Errata in EuroLinux 8, or about the operating system’s security

Errata in EuroLinux 8, or about the operating system’s security

Errata in EuroLinux and in other Enterprise Linuxes is connected with a software package update. Errata are a convenient way to address vulnerabilities where the operational security of the system is indispensable and where we don’t want to introduce new features to an already properly functioning software stack. How do we divide errata and what do they contain?

The word errata come from Latin and colloquially is about corrections of published text, usually due to an error in the publishing process. Errata in EuroLinux and in other Enterprise-class Linux systems is connected with a software package update.

In the system EuroLinux we divide errata into three types:

  • ELSA (EuroLinux Security Advisory) – they contain one or more security fixes and can contain bugfixes and enhancements as well. ELSA is the most important type of errata, which is classified by its severity rating: low, moderate, important or critical, depending on the seriousness of a vulnerability
  • ELBA (EuroLinux Bug Advisory) – they always contain one or more bugfixes and can contain enhancements, but they don’t contain security fixes. Since ELBAs are released as part of bug fixing, they are often considered as more important than ELEAs
  • ELEA (EuroLinux Enhancement Advisory) – they contain one or more enhancements or new functionality and don’t contain bugfixes or security fixes.

The security severity is rated with an already mentioned four-point scale (Critical, Important, Moderate, Low), as well as including a separate base score. These scoring systems provide a prioritized risk assessment to help you understand and schedule upgrades to your systems, enabling informed decisions on the risk each issue places on each environment.

Severity rating

Critical This rating is given to errors that could be easily exploited by a remote unauthenticated attacker and lead to system compromise without requiring user interaction.
Important This rating is given to errors that can easily compromise the confidentiality, integrity or availability of resources. These are the types of vulnerabilities that allow local or authenticated users to gain additional privileges, allow unauthenticated remote users to view resources that should otherwise be protected by authentication or other controls or allow authenticated remote users to execute arbitrary code.
Moderate This rating is given to flaws that could, under certain circumstances, still lead to some compromise of the confidentiality, integrity or availability of resources. These are the types of vulnerabilities that could have had a Critical or Important impact but are less easily exploited based on a technical evaluation of the flaw, and/or affect unlikely configurations.
Low This rating is given to all other issues that may have a security impact. These are the types of vulnerabilities that are believed to require unlikely circumstances to be able to be exploited, or where a successful exploit would give minimal consequences.

How to use errata in EuroLinux

In the latest release of EuroLinux the modules that handle errata have been integrated with the dnf command. As an example, let’s list all the errata available for a non-updated, test EuroLinux 8 installation using the dnf updateinfo list command:

[eurolinux@el8 ~]$ dnf updateinfo list 
Last metadata expiration check: 0:12:54 ago on Sun 27 Mar 2022 11:34:55 PM CEST.
ELSA-2022:0188              Important/Sec. bpftool-4.18.0-348.12.2.el8_5.x86_64
ELSA-2022:0825              Important/Sec. bpftool-4.18.0-348.20.1.el8_5.x86_64
ELEA-2022:0352              enhancement    buildah-1:1.23.1-2.module+el8.5.0+13436+9c05b4ba.x86_64
ELEA-2022:0352              enhancement    conmon-2:2.0.32-1.module+el8.5.0+13852+150547f7.x86_64
ELEA-2022:0352              enhancement    container-selinux-2:2.173.0-1.module+el8.5.0+13852+150547f7.noarch
ELEA-2022:0352              enhancement    containernetworking-plugins-1.0.1-1.module+el8.5.0+13436+9c05b4ba.x86_64
ELEA-2022:0352              enhancement    containers-common-2:1-8.module+el8.5.0+13954+1b78b731.noarch
ELSA-2022:0370              Moderate/Sec.  cryptsetup-2.3.3-4.el8_5.1.x86_64
ELBA-2022:0371              bugfix         libipa_hbac-2.5.2-2.el8_5.4.x86_64
ELBA-2022:0900              bugfix         libsmbclient-4.14.5-10.el8_5.x86_64
ELSA-2022:0332              Critical/Sec.  libsmbclient-4.14.5-9.el8_5.x86_64
(...)

We can limit the output to just security fixes by appending the word security to the end of the previous command:

[eurolinux@el8 ~]$ dnf updateinfo list security
Last metadata expiration check: 0:10:18 ago on Sun 27 Mar 2022 11:34:55 PM CEST.
ELSA-2022:0188 Important/Sec. bpftool-4.18.0-348.12.2.el8_5.x86_64
ELSA-2022:0825 Important/Sec. bpftool-4.18.0-348.20.1.el8_5.x86_64
ELSA-2022:0370 Moderate/Sec.  cryptsetup-2.3.3-4.el8_5.1.x86_64
ELSA-2022:0370 Moderate/Sec.  cryptsetup-libs-2.3.3-4.el8_5.1.x86_64
ELSA-2022:0658 Important/Sec. cyrus-sasl-2.1.27-6.el8_5.x86_64
ELSA-2022:0658 Important/Sec. cyrus-sasl-gssapi-2.1.27-6.el8_5.x86_64
ELSA-2022:0332 Critical/Sec.  samba-client-libs-4.14.5-9.el8_5.x86_64
ELSA-2022:0332 Critical/Sec.  samba-common-4.14.5-9.el8_5.noarch
ELSA-2022:0332 Critical/Sec.  samba-common-libs-4.14.5-9.el8_5.x86_64
ELSA-2022:0894 Moderate/Sec.  vim-minimal-2:8.0.1763-16.el8_5.12.x86_64
ELSA-2022:0366 Moderate/Sec.  vim-minimal-2:8.0.1763-16.el8_5.4.x86_64
(...)

By using the dnf updateinfo info security command we can print information in detail on errata but still narrowed down to security fixes only:

[eurolinux@el8 ~]$ dnf updateinfo info security
Last metadata expiration check: 0:16:41 ago on Sun 27 Mar 2022 11:34:55 PM CEST.
===============================================================================
  Critical: samba security and bug fix update
===============================================================================
  Update ID: ELSA-2022:0332
       Type: security
    Updated: 2022-01-31 16:40:41
       Bugs: 2046146 - CVE-2021-44142 samba: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution (Source: Red Hat)
           : 2046160 - [smb] Segmentation fault when joining the domain [rhel-8.5.0.z] (Source: Red Hat)
           : 2046174 - Failed to authenticate users after upgrade samba package to release samba-4.14.5-7x [rhel-8.5.0.z] (Source: Red Hat)
       CVEs: CVE-2021-44142
   Severity: Critical

===============================================================================
  Important: kernel security and bug fix update
===============================================================================
  Update ID: ELSA-2022:0188
       Type: security
    Updated: 2022-01-19 14:59:09
       Bugs: 2034813 - CVE-2021-4155 kernel: xfs: raw block device data leak in XFS_IOC_ALLOCSP IOCTL (Source: Red Hat)
           : 2040358 - CVE-2022-0185 kernel: fs_context: heap overflow in legacy parameter handling (Source: Red Hat)
       CVEs: CVE-2021-4155
           : CVE-2022-0185
   Severity: Important

===============================================================================
  Important: kernel security, bug fix, and enhancement update
===============================================================================
  Update ID: ELSA-2022:0825
       Type: security
    Updated: 2022-03-10 15:43:03
       Bugs: 2031930 - CVE-2021-0920 kernel: Use After Free in unix_gc() which could result in a local privilege escalation (Source: Red Hat)
           : 2034514 - CVE-2021-4154 kernel: local privilege escalation by exploiting the fsconfig syscall parameter leads to container breakout (Source: Red Hat)
           : 2042404 - CVE-2022-0330 kernel: possible privileges escalation due to missing TLB flush (Source: Red Hat)
           : 2044809 - CVE-2022-22942 kernel: failing usercopy allows for use-after-free exploitation (Source: Red Hat)
           : 2048738 - CVE-2022-0435 kernel: remote stack overflow via kernel panic on systems using TIPC may lead to DoS (Source: Red Hat)
           : 2050237 - CVE-2022-0516 kernel: missing check in ioctl allows kernel memory read/write (Source: Red Hat)
           : 2051505 - CVE-2022-0492 kernel: cgroups v1 release_agent feature may allow privilege escalation (Source: Red Hat)
           : 2060795 - CVE-2022-0847 kernel: improper initialization of the "flags" member of the new pipe_buffer (Source: Red Hat)
       CVEs: CVE-2021-0920
           : CVE-2021-4154
           : CVE-2022-0330
           : CVE-2022-0435
           : CVE-2022-0492
           : CVE-2022-0516
           : CVE-2022-0847
           : CVE-2022-22942
   Severity: Important
(...)
===============================================================================
  Moderate: cryptsetup security update
===============================================================================
  Update ID: ELSA-2022:0370
       Type: security
    Updated: 2022-02-01 21:13:30
       Bugs: 2032401 - CVE-2021-4122 cryptsetup: disable encryption via header rewrite (Source: Red Hat)
       CVEs: CVE-2021-4122
   Severity: Moderate

