generated from sig_core/wiki-template
issues/CVE-2024-2961.md: Add a mitigation #31
@ -23,3 +23,24 @@ Fixed in version: `2.34-83.12.el9_3.security.0.5` available April 18, 2024
|
|||||||
## EL8
|
## EL8
|
||||||
|
|
||||||
Affected. We will of course rebuild upstream's fix as soon as it arrives.
|
Affected. We will of course rebuild upstream's fix as soon as it arrives.
|
||||||
|
|
||||||
|
## Mitigation
|
||||||
|
|
||||||
|
Support for the ISO-2022-CN-EXT character set can be excluded from glibc's iconv(3) by editing `/usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf` to comment out the below 3 lines at line 1254 (same line number in EL9 and EL8) and then regenerating the cache file:
|
||||||
|
|
||||||
|
```
|
||||||
|
alias ISO2022CNEXT// ISO-2022-CN-EXT//
|
||||||
|
module ISO-2022-CN-EXT// INTERNAL ISO-2022-CN-EXT 1
|
||||||
|
module INTERNAL ISO-2022-CN-EXT// ISO-2022-CN-EXT 1
|
||||||
|
```
|
||||||
|
|
||||||
|
These two steps can be accomplished by running the below commands as root:
|
||||||
|
|
||||||
|
```
|
||||||
|
sed -i -r 's/^(.*ISO-2022-CN-EXT.*)$/#\1/' /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf
|
||||||
|
iconvconfig
|
||||||
|
```
|
||||||
|
|
||||||
|
To make sure this has worked as intended, we also recommend that you run `iconv -l | grep ISO-2022-CN-EXT` before and after the above procedure. It should list the ISO-2022-CN-EXT character set before the procedure, but produce empty output afterwards.
|
||||||
|
|
||||||
|
Finally, if you have long-running processes for which the bug matters (such as PHP-FPM), you'll need to restart those.
|
||||||
|
@ -2,10 +2,10 @@
|
|||||||
|
|
||||||
These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
|
These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
|
||||||
|
|
||||||
## April 18, 2024
|
## April 18-23, 2024
|
||||||
|
|
||||||
Our hardened EL9 [glibc](packages/glibc.md) updated to include glibc upstream fix for [CVE-2024-2961](issues/CVE-2024-2961.md),
|
Our hardened EL9 [glibc](packages/glibc.md) updated to include glibc upstream fix for [CVE-2024-2961](issues/CVE-2024-2961.md).
|
||||||
which we now have a status page on.
|
On that CVE status page, we also provide a mitigation for both EL9 and EL8.
|
||||||
|
|
||||||
The status page on [CVE-2024-1086](issues/CVE-2024-1086.md) has been updated to refer to EL8 fix and errata, suggest disabling network namespaces, explain remaining risks with LKRG.
|
The status page on [CVE-2024-1086](issues/CVE-2024-1086.md) has been updated to refer to EL8 fix and errata, suggest disabling network namespaces, explain remaining risks with LKRG.
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user