generated from sig_core/wiki-template
Add per-package pages #6
@ -41,18 +41,12 @@ Install the package with `rpm -U --nodeps`. The `--nodeps` option is needed to b
|
||||
|
||||
### Override packages (currently only for EL9)
|
||||
|
||||
- glibc (adds many security-hardening changes originating from Owl and ALT Linux on top of EL package)
|
||||
- openssh (fewer shared libraries exposed in sshd processes while otherwise fully matching EL package's functionality)
|
||||
- [glibc](packages/glibc.md) (adds many security-hardening changes originating from Owl and ALT Linux on top of EL package)
|
||||
- [openssh](packages/openssh.md) (fewer shared libraries exposed in sshd processes while otherwise fully matching EL package's functionality)
|
||||
|
||||
The changes are described in more detail in the package changelogs.
|
||||
The changes are described in more detail on the per-package wiki pages linked above, as well as in the package changelogs.
|
||||
More packages/changes are planned, including override packages also for EL8.
|
||||
|
||||
#### Known-effective vulnerability mitigations and fixes
|
||||
|
||||
`glibc-2.34-60.el9_2.security.0.2` (specifically the `.0.2` version!) includes mitigations sufficient to avoid security exposure of [CVE-2023-4911](https://www.openwall.com/lists/oss-security/2023/10/03/2) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL.
|
||||
|
||||
The inclusion of additional security fixes will be "reverted" if and when those get included in upstream EL packages that we rebase our changes on.
|
||||
|
||||
## Source code
|
||||
|
||||
Just like for other Rocky Linux SIGs, the source trees for Security SIG packages are maintained in [per-package git repositories](https://git.rockylinux.org/sig/security/src). Each repository contains branches `r8` and/or `r9` corresponding to target EL version.
|
||||
@ -72,7 +66,9 @@ We hang out in our [Security Mattermost channel](https://chat.rockylinux.org/roc
|
||||
Some of the people particularly active with setting up this SIG so far:
|
||||
|
||||
| Name | Mattermost Name |
|
||||
|----------------|-----------------|
|
||||
|-----------------|-----------------|
|
||||
| Fredrik Nyström | @nscfreny |
|
||||
| Louis Abel | @label |
|
||||
| Neil Hanlon | @neil |
|
||||
| Scott Shinn | @atomicturtle |
|
||||
| Solar Designer | @solardiz |
|
69
docs/packages/glibc.md
Normal file
69
docs/packages/glibc.md
Normal file
@ -0,0 +1,69 @@
|
||||
# Override package: glibc
|
||||
|
||||
## EL9
|
||||
|
||||
- Version `2.34-60.7.el9_2.security.0.3`
|
||||
- Based on `2.34-60.el9_2.7`
|
||||
|
||||
### Changes summary
|
||||
|
||||
- Distrust and/or unset many more environment variables used by current and previous glibc versions when running SUID/SGID/setcap (Owl via ALT Linux)
|
||||
- When `syslog(3)`/`vsyslog(3)` is called by a SUID/SGID/setcap program without a preceding call to `openlog(3)`, don't blindly trust `__progname` for the syslog ident (Owl via ALT Linux)
|
||||
- In `syslog(3)/vsyslog(3)` use `asctime_r(3)+localtime_r(3)` instead of `strftime_r()` so that month names don't depend on current locale settings (Owl via ALT Linux)
|
||||
- In `asprintf(3)/vasprintf(3)` reset the pointer to NULL on error, like BSDs do, so that the caller wouldn't access memory over an uninitialized or stale pointer (ALT Linux)
|
||||
- In `fread(3)/fwrite(3)` check for potential integer overflow (ALT Linux)
|
||||
- In `tmpfile(3)` use the `TMPDIR` environment variable (when not running SUID/SGID/setcap) (ALT Linux)
|
||||
|
||||
#### Known-effective vulnerability mitigations and fixes
|
||||
|
||||
`2.34-60.el9_2.security.0.2` included mitigations sufficient to avoid security exposure of [CVE-2023-4911](https://www.openwall.com/lists/oss-security/2023/10/03/2) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL. In the update to `2.34-60.7.el9_2.security.0.3`, we retained the mitigations while rebasing on upstream EL's package with upstream fixes for these vulnerabilities (and more).
|
||||
|
||||
In general, inclusion of additional security fixes will be "reverted" if and when those get included in upstream EL packages that we rebase our changes on.
