From edc7021a494a9e6cf54d1e7c223100810308eea2 Mon Sep 17 00:00:00 2001 From: Solar Designer Date: Tue, 30 Apr 2024 15:42:24 +0200 Subject: [PATCH 1/5] glibc 2.34-83.12.el9_3.security.0.6 nscd CVE fixes --- docs/news.md | 4 ++++ docs/packages/glibc.md | 8 +++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/docs/news.md b/docs/news.md index 474b67c..3ce64e5 100644 --- a/docs/news.md +++ b/docs/news.md @@ -2,6 +2,10 @@ These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits. +## April 30, 2024 + +[glibc](packages/glibc.md) `2.34-83.12.el9_3.security.0.6` includes nscd CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 fixes from upstream glibc 2.34 branch. + ## April 18-23, 2024 Our hardened EL9 [glibc](packages/glibc.md) updated to include glibc upstream fix for [CVE-2024-2961](issues/CVE-2024-2961.md). diff --git a/docs/packages/glibc.md b/docs/packages/glibc.md index 1a7ff8f..bba06f1 100644 --- a/docs/packages/glibc.md +++ b/docs/packages/glibc.md @@ -2,7 +2,7 @@ ## EL9 -- Version `2.34-83.12.el9_3.security.0.5` +- Version `2.34-83.12.el9_3.security.0.6` - Based on `2.34-83.el9.12` ### Changes summary 
@@ -17,6 +17,8 @@ #### Known-effective vulnerability mitigations and fixes +`2.34-83.12.el9_3.security.0.6` includes nscd CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 fixes from upstream glibc 2.34 branch. + `2.34-83.12.el9_3.security.0.5` includes `iconv(3)` ISO-2022-CN-EXT [CVE-2024-2961](../issues/CVE-2024-2961.md) fix from upstream glibc 2.34 branch. `2.34-60.el9_2.security.0.2` included mitigations sufficient to avoid security exposure of [CVE-2023-4911](../issues/CVE-2023-4911.md) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL. In the update to `2.34-60.7.el9_2.security.0.3` and beyond, we retained the mitigations while rebasing on upstream EL's package with upstream fixes for these vulnerabilities (and more). @@ -26,6 +28,10 @@ In general, inclusion of additional security fixes will be "reverted" if and whe ### Change log ``` +* Tue Apr 30 2024 Solar Designer - 2.34-83.12.el9.security.0.6 +- Add nscd CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 fixes + from upstream glibc 2.34 branch + * Thu Apr 18 2024 Solar Designer - 2.34-83.12.el9.security.0.5 - Rebase on 2.34-83.12 - Add iconv() ISO-2022-CN-EXT CVE-2024-2961 fix from upstream glibc 2.34 branch -- 2.43.5 From 1284f07c2f30d156293aac5688e6d830d0e969bd Mon Sep 17 00:00:00 2001 From: Solar Designer Date: Mon, 20 May 2024 22:06:51 +0200 Subject: [PATCH 2/5] glibc 2.34-100.el9_4.security.0.8 --- docs/packages/glibc.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/docs/packages/glibc.md b/docs/packages/glibc.md index bba06f1..faffeb2 100644 --- a/docs/packages/glibc.md +++ b/docs/packages/glibc.md @@ -2,8 +2,8 @@ ## EL9 -- Version `2.34-83.12.el9_3.security.0.6` -- Based on `2.34-83.el9.12` +- Version `2.34-100.el9_4.security.0.8` +- Based on `2.34-100.el9` ### Changes summary 
@@ -28,6 +28,12 @@ In general, inclusion of additional security fixes will be "reverted" if and whe ### Change log ``` +* Mon May 20 2024 Solar Designer - 2.34-100.el9.security.0.8 +- Rebase on 2.34-100 + +* Tue May 07 2024 Solar Designer - 2.34-83.12.el9.security.0.7 +- Upstream glibc 2.34 fix "nscd: Use time_t for return type of addgetnetgrentX" + * Tue Apr 30 2024 Solar Designer - 2.34-83.12.el9.security.0.6 - Add nscd CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 fixes from upstream glibc 2.34 branch @@ -52,11 +58,6 @@ In general, inclusion of additional security fixes will be "reverted" if and whe [... upstream changes ...] -* Fri Oct 6 2023 Solar Designer - 2.34-60.7.el9.security.0.3 -- Rebase on 2.34-60.7, drop "our" CVE-2023-4527 patch in favor of RH's - -[... upstream changes ...] - * Mon Oct 2 2023 Solar Designer - 2.34-60.el9.security.0.2 - Add glibc-owl-alt-sanitize-env.patch stitched from several ALT Linux commits as none of their revisions matched this package's set of backports as-is -- 2.43.5 From 381cffb6b8a67bf5b92c327f5d45af557c22fd20 Mon Sep 17 00:00:00 2001 From: Solar Designer Date: Mon, 20 May 2024 22:08:55 +0200 Subject: [PATCH 3/5] openssh 8.7p1-38.el9_4.security.0.4 --- docs/packages/openssh.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/packages/openssh.md b/docs/packages/openssh.md index 68e7486..b92a78b 100644 --- a/docs/packages/openssh.md +++ b/docs/packages/openssh.md @@ -2,8 +2,8 @@ ## EL9 -- Version `8.7p1-34.3.el9_3.security.0.3` -- Based on `8.7p1-34.el9_3.3` +- Version `8.7p1-38.el9_4.security.0.4` +- Based on `8.7p1-38.el9` ### Changes summary 
@@ -13,6 +13,9 @@ ### Change log ``` +* Mon May 20 2024 Solar Designer 8.7p1-38.el9_4.security.0.4 +- Rebase on 8.7p1-38 + * Sat Mar 16 2024 Solar Designer 8.7p1-34.3.el9_3.security.0.3 - Comment out GSSAPI* lines in /etc/ssh/ssh*_config.d/50-redhat.conf and patch the code to silently ignore GSSAPIKexAlgorithms when unsupported (like it is -- 2.43.5 From 5c8b11d987c15a333f55bac526e2b79e7034eb88 Mon Sep 17 00:00:00 2001 From: Solar Designer Date: Mon, 20 May 2024 22:16:07 +0200 Subject: [PATCH 4/5] issues/CVE-2024-1086.md: Add EL9 fix info --- docs/issues/CVE-2024-1086.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/issues/CVE-2024-1086.md b/docs/issues/CVE-2024-1086.md index 4fc85b9..aaf39c5 100644 --- a/docs/issues/CVE-2024-1086.md +++ b/docs/issues/CVE-2024-1086.md @@ -16,7 +16,7 @@ Public disclosure date: March 26, 2024 for the above blog post, which made the i ## EL9 -Affected. We will of course rebuild upstream's fix as soon as it arrives. Meanwhile, please refer to the mitigations below. +- Fixed in version: `kernel-5.14.0-427.16.1.el9_4` available May 8, 2024 ## EL8 @@ -25,7 +25,7 @@ Affected. We will of course rebuild upstream's fix as soon as it arrives. Meanwh ## Mitigation -Meanwhile, we recommend two mitigations: +We also recommend two mitigations: - If you don't use containers, we recommend that you disable user namespaces e.g. by running the below commands as root: -- 2.43.5 From 0ff260473b736bd79cc9cb06667cbc87e590d767 Mon Sep 17 00:00:00 2001 From: Solar Designer Date: Mon, 20 May 2024 22:30:33 +0200 Subject: [PATCH 5/5] docs/news.md: Updates for 9.4 --- docs/news.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/docs/news.md b/docs/news.md index 3ce64e5..296e2ba 100644 --- a/docs/news.md +++ b/docs/news.md 
@@ -2,9 +2,20 @@ These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits. +## May 20, 2024 + +[glibc](packages/glibc.md) `2.34-100.el9_4.security.0.8` contains all of our changes so far rebased on top of 9.4's `2.34-100`, +which was still missing the iconv and nscd security fixes, so our addition of those is still relevant. + +[openssh](packages/openssh.md) rebased on 9.4's `8.7p1-38`. + +The status page on [CVE-2024-1086](issues/CVE-2024-1086.md) has been updated to refer to EL9 fix. + ## April 30, 2024 -[glibc](packages/glibc.md) `2.34-83.12.el9_3.security.0.6` includes nscd CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 fixes from upstream glibc 2.34 branch. +Unreleased [glibc](packages/glibc.md) `2.34-83.12.el9_3.security.0.6` includes nscd CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 fixes from upstream glibc 2.34 branch. + +This update ended up unreleased because we refocused on 9.4. ## April 18-23, 2024 -- 2.43.5
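Review bot: In the PATCH 1 docs/news.md hunk, the four nscd CVE identifiers in the new April 30 entry are plain text, whereas the neighbouring April 18-23 entry links CVE-2024-2961 to `issues/CVE-2024-2961.md`. If issue pages for CVE-2024-33599 through CVE-2024-33602 exist or are planned, link them the same way; otherwise a short remark that these four have no dedicated issue page would keep the news format consistent. The same applies to the matching "Known-effective vulnerability mitigations and fixes" hunk in docs/packages/glibc.md.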
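Review bot: The new 0.7 entry in the PATCH 2 docs/packages/glibc.md change-log hunk (`Upstream glibc 2.34 fix "nscd: Use time_t for return type of addgetnetgrentX"`) is the only place that fix is documented: the "Known-effective vulnerability mitigations and fixes" summary still stops at 0.6 for nscd, and the PATCH 5 news entry jumps from 0.6 straight to 0.8. Add a sentence to the summary (and ideally to the May 20 news entry) stating that 0.7 carried this follow-up nscd fix and that 0.8 retains it, so readers checking the package page can tell which build has it.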
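Review bot: The PATCH 2 hunk at `@@ -52,11 +58,6 @@` drops the Oct 6 2023 `2.34-60.7.el9.security.0.3` changelog entry (`Rebase on 2.34-60.7, drop "our" CVE-2023-4527 patch in favor of RH's`) together with its `[... upstream changes ...]` marker, yet the summary paragraph above still says "In the update to `2.34-60.7.el9_2.security.0.3` and beyond, we retained the mitigations". Either keep the entry or explain the removal in the commit message (the subject "glibc 2.34-100.el9_4.security.0.8" does not mention a deletion), so the point at which the local CVE-2023-4527 patch was dropped stays traceable from the page.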
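Review bot: In the PATCH 4 docs/issues/CVE-2024-1086.md hunk for `## EL9`, the status becomes a bullet (`- Fixed in version: \`kernel-5.14.0-427.16.1.el9_4\` available May 8, 2024`), while the `## EL8` section, whose status line git shows as the context of the second hunk header, still reads "Affected. We will of course rebuild upstream's fix as soon as it arrives. Meanwhile, please refer to the mitigations below." Use the same bullet form for both sections so a reader scanning the page sees each release's status at a glance, and keep the "refer to the mitigations below" pointer in the EL8 text since that is now the only release the mitigations are written for.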
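Review bot: In the PATCH 4 `## Mitigation` hunk, "We also recommend two mitigations:" no longer says which systems the mitigations are for now that EL9 has a fixed kernel. Suggest "For EL8, and for EL9 hosts not yet rebooted into `kernel-5.14.0-427.16.1.el9_4`, we recommend two mitigations:" so that disabling user namespaces is not read as still required on a patched EL9 host.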
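Review bot: In the PATCH 5 docs/news.md hunk, the April 30 entry is now marked "Unreleased" and explained ("This update ended up unreleased because we refocused on 9.4."), but docs/packages/glibc.md as left by PATCH 1 and PATCH 2 still presents `2.34-83.12.el9_3.security.0.6` and the 0.7 changelog entry without that qualifier. Mark those versions as unreleased on the package page as well, and add the missing article in "updated to refer to EL9 fix" ("to the EL9 fix").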