CVE-2023-38408 in 8-Stream
Hi there,
I'm missing a fix for CVE-2023-38408 in 8-Stream. I doubt it's not vulnerable, but I might be wrong.
Any statement about this?
Thanks!
Re: CVE-2023-38408 in 8-Stream
The last update I see to openssh for 8-Stream is dated in January 2023 so, yes, it's unfixed. Raise a bugzilla on bugzilla.redhat.com. Stream is under RHEL as a version number.
> Any statement about this?
Don't use Stream?
It's a permanent beta and as you just found out, it sometimes lags on security updates.
All of RHEL 8, Rocky8, Alma8 and OEL8 have had this fix for weeks. All are either RHEL or the spiritual successor to CentOS.
CentOS is dead.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: CVE-2023-38408 in 8-Stream
Regarding https://blog.centos.org/2023/04/end-dat ... s-linux-7/
CentOS Stream 8 is dead in May 2024. So Stream 8 seems to be a zombie instead. Which is far more dangerous than dead.
I'll think about a migration. It will definitely not be RHEL.
Re: CVE-2023-38408 in 8-Stream
Excuse me, my operating system is CentOS Linux version 8.5. It appears that there is no patch available for the CVE. How should I proceed?
Re: CVE-2023-38408 in 8-Stream
CentOS Linux 8 died at the end of 2021 so you are missing more than just this one fix, you're missing everything in the last 20 months.
The "fix" is to convert your CentOS Linux 8 system to something else. You have a choice of RHEL 8, Rocky 8, Alma 8, OEL 8 which are all rebuilds (or are) RHEL 8. There is also the permanent beta known as CentOS Stream 8. All of the rebuilds have scripts available to convert from CentOS Linux 8 to themselves.
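Added example, not part of any post in this thread: a small shell triage for the two checks the answers above rely on, namely which CentOS 8 variant a host runs and whether the package changelog lists the CVE and when it was last updated. The function names, status strings and sample inputs (packager name, versions) are constructed for illustration; the dates in the status strings are the ones given in this thread.

```shell
#!/bin/sh
# Sample inputs below are constructed; packager and versions are placeholders.

# Classify a host from os-release text on stdin.
distro_status() {
    awk -F= '
        { gsub(/"/, "", $2) }
        $1 == "NAME"       { name = $2 }
        $1 == "VERSION_ID" { ver = $2 }
        END {
            if (name == "CentOS Linux" && ver ~ /^8/) print "EOL: no updates since end of 2021"
            else if (name == "CentOS Stream" && ver == "8") print "STREAM: verify each fix, EOL May 2024"
            else print "OTHER: check vendor advisory"
        }'
}

# Read `rpm -q --changelog <pkg>` text on stdin; report whether the CVE id
# appears anywhere and the date of the newest (first) changelog entry.
changelog_status() {
    awk -v cve="$1" '
        /^\* / && newest == "" { newest = $3 " " $4 " " $5 }  # "* Tue Jan 10 2023 Name <mail> - ver"
        index($0, cve)         { found = 1 }
        END { printf "%s newest=%s\n", (found ? "LISTED" : "NOT_LISTED"), newest }'
}

SAMPLE_OS='NAME="CentOS Stream"
VERSION_ID="8"'

SAMPLE_UNPATCHED='* Tue Jan 10 2023 Example Packager <packager@example.com> - 0.0-1
- Constructed entry: unrelated bug fix
* Mon Oct 03 2022 Example Packager <packager@example.com> - 0.0-0
- Constructed entry: rebase'

SAMPLE_PATCHED='* Tue Jul 25 2023 Example Packager <packager@example.com> - 0.0-2
- Constructed entry: fix CVE-2023-38408
* Tue Jan 10 2023 Example Packager <packager@example.com> - 0.0-1
- Constructed entry: unrelated bug fix'

printf '%s\n' "$SAMPLE_OS"        | distro_status
printf '%s\n' "$SAMPLE_UNPATCHED" | changelog_status CVE-2023-38408
printf '%s\n' "$SAMPLE_PATCHED"   | changelog_status CVE-2023-38408

# On a real host:
#   distro_status < /etc/os-release
#   rpm -q --changelog openssh | changelog_status CVE-2023-38408
```

NOT_LISTED means only that the changelog does not name the CVE; read it together with the newest entry date and the vendor advisory.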
Re: CVE-2023-38408 in 8-Stream
If one would believe Magnus https://www.linkedin.com/pulse/secret-b ... nus-glantz then CentOS Stream is "ok";
it should still yield a peek into RHEL 8.9 and 8.10 for a while. However, IMHO that "ok" does have a context. "Ok" as preview, not so ok for production.
AFAIK, AlmaLinux does now forage CentOS Stream as one source for the sources. Use of sources is not the same as use of binaries (compiled directly from those sources).
IMHO it is also better, if one can "migrate" by fresh installs & transfer of user data.
Re: CVE-2023-38408 in 8-Stream
TrevorH wrote: ↑2023/08/25 11:31:36
> CentOS Linux 8 died at the end of 2021 so you are missing more than just this one fix, you're missing everything in the last 20 months.
> The "fix" is to convert your CentOS Linux 8 system to something else. You have a choice of RHEL 8, Rocky 8, Alma 8, OEL 8 which are all rebuilds (or are) RHEL 8. There is also the permanent beta known as CentOS Stream 8. All of the rebuilds have scripts available to convert from CentOS Linux 8 to themselves.
But they fix this in every version but 8.5, so weird :roll:
Re: CVE-2023-38408 in 8-Stream
CentOS 8.5 was the last version of CentOS Linux 8 that was ever released and it was immediately EOL'ed after release and no more updates have been issued for it.
There was an announcement by Red Hat at the end of 2020 that they were discontinuing support for CentOS Linux 8. It died at the end of 2021 and the last thing that happened before its death was the release of 8.5. It has been unmaintained since then.
You need to switch to a different distribution and should have done so in January 2022 or sooner.
You are missing far more than just this one fix. There have been NO fixes AT ALL for CentOS Linux 8 since January 2022.
Re: CVE-2023-38408 in 8-Stream
https://access.redhat.com/security/cve/cve-2023-38408
Please visit the website.
https://imgsh.net/a/JdmsHfM.png
Patches for the CVE were released for all versions except 8.3 and 8.5.
Last edited by chan15 on 2023/08/27 20:44:30, edited 1 time in total.