Having the information on each CVE printed, we can update our system only for that specific CVE with the sudo dnf update --cve CVE-XXXX-XXXXX command, e.g.:

[eurolinux@el8 ~]$ sudo dnf update --cve CVE-2022-22763
Last metadata expiration check: 0:25:31 ago on Sun 27 Mar 2022 11:07:18 PM CEST.
Dependencies resolved.
===============================================================================================================================================================
 Package                           Architecture                     Version                                  Repository                                   Size
===============================================================================================================================================================
Upgrading:
 firefox                           x86_64                           91.7.0-3.el8_5                           certify-appstream                           106 M

Transaction Summary
===============================================================================================================================================================
Upgrade  1 Package

Total download size: 106 M
Is this ok [y/N]: y
Downloading Packages:
firefox-91.7.0-3.el8_5.x86_64.rpm                                                                                              5.0 MB/s | 106 MB     00:21    
---------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                          5.0 MB/s | 106 MB     00:21     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                       1/1 
  Upgrading        : firefox-91.7.0-3.el8_5.x86_64                                                                                                         1/2 
  Running scriptlet: firefox-91.7.0-3.el8_5.x86_64                                                                                                         1/2 
  Running scriptlet: firefox-91.4.0-1.el8_5.x86_64                                                                                                         2/2 
  Cleanup          : firefox-91.4.0-1.el8_5.x86_64                                                                                                         2/2 
  Running scriptlet: firefox-91.4.0-1.el8_5.x86_64                                                                                                         2/2 
  Running scriptlet: firefox-91.7.0-3.el8_5.x86_64                                                                                                         2/2 
  Running scriptlet: firefox-91.4.0-1.el8_5.x86_64                                                                                                         2/2 
  Verifying        : firefox-91.7.0-3.el8_5.x86_64                                                                                                         1/2 
  Verifying        : firefox-91.4.0-1.el8_5.x86_64                                                                                                         2/2 
Installed products updated.

Upgraded:
  firefox-91.7.0-3.el8_5.x86_64                                                                                                                                

Complete!

or update our system for just a specific errata identifier with the dnf update --advisory ELBA-XXXX:XXXX command, e.g.:

[eurolinux@el8 ~]$ sudo dnf update --advisory ELBA-2022:0893
Last metadata expiration check: 1:29:10 ago on Sun 27 Mar 2022 11:07:18 PM CEST.
Dependencies resolved.
===============================================================================================================================================================
 Package                                   Architecture                   Version                                 Repository                              Size
===============================================================================================================================================================
Upgrading:
 systemd                                   x86_64                         239-51.el8_5.5                          certify-baseos                         3.6 M
 systemd-container                         x86_64                         239-51.el8_5.5                          certify-baseos                         752 k
 systemd-libs                              x86_64                         239-51.el8_5.5                          certify-baseos                         1.1 M
 systemd-pam                               x86_64                         239-51.el8_5.5                          certify-baseos                         478 k
 systemd-udev                              x86_64                         239-51.el8_5.5                          certify-baseos                         1.6 M

Transaction Summary
===============================================================================================================================================================
Upgrade  5 Packages

Total download size: 7.4 M
Is this ok [y/N]: 

We can limit printing the information on errata e.g. only for a bugfix category with the dnf updateinfo list bugfix command:

[eurolinux@el8 ~]$ dnf updateinfo list bugfix
Last metadata expiration check: 0:08:37 ago on Sun 27 Mar 2022 11:34:55 PM CEST.
ELBA-2022:0349 bugfix clevis-15-1.el8_5.1.x86_64
ELBA-2022:0349 bugfix clevis-luks-15-1.el8_5.1.x86_64
ELBA-2022:0367 bugfix cockpit-251.3-1.el8_5.x86_64
ELBA-2022:0367 bugfix cockpit-bridge-251.3-1.el8_5.x86_64
ELBA-2022:0367 bugfix cockpit-system-251.3-1.el8_5.noarch
ELBA-2022:0367 bugfix cockpit-ws-251.3-1.el8_5.x86_64
ELBA-2022:0898 bugfix device-mapper-8:1.02.177-11.el8_5.x86_64
ELBA-2022:0898 bugfix device-mapper-event-8:1.02.177-11.el8_5.x86_64
(...)

