Oct 2 2023 Solar Designer <solar@openwall.com> - 2.34-60.el9.security.0.2 * Mon Oct 2 2023 Solar Designer <solar@openwall.com> - 2.34-60.el9.security.0.2
- Add glibc-owl-alt-sanitize-env.patch stitched from several ALT Linux commits - Add glibc-owl-alt-sanitize-env.patch stitched from several ALT Linux commits
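Review bot: replacing the upstream changelog entries for 2.34-60.1 through 2.34-60.7 with `[... upstream changes ...]` removes the only lines in this file that name CVE-2023-4806, CVE-2023-4813 and the getaddrinfo leak fix (RHEL-2425), while the "Known-effective vulnerability mitigations and fixes" paragraph above still refers to "upstream fixes for these vulnerabilities (and more)" without listing them; consider keeping the CVE lines or linking to the upstream changelog so the claim stays verifiable from this document. Minor: the new entry is versioned `2.34-83.7.el9.security.0.3` while the heading says `2.34-83.7.el9_3.security.0.3` (the Oct 6 entry has the same el9 vs. el9_2 mismatch), so a one-line note that the changelog omits the minor from the dist tag would avoid confusion.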

@ -1,8 +1,13 @@
# Extra package: lkrg # Extra package: lkrg
## EL8 and EL9 ## EL9
- Version `lkrg-0.9.7-4.el9_2.security` - Version `0.9.7-4.el9_3.security`
- Based on upstream version `0.9.7`
## EL8
- Version `0.9.7-4.el8_9.security`
- Based on upstream version `0.9.7` - Based on upstream version `0.9.7`
### Package summary ### Package summary
@ -13,7 +18,7 @@ More information is available on the [LKRG homepage](https://lkrg.org) and in th
### Usage in Rocky Linux ### Usage in Rocky Linux
Due to EL's kABI stability and the `weak-modules` mechanism, which this package uses, the same binary package of LKRG works across different kernel revisions/builds within the same EL minor release (e.g., 9.2). Once there's a new minor release (e.g., 9.2 is upgraded to 9.3), we'll provide a new build of LKRG accordingly. Due to EL's kABI stability and the `weak-modules` mechanism, which this package uses, the same binary package of LKRG works across different kernel revisions/builds within the same EL minor release (e.g., 9.3). Once there's a new minor release (e.g., 9.3 is upgraded to 9.4), we'll provide a new build of LKRG accordingly.
Installing the package does not automatically start LKRG nor enable it to start on system bootup. To start LKRG please use: Installing the package does not automatically start LKRG nor enable it to start on system bootup. To start LKRG please use:
@ -29,10 +34,12 @@ systemctl enable lkrg
### Testing and recovery ### Testing and recovery
Although the current package passed our own testing (on 8.8 and 9.2), we recommend that you only enable LKRG to start on system bootup after you've tested it for a while to ensure its compatibility with your system. If you nevertheless run into a boot time issue with LKRG later, you can disable it with the `nolkrg` kernel command-line option. Although the current package passed our own testing (on 9.3 and 8.9), we recommend that you only enable LKRG to start on system bootup after you've tested it for a while to ensure its compatibility with your system. If you nevertheless run into a boot time issue with LKRG later, you can disable it with the `nolkrg` kernel command-line option.
### Change log ### Change log
The 0.9.7-4 source package was originally built for (and tested on) 9.2 and 8.8, then rebuilt without source level changes for 9.3 and 8.9 (and re-tested on those versions).
``` ```
* Wed Nov 08 2023 Solar Designer <solar@openwall.com> 0.9.7-4 * Wed Nov 08 2023 Solar Designer <solar@openwall.com> 0.9.7-4
- Add a couple of upstream patches, most notably to fix kINT false positives on - Add a couple of upstream patches, most notably to fix kINT false positives on
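Review bot: the added sentence states that 0.9.7-4 was rebuilt without source-level changes for 9.3 and 8.9, but the changelog below still begins at the Nov 08 `0.9.7-4` entry, so a user running `rpm -q --changelog lkrg` cannot distinguish the 9.3/8.9 rebuild from the original 9.2/8.8 build except through the dist tag in the version line; a changelog entry for the rebuild (or a bumped release) would make the "re-tested on those versions" statement traceable from the installed package.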

@ -2,8 +2,8 @@
## EL9 ## EL9
- Version `8.7p1-30.el9_2.security.0.2` - Version `8.7p1-34.el9_3.security.0.1`
- Based on `8.7p1-30.el9_2` - Based on `8.7p1-34.el9`
### Changes summary ### Changes summary
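Review bot: the rebase resets the local suffix from `.0.2` (`8.7p1-30.el9_2.security.0.2`) to `.0.1` (`8.7p1-34.el9_3.security.0.1`); this still sorts above the previous package under rpmvercmp only because the upstream release `34` is greater than `30`, which is worth stating in the "Changes summary" so the lower suffix is not read as a downgrade.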
@ -12,6 +12,9 @@
### Change log ### Change log
``` ```
* Wed Nov 22 2023 Solar Designer <solar@openwall.com> 8.7p1-34.el9_3.security.0.1
- Rebase 8.7p1-30.el9.security.0.2 on 8.7p1-34
* Sat Oct 07 2023 Solar Designer <solar@openwall.com> 8.7p1-30.el9.security.0.2 * Sat Oct 07 2023 Solar Designer <solar@openwall.com> 8.7p1-30.el9.security.0.2
- Load libsystemd.so.0, not libsystemd.so, as the latter is only provided by - Load libsystemd.so.0, not libsystemd.so, as the latter is only provided by
systemd-devel systemd-devel
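Review bot: the new changelog entry uses the dist tag `el9_3` (`8.7p1-34.el9_3.security.0.1`) while the Oct 07 entry directly below uses plain `el9` (`8.7p1-30.el9.security.0.2`), so the two entries follow different conventions; pick one, preferably the minor-less form the glibc and lkrg changelogs in this PR use, so the changelog and the version heading can be matched consistently.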

@ -1,10 +1,15 @@
# Extra package: passwdqc # Extra package: passwdqc
## EL8 and EL9 ## EL9
- Version `2.0.3-2.el9_2.security` - Version `2.0.3-2.el9_2.security`
- Based on upstream version `2.0.3-2` as packaged in Fedora - Based on upstream version `2.0.3-2` as packaged in Fedora
## EL8
- Version `2.0.3-2.el8.security`
- Based on upstream version `2.0.3-2` as packaged in Fedora
### Package summary ### Package summary
`passwdqc` is a password/passphrase strength checking and policy enforcement toolset, including a PAM module (`pam_passwdqc`), command-line programs (`pwqcheck`, `pwqfilter`, and `pwqgen`), and a library (`libpasswdqc`). `passwdqc` is a password/passphrase strength checking and policy enforcement toolset, including a PAM module (`pam_passwdqc`), command-line programs (`pwqcheck`, `pwqfilter`, and `pwqgen`), and a library (`libpasswdqc`).
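Review bot: after the split, EL9 keeps `2.0.3-2.el9_2.security` while the lkrg and openssh files in this PR moved to `el9_3`, and EL8 gets `2.0.3-2.el8.security` with no minor at all; if passwdqc was deliberately not rebuilt for 9.3 (it has no kABI dependency), say so next to the version line, as the lkrg file does, otherwise the mixed dist tags read as though one of the entries is stale.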
@ -13,7 +18,7 @@ More information is available on the [passwdqc homepage](https://www.openwall.co
### Usage in Rocky Linux ### Usage in Rocky Linux
There are 4 sub-packages: There are 5 sub-packages:
#### pam_passwdqc #### pam_passwdqc
@ -31,6 +36,10 @@ The `pwqfilter` program searches, creates, or updates binary passphrase filter f
`libpasswdqc` is the underlying library, which may also be used from third-party programs. `libpasswdqc` is the underlying library, which may also be used from third-party programs.
#### libpasswdqc-devel
This package contains development files needed for building passwdqc-aware applications, as well as documentation (man pages) for developing such applications.
#### passwdqc #### passwdqc
`passwdqc` is a meta sub-package that installs (via dependencies) all 3 actual sub-packages above. `passwdqc` is a meta sub-package that installs (via dependencies) the actual sub-packages above, except for `libpasswdqc-devel`.