diff --git a/SOURCES/sudo-1.8.23-fix_empty_username_in_do_syslog.patch b/SOURCES/sudo-1.8.23-fix_empty_username_in_do_syslog.patch new file mode 100644 index 0000000..8ad3955 --- /dev/null +++ b/SOURCES/sudo-1.8.23-fix_empty_username_in_do_syslog.patch @@ -0,0 +1,35 @@ +diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c +index 2c685cd..7751a67 100644 +--- a/plugins/sudoers/logging.c ++++ b/plugins/sudoers/logging.c +@@ -106,7 +106,15 @@ do_syslog(int pri, char *msg) + * Log the full line, breaking into multiple syslog(3) calls if necessary + */ + fmt = _("%8s : %s"); +- maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name)); ++ ++ ++ if (!sudo_user_name) { ++ maxlen = def_syslog_maxlen - (strlen(fmt) - 5); ++ } ++ else { ++ maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name)); ++ } ++ + for (p = msg; *p != '\0'; ) { + len = strlen(p); + if (len > maxlen) { +@@ -122,7 +130,12 @@ do_syslog(int pri, char *msg) + save = *tmp; + *tmp = '\0'; + +- mysyslog(pri, fmt, sudo_user_name, p); ++ if(!sudo_user_name) { ++ mysyslog(pri, fmt, "NaN", p); ++ } ++ else{ ++ mysyslog(pri, fmt, sudo_user_name, p); ++ } + + *tmp = save; /* restore saved character */ + diff --git a/SOURCES/sudo-1.8.23-pam-expired-passwords.patch b/SOURCES/sudo-1.8.23-pam-expired-passwords.patch deleted file mode 100644 index bf2078a..0000000 --- a/SOURCES/sudo-1.8.23-pam-expired-passwords.patch +++ /dev/null @@ -1,103 +0,0 @@ - -# HG changeset patch -# User Todd C. Miller -# Date 1544201494 25200 -# Node ID 656aa910fbaf0be517e012c9271c51eb85c1cca5 -# Parent ef83f35c9cb090a8b4fd36942f1e47e65c285dce -The fix for bug #843 was incomplete and caused pam_end() to be called early. -sudo_pam_approval() must not set the global pam status to an error -value if it returns AUTH_SUCCESS. Otherwise, sudo_pam_cleanup() -will call pam_end() before sudo_pam_begin_session(). This resulted -in a NULL PAM handle being used in sudo_pam_begin_session(). - -diff -r ef83f35c9cb0 -r 656aa910fbaf plugins/sudoers/auth/pam.c ---- a/plugins/sudoers/auth/pam.c Wed Dec 05 10:43:14 2018 -0700 -+++ b/plugins/sudoers/auth/pam.c Fri Dec 07 09:51:34 2018 -0700 -@@ -210,59 +210,68 @@ - sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt) - { - const char *s; -+ int rc, status = AUTH_SUCCESS; - int *pam_status = (int *) auth->data; - debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH) - -- *pam_status = pam_acct_mgmt(pamh, PAM_SILENT); -- switch (*pam_status) { -+ rc = pam_acct_mgmt(pamh, PAM_SILENT); -+ switch (rc) { - case PAM_SUCCESS: -- debug_return_int(AUTH_SUCCESS); -+ break; - case PAM_AUTH_ERR: - log_warningx(0, N_("account validation failure, " - "is your account locked?")); -- debug_return_int(AUTH_FATAL); -+ status = AUTH_FATAL; -+ break; - case PAM_NEW_AUTHTOK_REQD: - /* Ignore if user is exempt from password restrictions. */ - if (exempt) -- debug_return_int(AUTH_SUCCESS); -+ break; - /* New password required, try to change it. */ - log_warningx(0, N_("Account or password is " - "expired, reset your password and try again")); -- *pam_status = pam_chauthtok(pamh, -- PAM_CHANGE_EXPIRED_AUTHTOK); -- if (*pam_status == PAM_SUCCESS) -- debug_return_int(AUTH_SUCCESS); -- if ((s = pam_strerror(pamh, *pam_status)) == NULL) -+ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); -+ if (rc == PAM_SUCCESS) -+ break; -+ if ((s = pam_strerror(pamh, rc)) == NULL) - s = "unknown error"; - log_warningx(0, - N_("unable to change expired password: %s"), s); -- debug_return_int(AUTH_FAILURE); -+ status = AUTH_FAILURE; -+ break; - case PAM_AUTHTOK_EXPIRED: - /* Ignore if user is exempt from password restrictions. */ - if (exempt) -- debug_return_int(AUTH_SUCCESS); -+ break; - /* Password expired, cannot be updated by user. */ - log_warningx(0, - N_("Password expired, contact your system administrator")); -- debug_return_int(AUTH_FATAL); -+ status = AUTH_FATAL; -+ break; - case PAM_ACCT_EXPIRED: - log_warningx(0, - N_("Account expired or PAM config lacks an \"account\" " - "section for sudo, contact your system administrator")); -- debug_return_int(AUTH_FATAL); -+ status = AUTH_FATAL; -+ break; - case PAM_AUTHINFO_UNAVAIL: - case PAM_MAXTRIES: - case PAM_PERM_DENIED: -- s = pam_strerror(pamh, *pam_status); -+ s = pam_strerror(pamh, rc); - log_warningx(0, N_("PAM account management error: %s"), - s ? s : "unknown error"); -- debug_return_int(AUTH_FAILURE); -+ status = AUTH_FAILURE; -+ break; - default: -- s = pam_strerror(pamh, *pam_status); -+ s = pam_strerror(pamh, rc); - log_warningx(0, N_("PAM account management error: %s"), - s ? s : "unknown error"); -- debug_return_int(AUTH_FATAL); -+ status = AUTH_FATAL; -+ break; - } -+ /* Ignore errors if user is exempt from password restrictions. */ -+ *pam_status = exempt ? PAM_SUCCESS : rc; -+ debug_return_int(status); - } - - int - diff --git a/SOURCES/sudo-1.8.23-pam_access-and-terminals.patch b/SOURCES/sudo-1.8.23-pam_access-and-terminals.patch new file mode 100644 index 0000000..94c46c8 --- /dev/null +++ b/SOURCES/sudo-1.8.23-pam_access-and-terminals.patch @@ -0,0 +1,344 @@ +unchanged: +--- b/plugins/sudoers/auth/pam.c ++++ b/plugins/sudoers/auth/pam.c +@@ -210,59 +210,71 @@ + sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt) + { + const char *s; ++ int rc, status = AUTH_SUCCESS; + int *pam_status = (int *) auth->data; + debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH) + +- *pam_status = pam_acct_mgmt(pamh, PAM_SILENT); +- switch (*pam_status) { ++ rc = pam_acct_mgmt(pamh, PAM_SILENT); ++ switch (rc) { + case PAM_SUCCESS: +- debug_return_int(AUTH_SUCCESS); ++ break; + case PAM_AUTH_ERR: + log_warningx(0, N_("account validation failure, " + "is your account locked?")); +- debug_return_int(AUTH_FATAL); ++ status = AUTH_FATAL; ++ break; + case PAM_NEW_AUTHTOK_REQD: + /* Ignore if user is exempt from password restrictions. */ +- if (exempt) +- debug_return_int(AUTH_SUCCESS); ++ if (exempt) { ++ rc = *pam_status; ++ break; ++ } + /* New password required, try to change it. */ + log_warningx(0, N_("Account or password is " + "expired, reset your password and try again")); +- *pam_status = pam_chauthtok(pamh, +- PAM_CHANGE_EXPIRED_AUTHTOK); +- if (*pam_status == PAM_SUCCESS) +- debug_return_int(AUTH_SUCCESS); +- if ((s = pam_strerror(pamh, *pam_status)) == NULL) ++ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); ++ if (rc == PAM_SUCCESS) ++ break; ++ if ((s = pam_strerror(pamh, rc)) == NULL) + s = "unknown error"; + log_warningx(0, + N_("unable to change expired password: %s"), s); +- debug_return_int(AUTH_FAILURE); ++ status = AUTH_FAILURE; ++ break; + case PAM_AUTHTOK_EXPIRED: + /* Ignore if user is exempt from