issues/CVE-2024-2961.md: Add a mitigation #31

Merged
neil merged 1 commits from solardiz-patch-29 into main 2024-04-23 13:31:03 +00:00
2 changed files with 24 additions and 3 deletions
Showing only changes of commit 51bbca3793 - Show all commits

View File

@ -23,3 +23,24 @@ Fixed in version: `2.34-83.12.el9_3.security.0.5` available April 18, 2024
## EL8
Affected. We will of course rebuild upstream's fix as soon as it arrives.
## Mitigation
Support for the ISO-2022-CN-EXT character set can be excluded from glibc's iconv(3) by editing `/usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf` to comment out the below 3 lines at line 1254 (same line number in EL9 and EL8) and then regenerating the cache file:
```
alias ISO2022CNEXT// ISO-2022-CN-EXT//
module ISO-2022-CN-EXT// INTERNAL ISO-2022-CN-EXT 1
module INTERNAL ISO-2022-CN-EXT// ISO-2022-CN-EXT 1
```
These two steps can be accomplished by running the below commands as root:
```
sed -i -r 's/^(.*ISO-2022-CN-EXT.*)$/#\1/' /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf
iconvconfig
```
To make sure this has worked as intended, we also recommend that you run `iconv -l | grep ISO-2022-CN-EXT` before and after the above procedure. It should list the ISO-2022-CN-EXT character set before the procedure, but produce empty output afterwards.
Finally, if you have long-running processes for which the bug matters (such as PHP-FPM), you'll need to restart those.

View File

@ -2,10 +2,10 @@
These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
## April 18, 2024
## April 18-23, 2024
Our hardened EL9 [glibc](packages/glibc.md) updated to include glibc upstream fix for [CVE-2024-2961](issues/CVE-2024-2961.md),
which we now have a status page on.
Our hardened EL9 [glibc](packages/glibc.md) updated to include glibc upstream fix for [CVE-2024-2961](issues/CVE-2024-2961.md).
On that CVE status page, we also provide a mitigation for both EL9 and EL8.
The status page on [CVE-2024-1086](issues/CVE-2024-1086.md) has been updated to refer to EL8 fix and errata, suggest disabling network namespaces, explain remaining risks with LKRG.