CVE-2023-38408 in 8-Stream

megabreit
Posts: 4
Joined: 2023/08/23 17:03:43

CVE-2023-38408 in 8-Stream

Post by megabreit » 2023/08/23 17:07:10

Hi there,

I'm missing a fix for CVE-2023-38408 in 8-Stream. I doubt it's not vulnerable, but I might be wrong.
Any statement about this?

Thanks!

TrevorH
Site Admin
Posts: 33224
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2023-38408 in 8-Stream

Post by TrevorH » 2023/08/23 18:07:48

The last update I see to openssh for 8-Stream is dated in January 2023 so, yes, it's unfixed. Raise a bugzilla on bugzilla.redhat.com. Stream is under RHEL as a version number.
megabreit wrote:
Any statement about this?
Don't use Stream?

It's a permanent beta and as you just found out, it sometimes lags on security updates.

All of RHEL 8, Rocky8, Alma8 and OEL8 have had this fix for weeks. All are either RHEL or the spiritual successor to CentOS.

CentOS is dead.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
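The check TrevorH describes (look at the openssh package history to see whether a CVE fix has landed, and know whether the distribution is still maintained at all) can be scripted. This is an added example, not code from the thread or from any distribution; the changelog text is constructed, and the EOL dates are the ones cited in this thread (end of 2021 for CentOS Linux 8, May 2024 for CentOS Stream 8).

```shell
#!/bin/sh
# Constructed sample of `rpm -q --changelog openssh` output (not real
# package data): two entries, neither of which mentions CVE-2023-38408.
SAMPLE_CHANGELOG='* Tue Jan 17 2023 Example Maintainer <maint@example.invalid> - 8.0p1-17
- placeholder entry
* Mon Jun 06 2022 Example Maintainer <maint@example.invalid> - 8.0p1-16
- fix for CVE-0000-00000 (placeholder id)'

# Version-release from the newest header line ("* <date> <who> - <ver>").
latest_changelog_version() {
    printf '%s\n' "$1" | grep '^\* ' | head -n 1 | sed 's/.* - //'
}

# Date of the newest entry: fields 2-5 of the first header line.
latest_changelog_date() {
    printf '%s\n' "$1" | grep '^\* ' | head -n 1 | awk '{print $2, $3, $4, $5}'
}

# Returns 0 when any changelog line references the given CVE id, else 1.
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -qi -- "$2"
}

# Map an /etc/os-release snippet to the EOL status discussed in the thread.
eol_from_os_release() {
    name=$(printf '%s\n' "$1" | sed -n 's/^NAME="\(.*\)"$/\1/p')
    ver=$(printf '%s\n' "$1" | sed -n 's/^VERSION_ID="\(.*\)"$/\1/p')
    case "$name|$ver" in
        "CentOS Linux|8")  echo "EOL 2021-12-31" ;;
        "CentOS Stream|8") echo "EOL 2024-05-31" ;;
        *)                 echo "supported-or-unknown" ;;
    esac
}
```

On a live host, feed the real data in with `changelog_mentions_cve "$(rpm -q --changelog openssh)" CVE-2023-38408` and `eol_from_os_release "$(cat /etc/os-release)"`; an absent CVE reference combined with a newest entry dated January 2023 is exactly the situation reported above.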

megabreit
Posts: 4
Joined: 2023/08/23 17:03:43

Re: CVE-2023-38408 in 8-Stream

Post by megabreit » 2023/08/24 09:27:59

According to https://blog.centos.org/2023/04/end-dat ... s-linux-7/

CentOS Stream 8 is dead in May 2024. So Stream 8 seems to be a zombie instead. Which is far more dangerous than dead.

I'll think about a migration. It will definitely not be RHEL.

chan15
Posts: 4
Joined: 2023/08/25 11:23:26

Re: CVE-2023-38408 in 8-Stream

Post by chan15 » 2023/08/25 11:27:56

Excuse me, my operating system is CentOS Linux version 8.5. It appears that there is no patch available for the CVE. How should I proceed?

TrevorH
Site Admin
Posts: 33224
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2023-38408 in 8-Stream

Post by TrevorH » 2023/08/25 11:31:36

CentOS Linux 8 died at the end of 2021 so you are missing more than just this one fix, you're missing everything in the last 20 months.

The "fix" is to convert your CentOS Linux 8 system to something else. You have a choice of RHEL 8, Rocky 8, Alma 8, OEL 8, which are all rebuilds of (or are) RHEL 8. There is also the permanent beta known as CentOS Stream 8. All of the rebuilds have scripts available to convert from CentOS Linux 8 to themselves.

jlehtone
Posts: 4532
Joined: 2007/12/11 08:17:33
Location: Finland

Re: CVE-2023-38408 in 8-Stream

Post by jlehtone » 2023/08/25 11:56:10

megabreit wrote:
2023/08/24 09:27:59
CentOS Stream 8 is dead in May 2024. So Stream 8 seems to be a zombie instead. Which is far more dangerous than dead.

I'll think about a migration. It will definitely not be RHEL.
If one would believe Magnus https://www.linkedin.com/pulse/secret-b ... nus-glantz then CentOS Stream is "ok";
it should still yield a peek into RHEL 8.9 and 8.10 for a while. However, IMHO that "ok" does have a context. "Ok" as preview, not so ok for production.

AFAIK, AlmaLinux does now forage CentOS Stream as one source for the sources. Use of sources is not the same as use of binaries (compiled directly from those sources).

IMHO it is also better if one can "migrate" by fresh installs & transfer of user data.

chan15
Posts: 4
Joined: 2023/08/25 11:23:26

Re: CVE-2023-38408 in 8-Stream

Post by chan15 » 2023/08/25 14:57:28

TrevorH wrote:
2023/08/25 11:31:36
CentOS Linux 8 died at the end of 2021 so you are missing more than just this one fix, you're missing everything in the last 20 months.

The "fix" is to convert your CentOS Linux 8 system to something else. You have a choice of RHEL 8, Rocky 8, Alma 8, OEL 8, which are all rebuilds of (or are) RHEL 8. There is also the permanent beta known as CentOS Stream 8. All of the rebuilds have scripts available to convert from CentOS Linux 8 to themselves.
But they fix this in every version but 8.5, so weird.

TrevorH
Site Admin
Posts: 33224
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2023-38408 in 8-Stream

Post by TrevorH » 2023/08/25 15:33:05

CentOS 8.5 was the last version of CentOS Linux 8 that was ever released and it was immediately EOL'ed after release and no more updates have been issued for it.

There was an announcement by Red Hat at the end of 2020 that they were discontinuing support for CentOS Linux 8. It died at the end of 2021 and the last thing that happened before its death was the release of 8.5. It has been unmaintained since then.

You need to switch to a different distribution and should have done so in January 2022 or sooner.

You are missing far more than just this one fix. There have been NO fixes AT ALL for CentOS Linux 8 since January 2022.

jlehtone
Posts: 4532
Joined: 2007/12/11 08:17:33
Location: Finland

Re: CVE-2023-38408 in 8-Stream

Post by jlehtone » 2023/08/26 12:16:29

chan15 wrote:
2023/08/25 14:57:28
But they fix this in every version but 8.5, so weird.
Who are "they" and what are those "every version"?

chan15
Posts: 4
Joined: 2023/08/25 11:23:26

Re: CVE-2023-38408 in 8-Stream

Post by chan15 » 2023/08/27 13:45:51

jlehtone wrote:
2023/08/26 12:16:29
chan15 wrote:
2023/08/25 14:57:28
But they fix this in every version but 8.5, so weird.
Who are "they" and what are those "every version"?
https://access.redhat.com/security/cve/cve-2023-38408

Please visit the website.

https://imgsh.net/a/JdmsHfM.png

The patches for the CVE were released for all versions except 8.3 and 8.5.
Last edited by chan15 on 2023/08/27 20:44:30, edited 1 time in total.
