1. Release Notes for Oracle Linux 8.10
  2. New Features and Changes
  3. Security

Security

The following features, enhancements, and changes related to security are introduced in this Oracle Linux 8 release.

SCAP Security Guide Updated to Version 0.1.72

Updates to the SCAP Security Guide include the following notable changes:

  • Bash remediations are fixed to handle ISO9660 partitions in the fstab.
  • The PCI DSS profile is aligned with the PCI DSS policy version 4.0.
  • The Oracle Linux 8 stig profile has been updated to comply with DISA Oracle Linux 8 STIG - Ver 1, Rel 10.

OpenSSL Protects Against Bleichenbacher-Like Attacks

The OpenSSL TLS toolkit now includes API protections against Bleichenbacher-like attacks on the RSA PKCS #1 v1.5 decryption process. The RSA decryption now returns a randomly generated deterministic message instead of an error if it detects an error when checking padding during a PKCS #1 v1.5 decryption. The change provides general protection against vulnerabilities such as CVE-2020-25659 and CVE-2020-25657.

You can disable this protection by calling the EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection". "0") function on the RSA decryption context, but this makes your system more vulnerable.

librdkafka Updated to 1.6.1

The Apache Kafka librdkafka implementation is updated 1.6.1. This is the first major feature release for Oracle Linux 8. The update includes important enhancements and bug fixes listed in the CHANGELOG.md in the librdkafka package.

Important changes includes modified configuration defaults and some deprecated configuration properties. The API (C and C++) and ABI © in this version are compatible with older versions of librdkafka, but some changes to the configuration properties may require changes to existing applications.

libkcapi Updated to Version 1.4.0

The libkcapi library is updated to version 1.4.0. Notable changes include:

  • Added the sm3sum and sm3hmac tools.

  • Added the kcapi_md_sm3 and kcapi_md_hmac_sm3 APIs.

  • Added SM4 convenience functions.

  • Added link-time optimization (LTO ) and LTO regression testing

  • Fixed support for AEAD encryption of an arbitrary size with kcapi-enc.

stunnel Updated to Version 5.71

The stunnel TLS/SSL tunneling service is updated to version 5.71.

Notable changes include:

  • Integration with latest PostgreSQL clients.

  • New protocolHeader service-level option to insert custom connect protocol negotiation headers for software impersonation.

  • New protocolHost option to control the client SMTP protocol negotiation HELO/EHLO value.

  • New client-side protocol = ldap availability.

  • New sessionResume service-level option to control whether a session can be resumed.

  • Extended option to request client certificates in server mode with CApath or CAfile.

  • Improved file reading and logging performance.

  • Added a configurable delay for the retry option.

  • OCSP stapling is requested and verified when verifyChain is set in client mode.

  • OCSP stapling is always available in server mode.

  • Inconclusive OCSP verification breaks TLS negotiation. You can disable this by setting OCSPrequire = no.

OpenSSH Adds Authentication Delay Limits

OpenSSH artificially delays responses after login failure to prevent user enumeration attacks. An upper limit on artificial delays is applied when remote authentication takes too long, for example in privilege access management (PAM) processing.

libkcapi Can Target File Names in Hash-Sum Calculations

The libkcapi packages includes a new -T option that specifies target file names in hash-sum calculations. This option must be used with the -c option that specifies the HMAC files and overrides the target file names specified in the HMAC file. For example: 

$ sha256hmac -c <hmac_file> -T <target_file>

opencryptoki Updated to Version 3.22.0

The opencryptoki package is updated to version 3.22.0. Notable changes include:

  • The AES-XTS key type can be used with the CPACF protected keys.

  • Certificate object management.

  • A no-login option to create public sessions.

  • Authentication as the Security Officer (SO).

  • Capability to import and export the Edwards and Montgomery keys.

  • Capability to import RSA-PSS keys and certificates.

  • Validation that the keys AES-XTS are different when they're created or imported.

audit Updated to Version 3.1.2

The audit package is updated to version 3.1.2. Notable changes include:

  • The auparse library now interprets unnamed and anonymous sockets.

  • Added keyword, this-hour, to the ausearch and aureport command start and end options.

  • Added user friendly keywords for signals to the auditctl command.

  • The auparse command is hardened to better handle corrupt logs.

  • The ProtectControlGroups option is disabled by default in the auditd service.

  • Rule checking for the exclude filter is fixed.

  • OPENAT2 field interpretation is improved.

  • The audispd af_unix plugin is moved to a standalone program.

  • The Python binding is updated to disable setting Audit rules from the Python API to resolve an issue in the Simplified Wrapper and Interface Generator (SWIG).

  • Added io_uring asynchronous I/O API capability.

bcrypt Local Users Password Hashing Algorithm

You can now enable the bcrypt password hashing algorithm for local users. To switch to the bcrypt hashing algorithm, you must first create a custom profile and then edit the profile to change the hashing algorithm:

  1. Get the current profile and any enabled features:
    sudo authselect current
    Output might look similar to the following:
    Profile ID: minimal
Enabled features:
- with-faillock
  2. Create a custom profile, myprofile, based on the current Profile ID, minimal:
    sudo authselect create-profile myprofile -b minimal
  3. Enable any features that were enabled in the original profile, for example:
    sudo authselect enable-feature with-faillock
    You might need to run this command several times for each feature that was enabled before.

  4. Edit the configuration files for the profile that you have created to change the algorithm used by pam_unix.so.

    For example, edit /etc/authselect/custom/myprofile/system-auth and /etc/authselect/custom/myprofile/password-auth files by changing the pam_unix.so sha512 setting to pam_unix.so blowfish.

  5. Apply the changes:

    # authselect apply-changes

  6. Change the password for a user by using the passwd command.

  7. In the /etc/shadow file, verify that the hashing algorithm is set to $2b$, indicating that the bcrypt password hashing algorithm is now used.