With the dnf updateinfo list --sec-severity=XXXXX command, we can print the errata along with specifying a security severity of the fixes:

[eurolinux@el8 ~]$ dnf updateinfo list --sec-severity=Moderate
EuroLinux certify BaseOS                         12 MB/s | 8.8 MB     00:00    
EuroLinux certify AppStream                      16 MB/s |  15 MB     00:00    
EuroLinux certify PowerTools                    7.0 MB/s | 3.2 MB     00:00    
ELSA-2022:0896 Moderate/Sec. glibc-2.28-164.el8_5.3.x86_64
ELSA-2022:0896 Moderate/Sec. glibc-common-2.28-164.el8_5.3.x86_64
ELSA-2022:0896 Moderate/Sec. glibc-devel-2.28-164.el8_5.3.x86_64
ELSA-2022:0896 Moderate/Sec. glibc-headers-2.28-164.el8_5.3.x86_64
ELSA-2022:0896 Moderate/Sec. glibc-langpack-en-2.28-164.el8_5.3.x86_64
ELSA-2022:0886 Moderate/Sec. qemu-guest-agent-15:4.2.0-59.module+el8.5.0+14169+68d2f392.2.x86_64
ELSA-2022:0894 Moderate/Sec. vim-common-2:8.0.1763-16.el8_5.12.x86_64
ELSA-2022:0894 Moderate/Sec. vim-enhanced-2:8.0.1763-16.el8_5.12.x86_64
ELSA-2022:0894 Moderate/Sec. vim-filesystem-2:8.0.1763-16.el8_5.12.noarch
ELSA-2022:0894 Moderate/Sec. vim-minimal-2:8.0.1763-16.el8_5.12.x86_64

We can update our system with only security fixes with the dnf update-minimal –security command:

[eurolinux@el8 ~]$ sudo dnf update-minimal --security
Last metadata expiration check: 0:32:28 ago on Sun 27 Mar 2022 11:07:18 PM CEST.
Dependencies resolved.
===============================================================================================================================================================
 Package                                              Architecture     Version                                               Repository                   Size
===============================================================================================================================================================
Installing:
 kernel                                               x86_64           4.18.0-348.20.1.el8_5                                 certify-baseos              7.0 M
Upgrading:
 bpftool                                              x86_64           4.18.0-348.20.1.el8_5                                 certify-baseos              7.7 M
 cryptsetup                                           x86_64           2.3.3-4.el8_5.1                                       certify-baseos              189 k
 cryptsetup-libs                                      x86_64           2.3.3-4.el8_5.1                                       certify-baseos              473 k
(...)
Installing dependencies:
 kernel-core                                          x86_64           4.18.0-348.20.1.el8_5                                 certify-baseos               37 M
 kernel-modules                                       x86_64           4.18.0-348.20.1.el8_5                                 certify-baseos               29 M

Transaction Summary
===============================================================================================================================================================
Install   3 Packages
Upgrade  64 Packages

Total download size: 140 M
Is this ok [y/N]: 

We can also apply an automated everyday system update with security fixes only by running this command chain:

sudo crontab -l | tee syscron.conf && echo "15 3 * * * dnf update-minimal -y --security" >> syscron.conf && sudo crontab syscron.conf && rm syscron.conf

Each errata’s summary is displayed in the form of a list. This view informs a user immediately on the type, severity rating (in the case of security fixes) and the topic of the errata.

Summary

When configuring and using Enterprise-class Linux systems, security should be a top priority. Errata are a convenient way to address vulnerabilities where the operational security of the system is indispensable and where we don’t want to introduce new features to an already properly functioning software stack. There are many ways to detect and fix security vulnerabilities, but it is errata that allow a system administrator to quickly and efficiently handle this task while remaining transparent and aware of the changes being made to the system.

Authors

The blog articles are written by people from the EuroLinux team. We owe 80% of the content to our developers, the rest is prepared by the sales or marketing department. We make every effort to ensure that the content is the best in terms of content and language, but we are not infallible. If you see anything that needs to be corrected or clarified, we'd love to hear from you.