Merge pull request #1154 from stackhpc/zed-yoga-merge

markgoddard · web-flow · commit 8beaadd77bff · 2024-07-11T13:51:38.000+01:00
zed: yoga merge
diff --git a/.github/workflows/stackhpc-container-image-build.yml b/.github/workflows/stackhpc-container-image-build.yml
@@ -227,7 +227,7 @@ jobs:
         run: mv image-scan-output image-build-logs/image-scan-output
 
       - name: Fail if no images have passed scanning
-        run: if [ $(wc -l < image-build-logs/image-scan-output/clean-images.txt) -le 0 ]; then exit 1; fi
+        run: if [ $(wc -l < image-build-logs/image-scan-output/critical-images.txt) -gt 0 ]; then exit 1; fi
         if: ${{ !inputs.push-dirty }}
 
       - name: Copy clean images to push-attempt-images list
diff --git a/etc/kayobe/dnf.yml b/etc/kayobe/dnf.yml
@@ -116,6 +116,15 @@ dnf_custom_repos_rocky_9:
     gpgcheck: yes
     username: "{{ stackhpc_repo_mirror_username | default(omit, true) }}"
     password: "{{ stackhpc_repo_mirror_password | default(omit, true) }}"
+  security-common:
+    baseurl: "{{ stackhpc_repo_rocky_9_sig_security_common_url }}"
+    description: "Rocky Linux $releasever - SIG Security Common"
+    file: Rocky-SIG-Security-Common
+    gpgkey: "{{ rocky_9_sig_security_gpg_key }}"
+    gpgcheck: yes
+    includepkgs: "openssh*"
+    username: "{{ stackhpc_repo_mirror_username | default(omit, true) }}"
+    password: "{{ stackhpc_repo_mirror_password | default(omit, true) }}"
 
 # Whether to enable EPEL repositories. This affects RedHat-based systems only.
 dnf_enable_epel: "{{ dnf_install_epel | bool }}"
@@ -127,6 +136,7 @@ dnf_enable_elrepo_9: "{{ dnf_install_elrepo_9 | bool }}"
 dnf_epel_9_gpg_key_url: "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-9"
 
 rocky_9_gpg_key: "https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-9"
+rocky_9_sig_security_gpg_key: "https://dl.rockylinux.org/pub/sig/9/security/x86_64/security-common/RPM-GPG-KEY-Rocky-SIG-Security"
 
 # Whether to install the epel-release package. This affects RedHat-based
 # systems only. Default value is 'false'.
diff --git a/etc/kayobe/environments/ci-aio/stackhpc-ci.yml b/etc/kayobe/environments/ci-aio/stackhpc-ci.yml
@@ -50,6 +50,7 @@ stackhpc_repo_rocky_9_appstream_version: "{{ stackhpc_pulp_repo_rocky_9_appstrea
 stackhpc_repo_rocky_9_extras_version: "{{ stackhpc_pulp_repo_rocky_9_extras_version }}"
 stackhpc_repo_rocky_9_crb_version: "{{ stackhpc_pulp_repo_rocky_9_crb_version }}"
 stackhpc_repo_rocky_9_highavailability_version: "{{ stackhpc_pulp_repo_rocky_9_highavailability_version }}"
+stackhpc_repo_rocky_9_sig_security_common_version: "{{ stackhpc_pulp_repo_rocky_9_sig_security_common_version }}"
 
 # Rocky-and-CI-specific Pulp urls
 stackhpc_include_os_minor_version_in_repo_url: true
diff --git a/etc/kayobe/environments/ci-builder/stackhpc-ci.yml b/etc/kayobe/environments/ci-builder/stackhpc-ci.yml
@@ -70,6 +70,7 @@ stackhpc_repo_rocky_9_appstream_version: "{{ stackhpc_pulp_repo_rocky_9_appstrea
 stackhpc_repo_rocky_9_extras_version: "{{ stackhpc_pulp_repo_rocky_9_extras_version }}"
 stackhpc_repo_rocky_9_crb_version: "{{ stackhpc_pulp_repo_rocky_9_crb_version }}"
 stackhpc_repo_rocky_9_highavailability_version: "{{ stackhpc_pulp_repo_rocky_9_highavailability_version }}"
+stackhpc_repo_rocky_9_sig_security_common_version: "{{ stackhpc_pulp_repo_rocky_9_sig_security_common_version }}"
 
 # Rocky-and-CI-specific Pulp urls
 stackhpc_include_os_minor_version_in_repo_url: true
diff --git a/etc/kayobe/environments/ci-multinode/stackhpc-ci.yml b/etc/kayobe/environments/ci-multinode/stackhpc-ci.yml
@@ -47,6 +47,7 @@ stackhpc_repo_rocky_9_appstream_version: "{{ stackhpc_pulp_repo_rocky_9_appstrea
 stackhpc_repo_rocky_9_extras_version: "{{ stackhpc_pulp_repo_rocky_9_extras_version }}"
 stackhpc_repo_rocky_9_crb_version: "{{ stackhpc_pulp_repo_rocky_9_crb_version }}"
 stackhpc_repo_rocky_9_highavailability_version: "{{ stackhpc_pulp_repo_rocky_9_highavailability_version }}"
+stackhpc_repo_rocky_9_sig_security_common_version: "{{ stackhpc_pulp_repo_rocky_9_sig_security_common_version }}"
 
 # Rocky-and-CI-specific Pulp urls
 stackhpc_include_os_minor_version_in_repo_url: true
diff --git a/etc/kayobe/pulp-repo-versions.yml b/etc/kayobe/pulp-repo-versions.yml
@@ -31,6 +31,7 @@ stackhpc_pulp_repo_rocky_9_3_baseos_version: 20231215T005810
 stackhpc_pulp_repo_rocky_9_3_crb_version: 20231215T005810
 stackhpc_pulp_repo_rocky_9_3_extras_version: 20231211T120328
 stackhpc_pulp_repo_rocky_9_3_highavailability_version: 20231214T005538
+stackhpc_pulp_repo_rocky_9_sig_security_common_version: 20240708T235303
 stackhpc_pulp_repo_ubuntu_jammy_security_version: 20231020T074329
 stackhpc_pulp_repo_ubuntu_jammy_version: 20231020T074329
 stackhpc_pulp_repo_ubuntu_cloud_archive_version: 20231019T125502
diff --git a/etc/kayobe/pulp.yml b/etc/kayobe/pulp.yml
@@ -272,6 +272,12 @@ stackhpc_pulp_rpm_repos:
     base_path: "rocky/9/highavailability/x86_64/os/"
     required: "{{ stackhpc_pulp_sync_rocky_9 | bool }}"
 
+  - name: Rocky Linux 9 - SIG Security Common
+    url: "{{ stackhpc_release_pulp_content_url }}/rocky/sig/9/security/x86_64/security-common/{{ stackhpc_pulp_repo_rocky_9_sig_security_common_version }}"
+    distribution_name: rocky-9-sig-security-common-
+    base_path: "rocky/sig/9/security/x86_64/security-common/"
+    required: "{{ stackhpc_pulp_sync_rocky_9 | bool }}"
+
   # Additional CentOS Stream 9 repositories
   - name: CentOS Stream 9 - NFV OpenvSwitch
     url: "{{ stackhpc_release_pulp_content_url }}/centos/9-stream/nfv/x86_64/openvswitch-2/{{ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version }}"
diff --git a/etc/kayobe/stackhpc.yml b/etc/kayobe/stackhpc.yml
@@ -120,6 +120,10 @@ stackhpc_repo_rocky_9_extras_version: "{{ stackhpc_repo_distribution }}"
 stackhpc_repo_rocky_9_highavailability_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/rocky/{{ stackhpc_rocky_9_url_version }}/highavailability/x86_64/os/{{ stackhpc_repo_rocky_9_highavailability_version }}"
 stackhpc_repo_rocky_9_highavailability_version: "{{ stackhpc_repo_distribution }}"
 
+# Rocky 9 SIG Security Common
+stackhpc_repo_rocky_9_sig_security_common_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/rocky/sig/9/security/x86_64/security-common/{{ stackhpc_repo_rocky_9_sig_security_common_version }}"
+stackhpc_repo_rocky_9_sig_security_common_version: "{{ stackhpc_repo_distribution }}"
+
 # EPEL 9
 stackhpc_repo_epel_9_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/epel/9/Everything/x86_64/{{ stackhpc_repo_epel_9_version }}"
 stackhpc_repo_epel_9_version: "{{ stackhpc_repo_distribution }}"
diff --git a/releasenotes/notes/rl9-security-common-cve-2024-6409-d36de799a29c3f74.yaml b/releasenotes/notes/rl9-security-common-cve-2024-6409-d36de799a29c3f74.yaml
@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Updates the Rocky Linux 9 SIG Security Common repository to address
+    `CVE-2024-6409 <https://sig-security.rocky.page/issues/CVE-2024-6409/>`__
+    in OpenSSH.
diff --git a/releasenotes/notes/security-common-openssh-6fbd5a1e95fd66ae.yaml b/releasenotes/notes/security-common-openssh-6fbd5a1e95fd66ae.yaml
@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Enables the Rocky Linux 9 SIG Security Common repository, which provides
+    updated OpenSSH packages addressing CVE-2024-6387 (regreSSHion). Other
+    packages available in this repository are currently ignored.