password restrictions. */ +- if (exempt) +- debug_return_int(AUTH_SUCCESS); ++ if (exempt) { ++ rc = *pam_status; ++ break; ++ } + /* Password expired, cannot be updated by user. */ + log_warningx(0, + N_("Password expired, contact your system administrator")); +- debug_return_int(AUTH_FATAL); ++ status = AUTH_FATAL; ++ break; + case PAM_ACCT_EXPIRED: + log_warningx(0, + N_("Account expired or PAM config lacks an \"account\" " + "section for sudo, contact your system administrator")); +- debug_return_int(AUTH_FATAL); ++ status = AUTH_FATAL; ++ break; + case PAM_AUTHINFO_UNAVAIL: + case PAM_MAXTRIES: + case PAM_PERM_DENIED: +- s = pam_strerror(pamh, *pam_status); ++ s = pam_strerror(pamh, rc); + log_warningx(0, N_("PAM account management error: %s"), + s ? s : "unknown error"); +- debug_return_int(AUTH_FAILURE); ++ status = AUTH_FAILURE; ++ break; + default: +- s = pam_strerror(pamh, *pam_status); ++ s = pam_strerror(pamh, rc); + log_warningx(0, N_("PAM account management error: %s"), + s ? s : "unknown error"); +- debug_return_int(AUTH_FATAL); ++ status = AUTH_FATAL; ++ break; + } ++ *pam_status = rc; ++ debug_return_int(status); + } + + int +unchanged: +--- a/doc/sudoers.cat ++++ b/doc/sudoers.cat +@@ -1286,6 +1286,17 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS + well as the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section at the end + of this manual. This flag is _o_f_f by default. + ++ pam_acct_mgmt On systems that use PAM for authentication, ssuuddoo will ++ perform PAM account validation for the invoking user by ++ default. The actual checks performed depend on which ++ PAM modules are configured. If enabled, account ++ validation will be performed regardless of whether or ++ not a password is required. This flag is _o_n by ++ default. ++ ++ This setting is only supported by version 1.8.28 or ++ higher. ++ + pam_session On systems that use PAM for authentication, ssuuddoo will + create a new PAM session for the command to be run in. + Disabling _p_a_m___s_e_s_s_i_o_n may be needed on older PAM +unchanged: +--- a/doc/sudoers.man.in ++++ b/doc/sudoers.man.in +@@ -2722,6 +2722,19 @@ This flag is + \fIoff\fR + by default. + .TP 18n ++pam_acct_mgmt ++On systems that use PAM for authentication, ++\fBsudo\fR ++will perform PAM account validation for the invoking user by default. ++The actual checks performed depend on which PAM modules are configured. ++If enabled, account validation will be performed regardless of whether ++or not a password is required. ++This flag is ++\fIon\fR ++by default. ++.sp ++This setting is only supported by version 1.8.28 or higher. ++.TP 18n + pam_session + On systems that use PAM for authentication, + \fBsudo\fR +unchanged: +--- a/doc/sudoers.mdoc.in ++++ b/doc/sudoers.mdoc.in +@@ -2560,6 +2560,18 @@ section at the end of this manual. + This flag is + .Em off + by default. ++.It pam_acct_mgmt ++On systems that use PAM for authentication, ++.Nm sudo ++will perform PAM account validation for the invoking user by default. ++The actual checks performed depend on which PAM modules are configured. ++If enabled, account validation will be performed regardless of whether ++or not a password is required. ++This flag is ++.Em on ++by default. ++.Pp ++This setting is only supported by version 1.8.28 or higher. + .It pam_session + On systems that use PAM for authentication, + .Nm sudo +only in patch2: +unchanged: +--- ./plugins/sudoers/auth/pam.c.pamm 2019-01-11 21:30:17.000000000 +0100 ++++ ./plugins/sudoers/auth/pam.c 2019-08-02 15:14:38.980077956 +0200 +@@ -214,66 +214,68 @@ sudo_pam_approval(struct passwd *pw, sud + int *pam_status = (int *) auth->data; + debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH) + +- rc = pam_acct_mgmt(pamh, PAM_SILENT); +- switch (rc) { +- case PAM_SUCCESS: +- break; +- case PAM_AUTH_ERR: +- log_warningx(0, N_("account validation failure, " +- "is your account locked?")); +- status = AUTH_FATAL; +- break; +- case PAM_NEW_AUTHTOK_REQD: +- /* Ignore if user is exempt from password restrictions. */ +- if (exempt) { +- rc = *pam_status; +- break; +- } +- /* New password required, try to change it. */ +- log_warningx(0, N_("Account or password is " +- "expired, reset your password and try again")); +- rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); +- if (rc == PAM_SUCCESS) +- break; +- if ((s = pam_strerror(pamh, rc)) == NULL) +- s = "unknown error"; +- log_warningx(0, +- N_("unable to change expired password: %s"), s); +- status = AUTH_FAILURE; +- break; +- case PAM_AUTHTOK_EXPIRED: +- /* Ignore if user is exempt from password restrictions. */ +- if (exempt) { +- rc = *pam_status; +- break; +- } +- /* Password expired, cannot be updated by user. */ +- log_warningx(0, +- N_("Password expired, contact your system administrator")); +- status = AUTH_FATAL; +- break; +- case PAM_ACCT_EXPIRED: +- log_warningx(0, +- N_("Account expired or PAM config lacks an \"account\" " +- "section for sudo, contact your system administrator")); +- status = AUTH_FATAL; +- break; +- case PAM_AUTHINFO_UNAVAIL: +- case PAM_MAXTRIES: +- case PAM_PERM_DENIED: +- s = pam_strerror(pamh, rc); +- log_warningx(0, N_("PAM account management error: %s"), +- s ? s : "unknown error"); +- status = AUTH_FAILURE; +- break; +- default: +- s = pam_strerror(pamh, rc); +- log_warningx(0, N_("PAM account management error: %s"), +- s ? s : "unknown error"); +- status = AUTH_FATAL; +- break; ++ if (def_pam_acct_mgmt) { ++ rc = pam_acct_mgmt(pamh, PAM_SILENT); ++ switch (rc) { ++ case PAM_SUCCESS: ++ break; ++ case PAM_AUTH_ERR: ++ log_warningx(0, N_("account validation failure, " ++ "is your account locked?")); ++ status = AUTH_FATAL; ++ break; ++ case PAM_NEW_AUTHTOK_REQD: ++ /* Ignore if user is exempt from password restrictions. */ ++ if (exempt) { ++ rc = *pam_status; ++ break; ++ } ++ /* New password required, try to change it. */ ++ log_warningx(0, N_("Account or password is " ++ "expired, reset your password and try again")); ++ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); ++ if (rc == PAM_SUCCESS) ++ break; ++ if ((s = pam_strerror(pamh, rc)) == NULL) ++ s = "unknown error"; ++ log_warningx(0, ++ N_("unable to change expired password: %s"), s); ++ status = AUTH_FAILURE; ++ break; ++ case PAM_AUTHTOK_EXPIRED: ++ /* Ignore if user is exempt from password restrictions. */ ++ if (exempt) { ++ rc = *pam_status; ++ break; ++ } ++ /* Password expired, cannot be updated by user. */ ++ log_warningx(0, ++ N_("Password expired, contact your system administrator")); ++ status = AUTH_FATAL; ++ break; ++ case PAM_ACCT_EXPIRED: ++ log_warningx(0, ++ N_("Account expired or PAM config