[rpms/haveged] epel8: Update to 1.9.23 — security hardening for semaphore, socket, and file handling

public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed

From: Jirka Hladky <jhladky@redhat.com>
To: git-commits@fedoraproject.org
Subject: [rpms/haveged] epel8: Update to 1.9.23 — security hardening for semaphore, socket, and file handling
Date: Thu, 18 Jun 2026 01:37:47 GMT	[thread overview]
Message-ID: <178174666792.1.16118028468308605454.rpms-haveged-8c303fa676d0@fedoraproject.org> (raw)

A new commit has been pushed.

Repo   : rpms/haveged
Branch : epel8
Commit : 8c303fa676d091ee27fcd4b06e9a47184a07dbe5
Author : Jirka Hladky <jhladky@redhat.com>
Date   : 2026-06-18T03:37:32+02:00
Stats  : +17/-18 in 4 file(s)
URL    : https://src.fedoraproject.org/rpms/haveged/c/8c303fa676d091ee27fcd4b06e9a47184a07dbe5?branch=epel8

Log:
Update to 1.9.23 — security hardening for semaphore, socket, and file handling

---
diff --git a/.gitignore b/.gitignore
index 7589dc4..e768c53 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,4 @@
 /haveged-1.9.12.tar.gz
 /haveged-1.9.13.tar.gz
 /haveged-1.9.14.tar.gz
+/haveged-1.9.23.tar.gz

diff --git a/CVE-2026-41054.patch b/CVE-2026-41054.patch
deleted file mode 100644
index 1315fef..0000000
--- a/CVE-2026-41054.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/src/havegecmd.c b/src/havegecmd.c
-index 9ced105..7abab9e 100644
---- a/src/havegecmd.c
-+++ b/src/havegecmd.c
-@@ -303,6 +303,7 @@ int socket_handler(                /* RETURN: closed file descriptor        */
-       ptr = (unsigned char *)enqry;
-       len = (int)strlen(enqry)+1;
-       safeout(fd, ptr, len);
-+      goto out;
-       }
- 
-    switch (magic[0]) {

diff --git a/haveged.spec b/haveged.spec
index 2da92d6..3de1fe2 100644
--- a/haveged.spec
+++ b/haveged.spec
@@ -1,12 +1,11 @@
 %define dracutlibdir lib/dracut
 Summary:        A Linux entropy source using the HAVEGE algorithm
 Name:           haveged
-Version:        1.9.14
-Release:        2%{?dist}
+Version:        1.9.23
+Release:        1%{?dist}
 License:        GPLv3+
 URL:            https://github.com/jirka-h/haveged
 Source0:        https://github.com/jirka-h/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
-Patch0:         CVE-2026-41054.patch
 Requires(post):   systemd
 Requires(preun):  systemd
 Requires(postun): systemd
@@ -42,7 +41,6 @@ Headers and shared object symbolic links for the HAVEGE algorithm
 
 %prep
 %setup -q
-%patch -P 0 -p1
 
 %build
 #autoreconf -fiv
@@ -63,10 +61,12 @@ chmod 0644 COPYING README ChangeLog AUTHORS
 
 #Install systemd service file
 sed -e 's:@SBIN_DIR@:%{_sbindir}:g' -i contrib/Fedora/*service
+sed -i '/^ConditionKernelVersion/d' contrib/Fedora/*service
 sed -e '/ProtectKernelLogs/d' -i contrib/Fedora/%{name}.service
-sed -e '/ProtectHostname/d' -i   contrib/Fedora/%{name}.service 
+sed -e '/ProtectHostname/d' -i   contrib/Fedora/%{name}.service
 install -Dpm 0644 contrib/Fedora/haveged.service %{buildroot}%{_unitdir}/%{name}.service
 install -Dpm 0644 contrib/Fedora/haveged-switch-root.service %{buildroot}%{_unitdir}/%{name}-switch-root.service
+install -Dpm 0644 contrib/Fedora/haveged-once.service %{buildroot}%{_unitdir}/%{name}-once.service
 install -Dpm 0755 contrib/Fedora/haveged-dracut.module %{buildroot}/%{_prefix}/%{dracutlibdir}/modules.d/98%{name}/module-setup.sh
 install -Dpm 0644 contrib/Fedora/90-haveged.rules %{buildroot}%{_udevrulesdir}/90-%{name}.rules
 
@@ -106,6 +106,16 @@ cp -p COPYING README ChangeLog AUTHORS contrib/build/havege_sample.c %{buildroot
 
 
 %changelog
+* Thu Jun 18 2026 Jirka Hladky <hladky.jiri@gmail.com> - 1.9.23-1
+- Update to 1.9.23
+- Security: use O_EXCL with sem_open to prevent semaphore pre-planting attacks
+- Security: fix OOB memory access in safein()/safeout() on socket errors
+- Security: reject command socket connections from different user namespaces
+- Security: use O_NOFOLLOW for PID file to prevent symlink attacks
+- Harden: open random device with O_CLOEXEC, restrict semaphore to 0600
+- Fix stale semaphore recovery after SIGKILL
+- Fix compilation when NO_COMMAND_MODE is defined
+
 * Wed May 20 2026 Jirka Hladky <hladky.jiri@gmail.com> - 1.9.14-2
 - Security fix: CVE-2026-41054 — privilege escalation via command socket
 

diff --git a/sources b/sources
index cea6255..8d59ebd 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (haveged-1.9.14.tar.gz) = bdb6d9de667298d32b474bcbdd5f90c12b870b154b86f8817948de787d378b428bf823234f20129666bd1abced2f154643b5999e43975969f6bba87124650924
+SHA512 (haveged-1.9.23.tar.gz) = 69fe3e024ac213d2cbbbc36e716cc0822929e0a18aabb0802e2cc9818381073fef034b247c3e2b458b6ca3d9bc4c01b86b1954dff2767752ea2b0551958efb61

                 reply	other threads:[~2026-06-18  1:37 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=178174666792.1.16118028468308605454.rpms-haveged-8c303fa676d0@fedoraproject.org \
    --to=jhladky@redhat.com \
    --cc=git-commits@fedoraproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox