yoga: Add Rocky Security SIG repo to address RegreSSHion CVE

etc/kayobe/dnf.yml

@@ -215,6 +215,15 @@ dnf_custom_repos_rocky_9:
     gpgcheck: yes
     username: "{{ stackhpc_repo_mirror_username | default(omit, true) }}"
     password: "{{ stackhpc_repo_mirror_password | default(omit, true) }}"
+  security-common:
+    baseurl: "{{ stackhpc_repo_rocky_9_sig_security_common_url }}"
+    description: "Rocky Linux $releasever - SIG Security Common"
+    file: Rocky-SIG-Security-Common
+    gpgkey: "{{ rocky_9_sig_security_gpg_key }}"
+    gpgcheck: yes
+    includepkgs: "openssh*"
+    username: "{{ stackhpc_repo_mirror_username | default(omit, true) }}"
+    password: "{{ stackhpc_repo_mirror_password | default(omit, true) }}"
 
 # Whether to enable EPEL repositories. This affects RedHat-based systems only.
 dnf_enable_epel: "{{ dnf_install_epel | bool }}"
@@ -227,6 +236,7 @@ dnf_epel_8_gpg_key_url: "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-
 dnf_epel_9_gpg_key_url: "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-9"
 
 rocky_9_gpg_key: "https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-9"
+rocky_9_sig_security_gpg_key: "https://dl.rockylinux.org/pub/sig/9/security/x86_64/security-common/RPM-GPG-KEY-Rocky-SIG-Security"
 
 # Whether to install the epel-release package. This affects RedHat-based
 # systems only. Default value is 'false'.

etc/kayobe/environments/ci-aio/stackhpc-ci.yml

@@ -70,6 +70,7 @@ stackhpc_repo_rocky_9_appstream_version: "{{ stackhpc_pulp_repo_rocky_9_appstrea
 stackhpc_repo_rocky_9_extras_version: "{{ stackhpc_pulp_repo_rocky_9_extras_version }}"
 stackhpc_repo_rocky_9_crb_version: "{{ stackhpc_pulp_repo_rocky_9_crb_version }}"
 stackhpc_repo_rocky_9_highavailability_version: "{{ stackhpc_pulp_repo_rocky_9_highavailability_version }}"
+stackhpc_repo_rocky_9_sig_security_common_version: "{{ stackhpc_pulp_repo_rocky_9_sig_security_common_version }}"
 
 # Rocky-and-CI-specific Pulp urls
 stackhpc_include_os_minor_version_in_repo_url: true

etc/kayobe/environments/ci-builder/stackhpc-ci.yml

@@ -95,6 +95,7 @@ stackhpc_repo_rocky_9_appstream_version: "{{ stackhpc_pulp_repo_rocky_9_appstrea
 stackhpc_repo_rocky_9_extras_version: "{{ stackhpc_pulp_repo_rocky_9_extras_version }}"
 stackhpc_repo_rocky_9_crb_version: "{{ stackhpc_pulp_repo_rocky_9_crb_version }}"
 stackhpc_repo_rocky_9_highavailability_version: "{{ stackhpc_pulp_repo_rocky_9_highavailability_version }}"
+stackhpc_repo_rocky_9_sig_security_common_version: "{{ stackhpc_pulp_repo_rocky_9_sig_security_common_version }}"
 
 # Rocky-and-CI-specific Pulp urls
 stackhpc_include_os_minor_version_in_repo_url: true

etc/kayobe/environments/ci-multinode/stackhpc-ci.yml

@@ -67,6 +67,7 @@ stackhpc_repo_rocky_9_appstream_version: "{{ stackhpc_pulp_repo_rocky_9_appstrea
 stackhpc_repo_rocky_9_extras_version: "{{ stackhpc_pulp_repo_rocky_9_extras_version }}"
 stackhpc_repo_rocky_9_crb_version: "{{ stackhpc_pulp_repo_rocky_9_crb_version }}"
 stackhpc_repo_rocky_9_highavailability_version: "{{ stackhpc_pulp_repo_rocky_9_highavailability_version }}"
+stackhpc_repo_rocky_9_sig_security_common_version: "{{ stackhpc_pulp_repo_rocky_9_sig_security_common_version }}"
 
 # Rocky-and-CI-specific Pulp urls
 stackhpc_include_os_minor_version_in_repo_url: true

etc/kayobe/pulp-repo-versions.yml

@@ -63,6 +63,7 @@ stackhpc_pulp_repo_rocky_9_3_baseos_version: 20231215T005810
 stackhpc_pulp_repo_rocky_9_3_crb_version: 20231215T005810
 stackhpc_pulp_repo_rocky_9_3_extras_version: 20231211T120328
 stackhpc_pulp_repo_rocky_9_3_highavailability_version: 20231214T005538
+stackhpc_pulp_repo_rocky_9_sig_security_common_version: 20240705T092559
 stackhpc_pulp_repo_treasuredata_4_version: 20230903T003752
 stackhpc_pulp_repo_ubuntu_cloud_archive_version: 20231019T125502
 stackhpc_pulp_repo_ubuntu_focal_security_version: 20231018T165217

etc/kayobe/pulp.yml

@@ -433,6 +433,12 @@ stackhpc_pulp_rpm_repos:
     base_path: "rocky/9/highavailability/x86_64/os/"
     required: "{{ stackhpc_pulp_sync_rocky_9 | bool }}"
 
+  - name: Rocky Linux 9 - SIG Security Common
+    url: "{{ stackhpc_release_pulp_content_url }}/rocky/sig/9/security/x86_64/security-common/{{ stackhpc_pulp_repo_rocky_9_sig_security_common_version }}"
+    distribution_name: rocky-9-sig-security-common-
+    base_path: "rocky/sig/9/security/x86_64/security-common/"
+    required: "{{ stackhpc_pulp_sync_rocky_9 | bool }}"
+
   # Additional CentOS Stream 9 repositories
   - name: CentOS Stream 9 - NFV OpenvSwitch
     url: "{{ stackhpc_release_pulp_content_url }}/centos/9-stream/nfv/x86_64/openvswitch-2/{{ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version }}"

etc/kayobe/stackhpc.yml

@@ -210,6 +210,10 @@ stackhpc_repo_rocky_9_extras_version: "{{ stackhpc_repo_distribution }}"
 stackhpc_repo_rocky_9_highavailability_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/rocky/{{ stackhpc_rocky_9_url_version }}/highavailability/x86_64/os/{{ stackhpc_repo_rocky_9_highavailability_version }}"
 stackhpc_repo_rocky_9_highavailability_version: "{{ stackhpc_repo_distribution }}"
 
+# Rocky 9 SIG Security Common
+stackhpc_repo_rocky_9_sig_security_common_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/rocky/sig/9/security/x86_64/security-common/{{ stackhpc_repo_rocky_9_sig_security_common_version }}"
+stackhpc_repo_rocky_9_sig_security_common_version: "{{ stackhpc_repo_distribution }}"
+
 # EPEL 9
 stackhpc_repo_epel_9_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/epel/9/Everything/x86_64/{{ stackhpc_repo_epel_9_version }}"
 stackhpc_repo_epel_9_version: "{{ stackhpc_repo_distribution }}"

releasenotes/notes/security-common-openssh-6fbd5a1e95fd66ae.yaml

@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Enables the Rocky Linux 9 SIG Security Common repository, which provides
+    updated OpenSSH packages addressing CVE-2024-6387 (regreSSHion). Other
+    packages available in this repository are currently ignored.