haveged-1.9.25-1.el9
- haveged-1.9.25-1.el9
Update to 1.9.25 — fix initramfs switch-root failure (BZ#2491739).
The v1.9.24 haveged.service with --no-command broke the initramfs switch-root handoff, causing emergency mode on systems where haveged was started but not enabled. Fix: add a separate haveged-initramfs.service for use inside the initramfs.
Update to 1.9.24. Disable command mode in long-running service (--no-command flag). Enable PrivateNetwork=true in systemd service. Remove SELinux policy module (no longer needed without command mode).
Fix rpminspect.yaml: use annocheck failure_severity instead of inspections toggle (annocheck is a security inspection and cannot be disabled via inspections section)
Update to 1.9.23-2: - Add SELinux policy module to allow semaphore creation in /dev/shm - Add rpminspect.yaml to waive pre-existing annocheck false positive
Security fixes in 1.9.23-1: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined
Update to 1.9.23 — security hardening: - Use O_EXCL with sem_open to prevent semaphore pre-planting attacks - Fix OOB memory access in safein()/safeout() on socket errors - Reject command socket connections from different user namespaces - Use O_NOFOLLOW for PID file to prevent symlink attacks - Open random device with O_CLOEXEC, restrict semaphore to 0600 - Fix stale semaphore recovery after SIGKILL - Fix compilation when NO_COMMAND_MODE is defined