Restrict security-common to OpenSSH packages

priteau · priteau · commit 767ce13c06b4 · 2024-07-05T14:15:34.000+02:00
The other updated packages (glibc and microcode_ctl) need more testing.
diff --git a/etc/kayobe/dnf.yml b/etc/kayobe/dnf.yml
@@ -122,6 +122,7 @@ dnf_custom_repos_rocky_9:
     file: Rocky-SIG-Security-Common
     gpgkey: "{{ rocky_9_sig_security_gpg_key }}"
     gpgcheck: yes
+    includepkgs: "openssh*"
     username: "{{ stackhpc_repo_mirror_username | default(omit, true) }}"
     password: "{{ stackhpc_repo_mirror_password | default(omit, true) }}"
 
diff --git a/releasenotes/notes/security-common-openssh-6fbd5a1e95fd66ae.yaml b/releasenotes/notes/security-common-openssh-6fbd5a1e95fd66ae.yaml
@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Enables the Rocky Linux 9 SIG Security Common repository, which provides
+    updated OpenSSH packages addressing CVE-2024-6387 (regreSSHion). Other
+    packages available in this repository are currently ignored.