|
||||
|
||||
### Change log
|
||||
|
||||
```
|
||||
* Fri Oct 6 2023 Solar Designer <solar@openwall.com> - 2.34-60.7.el9.security.0.3
|
||||
- Rebase on 2.34-60.7, drop "our" CVE-2023-4527 patch in favor of RH's
|
||||
|
||||
* Mon Sep 25 2023 Florian Weimer <fweimer@redhat.com> - 2.34-60.7
|
||||
- Fix memory leak regression in getaddrinfo (RHEL-2425)
|
||||
|
||||
* Tue Sep 19 2023 Carlos O'Donell <carlos@redhat.com> - 2.34-60.6
|
||||
- CVE-2023-4911 glibc: buffer overflow in ld.so leading to privilege escalation (RHEL-2999)
|
||||
|
||||
* Tue Sep 19 2023 Carlos O'Donell <carlos@redhat.com> - 2.34-60.5
|
||||
- Revert: Always call destructors in reverse constructor order (RHEL-3385)
|
||||
|
||||
* Mon Sep 18 2023 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.34-60.4
|
||||
- CVE-2023-4806 glibc: potential use-after-free in getaddrinfo (RHEL-2425)
|
||||
|
||||
* Fri Sep 15 2023 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.34-60.3
|
||||
- CVE-2023-4813: potential use-after-free in gaih_inet (RHEL-2437)
|
||||
|
||||
* Fri Sep 15 2023 Carlos O'Donell <carlos@redhat.com> - 2.34-60.2
|
||||
- CVE-2023-4527: Stack read overflow in getaddrinfo in no-aaaa mode (#2234715)
|
||||
|
||||
* Wed Sep 13 2023 Florian Weimer <fweimer@redhat.com> - 2.34-60.1
|
||||
- Always call destructors in reverse constructor order (RHEL-3385)
|
||||
|
||||
* Mon Oct 2 2023 Solar Designer <solar@openwall.com> - 2.34-60.el9.security.0.2
|
||||
- Add glibc-owl-alt-sanitize-env.patch stitched from several ALT Linux commits
|
||||
as none of their revisions matched this package's set of backports as-is
|
||||
- Add glibc-upstream-no-aaaa-CVE-2023-4527.patch based on upstream commit
|
||||
bd77dd7e73e3530203be1c52c8a29d08270cb25d fixing
|
||||
CVE-2023-4527: Stack read overflow with large TCP responses in no-aaaa mode
|
||||
|
||||
* Tue Sep 26 2023 Solar Designer <solar@openwall.com> - 2.34-60.el9.security.0.1
|
||||
- Revise the texinfo documentation edit of glibc-2.34-alt-asprintf.patch via
|
||||
glibc-2.34-rocky-asprintf.patch
|
||||
|
||||
* Sat Sep 23 2023 Solar Designer <solar@openwall.com> - 2.34-60.el9.security.0.0
|
||||
- Add some of the patches from ALT Linux as of when they were at 2.34:
|
||||
https://git.altlinux.org/gears/g/glibc.git
|
||||
git show 5fa32fb0f8509f4b2b1105d71b45966dfbadc099 > glibc-2.34-alt-tmpfile.patch
|
||||
git show f97e5d60a6a4c9cb64e3b9ee6f5113969cf07d87 > glibc-2.34-alt-asprintf.patch
|
||||
git show cd45d0f74560325cc48aedb9f56881270ab3dfab > glibc-2.34-alt-libio-bound.patch
|
||||
git show 436eb1017c04aee3a553c2868d00a4b046e5e394 > glibc-2.34-owl-alt-syslog-ident.patch
|
||||
git show 03a86c234873723c26b7e387c498c1332c223968 > glibc-2.34-mjt-owl-alt-syslog-timestamp.patch
|
||||
```
|
23
docs/packages/openssh.md
Normal file
23
docs/packages/openssh.md
Normal file
@ -0,0 +1,23 @@
|
||||
# Override package: openssh
|
||||
|
||||
## EL9
|
||||
|
||||
- Version `8.7p1-30.el9_2.security.0.2`
|
||||
- Based on `8.7p1-30.el9_2`
|
||||
|
||||
### Changes summary
|
||||
|
||||
- Instead of linking against `libsystemd`, load it dynamically in a temporary child process to avoid polluting actual `sshd`'s address space with that library and its many dependencies (shortens `ldd sshd` output from 28 to 20 lines)
|
||||
|
||||
### Change log
|
||||
|
||||
```
|
||||
* Sat Oct 07 2023 Solar Designer <solar@openwall.com> 8.7p1-30.el9.security.0.2
|
||||
- Load libsystemd.so.0, not libsystemd.so, as the latter is only provided by
|
||||
systemd-devel
|
||||
|
||||
* Mon Aug 28 2023 Solar Designer <solar@openwall.com> 8.7p1-30.el9.security.0.1
|
||||
- Instead of linking against libsystemd, load it dynamically in a temporary
|
||||
child process to avoid polluting actual sshd's address space with that
|
||||
library and its many dependencies (shortens "ldd sshd" from 28 to 20 lines)
|
||||
```
|
Loading…
Reference in New Issue
Block a user