From 7dee1d1f4a3af9ce5c11af9685663fa93dc27fcf Mon Sep 17 00:00:00 2001 From: Solar Designer Date: Sat, 23 Nov 2024 05:11:06 +0100 Subject: [PATCH] Updates for EL 9.5 --- docs/news.md | 5 +++++ docs/packages/glibc.md | 17 +++++++---------- docs/packages/lkrg.md | 6 +++--- docs/packages/openssh.md | 7 +++++-- 4 files changed, 20 insertions(+), 15 deletions(-) diff --git a/docs/news.md b/docs/news.md index c86cd1e..5efa606 100644 --- a/docs/news.md +++ b/docs/news.md @@ -2,6 +2,11 @@ These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits. +## November 23, 2024 + +[glibc](packages/glibc.md) and [openssh](packages/openssh.md) rebased on EL 9.5's, +[lkrg](packages/lkrg.md) (Linux Kernel Runtime Guard) rebuilt for EL 9.5. + ## October 23, 2024 [lkrg](packages/lkrg.md) (Linux Kernel Runtime Guard) is updated to version 0.9.9, built for both EL 9.4 and 8.10. diff --git a/docs/packages/glibc.md b/docs/packages/glibc.md index 11ed1d1..40a5f94 100644 --- a/docs/packages/glibc.md +++ b/docs/packages/glibc.md @@ -2,8 +2,8 @@ ## EL9 -- Version `2.34-100.2.el9_4.security.0.9` -- Based on `2.34-100.el9_4.2` +- Version `2.34-125.1.el9_5.security.0.10` +- Based on `2.34-125.el9_5.1` ### Changes summary 
@@ -17,9 +17,9 @@ #### Known-effective vulnerability mitigations and fixes -`2.34-83.12.el9_3.security.0.6` and above includes nscd CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 fixes from upstream glibc 2.34 branch, which upstream also included starting with `2.34-100.el9_4.2`. +`2.34-83.12.el9_3.security.0.6` and above includes nscd CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 fixes from upstream glibc 2.34 branch, which upstream EL also included starting with `2.34-100.el9_4.2`. -`2.34-83.12.el9_3.security.0.5` and above includes `iconv(3)` ISO-2022-CN-EXT [CVE-2024-2961](../issues/CVE-2024-2961.md) fix from upstream glibc 2.34 branch, which upstream also included starting with `2.34-100.el9_4.2`. +`2.34-83.12.el9_3.security.0.5` and above includes `iconv(3)` ISO-2022-CN-EXT [CVE-2024-2961](../issues/CVE-2024-2961.md) fix from upstream glibc 2.34 branch, which upstream EL also included starting with `2.34-100.el9_4.2`. `2.34-60.el9_2.security.0.2` included mitigations sufficient to avoid security exposure of [CVE-2023-4911](../issues/CVE-2023-4911.md) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL. In the update to `2.34-60.7.el9_2.security.0.3` and beyond, we retained the mitigations while rebasing on upstream EL's package with upstream fixes for these vulnerabilities (and more). @@ -28,11 +28,12 @@ In general, inclusion of additional security fixes will be "reverted" if and whe ### Change log ``` +* Thu Nov 21 2024 Solar Designer - 2.34-125.1.el9.security.0.10 +- Rebase on 2.34-125.1 + * Thu Jun 13 2024 Solar Designer - 2.34-100.2.el9.security.0.9 - Rebase on 2.34-100.2 -[... upstream changes ...] - * Mon May 20 2024 Solar Designer - 2.34-100.el9.security.0.8 - Rebase on 2.34-100 
@@ -47,8 +48,6 @@ In general, inclusion of additional security fixes will be "reverted" if and whe - Rebase on 2.34-83.12 - Add iconv() ISO-2022-CN-EXT CVE-2024-2961 fix from upstream glibc 2.34 branch -[... upstream changes ...] - * Wed Jan 31 2024 Solar Designer - 2.34-83.7.el9.security.0.4 - Harden syslog ident fallback initialization to use at most 64 characters of __progname when __libc_enable_secure, as inspired by Qualys' discovery of @@ -61,8 +60,6 @@ In general, inclusion of additional security fixes will be "reverted" if and whe - Rebase on 2.34-83.7, drop "our" CVE-2023-4527 patch in favor of RH's (a similar rebase was made on Oct 6 in 2.34-60.7.el9.security.0.3 for 9.2) -[... upstream changes ...] - * Mon Oct 2 2023 Solar Designer - 2.34-60.el9.security.0.2 - Add glibc-owl-alt-sanitize-env.patch stitched from several ALT Linux commits as none of their revisions matched this package's set of backports as-is diff --git a/docs/packages/lkrg.md b/docs/packages/lkrg.md index 1b6049b..457efe3 100644 --- a/docs/packages/lkrg.md +++ b/docs/packages/lkrg.md @@ -2,7 +2,7 @@ ## EL9 -- Version `0.9.9-1.el9_4.security` +- Version `0.9.9-1.el9_5.security` - Based on upstream version `0.9.9` ## EL8 
@@ -18,7 +18,7 @@ More information is available on the [LKRG homepage](https://lkrg.org) and in th ### Usage in Rocky Linux -Due to EL's kABI stability and the `weak-modules` mechanism, which this package uses, the same binary package of LKRG usually works across different kernel revisions/builds within the same EL minor release (e.g., 9.4). Once there's a new minor release (e.g., 9.4 is upgraded to 9.5), we'll provide a new build of LKRG accordingly. +Due to EL's kABI stability and the `weak-modules` mechanism, which this package uses, the same binary package of LKRG usually works across different kernel revisions/builds within the same EL minor release (e.g., 9.5). Once there's a new minor release (e.g., 9.5 is upgraded to 9.6), we'll provide a new build of LKRG accordingly. Installing the package does not automatically start LKRG nor enable it to start on system bootup. To start LKRG please use: @@ -34,7 +34,7 @@ systemctl enable lkrg ### Testing and recovery -Although the current package passed our own testing (on 9.4 and 8.10), we recommend that you only enable LKRG to start on system bootup after you've tested it for a while to ensure its compatibility with your system. If you nevertheless run into a boot time issue with LKRG later, you can disable it with the `nolkrg` kernel command-line option. +Although the current package passed our own testing (on 9.5 and 8.10), we recommend that you only enable LKRG to start on system bootup after you've tested it for a while to ensure its compatibility with your system. If you nevertheless run into a boot time issue with LKRG later, you can disable it with the `nolkrg` kernel command-line option. ### Remote logging diff --git a/docs/packages/openssh.md b/docs/packages/openssh.md index c7b1360..0bfae38 100644 --- a/docs/packages/openssh.md +++ b/docs/packages/openssh.md 
@@ -2,8 +2,8 @@ ## EL9 -- Version `8.7p1-38.4.el9_4.security.0.9` -- Based on `8.7p1-38.el9_4.4` +- Version `8.7p1-43.el9_5.security.0.10` +- Based on `8.7p1-43.el9` ### Changes summary @@ -14,6 +14,9 @@ ### Change log ``` +* Thu Nov 21 2024 Solar Designer 8.7p1-43.el9_5.security.0.10 +- Rebase on 8.7p1-43 + * Wed Jul 17 2024 Solar Designer 8.7p1-38.4.el9_4.security.0.9 - Patch the code to silently ignore GSSAPIKeyExchange when unsupported -- 2.43.5
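Review bot: in the docs/news.md hunk (@@ -2,6 +2,11 @@), the new entry reads "rebased on EL 9.5's," with no noun after the possessive and a comma splice before the lkrg clause; suggest "[glibc] and [openssh] rebased on EL 9.5's packages; [lkrg] (Linux Kernel Runtime Guard) rebuilt for EL 9.5." Naming the new version strings in the news item (`2.34-125.1.el9_5.security.0.10` and `8.7p1-43.el9_5.security.0.10`) would let readers confirm with `rpm -q glibc openssh` that they are on the rebased builds.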
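Review bot: in the docs/packages/glibc.md change log hunk (@@ -28,11 +28,12 @@), and again in @@ -47 and @@ -61, the `-[... upstream changes ...]` deletions remove the only indication that upstream EL changelog entries are elided between the `.security.` entries, so the fenced log now reads as if the package went straight from 2.34-100.2 to 2.34-125.1 with nothing in between. If the intent is to stop reproducing upstream entries, one sentence above the ``` block (for example "upstream EL changelog entries between our releases are omitted") would preserve that information. The new entry's `2.34-125.1.el9.security.0.10` (plain `el9` rather than the header's `el9_5`) follows the convention of the earlier entries, so that part is consistent.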
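Review bot: in the docs/packages/lkrg.md "Testing and recovery" hunk (@@ -34,7 +34,7 @@), the paragraph now claims testing on 9.5 and 8.10, but no EL8 line changes anywhere in this patch, so please confirm the 8.10 build was re-tested now rather than the claim being carried over from the 0.9.9 note. Since the "Usage" paragraph relies on kABI stability and `weak-modules` across kernel builds within 9.5, a sentence telling readers how to confirm LKRG is actually loaded after a kernel update (for example `systemctl status lkrg` plus the kernel log) would complement the `nolkrg` recovery instruction.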
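Review bot: in the docs/packages/openssh.md version hunk (@@ -2,8 +2,8 @@), "Based on `8.7p1-43.el9`" lacks the `_5` suffix that the glibc entry (`2.34-125.el9_5.1`) and this package's own version string (`8.7p1-43.el9_5.security.0.10`) carry. If `8.7p1-43.el9` is the 9.5 GA build rather than a z-stream update, that is correct, but a reader comparing against `rpm -q openssh` may take it for a typo; a short note that GA builds use the plain `el9` tag would avoid that.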
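Review bot: in the docs/packages/openssh.md change log hunk (@@ -14,6 +14,9 @@), the new entry says only "Rebase on 8.7p1-43", while the preceding entry records a local patch (silently ignore GSSAPIKeyExchange when unsupported); the entry should state whether that patch is still carried after the rebase or was dropped because upstream now handles it, the way the glibc log does with "drop "our" CVE-2023-4527 patch in favor of RH's".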