lacks an \"account\" " ++ "section for sudo, contact your system administrator")); ++ status = AUTH_FATAL; ++ break; ++ case PAM_AUTHINFO_UNAVAIL: ++ case PAM_MAXTRIES: ++ case PAM_PERM_DENIED: ++ s = pam_strerror(pamh, rc); ++ log_warningx(0, N_("PAM account management error: %s"), ++ s ? s : "unknown error"); ++ status = AUTH_FAILURE; ++ break; ++ default: ++ s = pam_strerror(pamh, rc); ++ log_warningx(0, N_("PAM account management error: %s"), ++ s ? s : "unknown error"); ++ status = AUTH_FATAL; ++ break; ++ } ++ *pam_status = rc; + } +- *pam_status = rc; + debug_return_int(status); + } + +only in patch2: +unchanged: +--- ./plugins/sudoers/defaults.c.pamm 2019-08-02 15:14:38.973077882 +0200 ++++ ./plugins/sudoers/defaults.c 2019-08-02 15:14:38.987078030 +0200 +@@ -642,6 +642,7 @@ init_defaults(void) + if ((def_editor = strdup(EDITOR)) == NULL) + goto oom; + def_set_utmp = true; ++ def_pam_acct_mgmt = true; + def_pam_setcred = true; + def_syslog_maxlen = MAXSYSLOGLEN; + def_case_insensitive_user = true; +only in patch2: +unchanged: +--- ./plugins/sudoers/def_data.c.pamm 2019-08-02 15:14:38.976077914 +0200 ++++ ./plugins/sudoers/def_data.c 2019-08-02 15:20:37.592876029 +0200 +@@ -502,6 +502,10 @@ struct sudo_defs_types sudo_defs_table[] + N_("Don't fork and wait for the command to finish, just exec it"), + NULL, + }, { ++ "pam_acct_mgmt", T_FLAG, ++ N_("Perform PAM account validation management"), ++ NULL, ++ }, { + NULL, 0, NULL + } + }; +only in patch2: +unchanged: +--- ./plugins/sudoers/def_data.h.pamm 2019-08-02 15:14:38.976077914 +0200 ++++ ./plugins/sudoers/def_data.h 2019-08-02 15:14:38.987078030 +0200 +@@ -230,6 +230,8 @@ + #define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag) + #define I_CMND_NO_WAIT 115 + #define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag) ++#define I_PAM_ACCT_MGMT 116 ++#define def_pam_acct_mgmt (sudo_defs_table[I_PAM_ACCT_MGMT].sd_un.flag) + + enum def_tuple { + never, +only in patch2: +unchanged: +--- ./plugins/sudoers/def_data.in.pamm 2019-08-02 15:14:38.976077914 +0200 ++++ ./plugins/sudoers/def_data.in 2019-08-02 15:14:38.987078030 +0200 +@@ -363,3 +363,6 @@ legacy_group_processing + cmnd_no_wait + T_FLAG + "Don't fork and wait for the command to finish, just exec it" ++pam_acct_mgmt ++ T_FLAG ++ "Perform PAM account validation management" diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec index 8c4abb5..ce0645b 100644 --- a/SPECS/sudo.spec +++ b/SPECS/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo Version: 1.8.23 -Release: 4%{?dist}.2 +Release: 9%{?dist} License: ISC Group: Applications/System URL: http://www.courtesan.com/sudo/ @@ -52,18 +52,23 @@ Patch8: sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch # 1547974 - (sudo-rhel-7.6-rebase) Rebase sudo to latest stable upstream version Patch9: sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch -# 1672876 - Backporting sudo bug with expired passwords -Patch10: sudo-1.8.23-pam-expired-passwords.patch +# 1647678 - sudo access denied with pam_access and pts terminal configurations +# 1672876 - Backporting sudo bug with expired passwords - this is included in in this patch +Patch10: sudo-1.8.23-pam_access-and-terminals.patch + # 1665285 - Problem with sudo-1.8.23 and 'who am i' Patch11: sudo-1.8.23-who-am-i.patch -# 1760694 - CVE-2019-14287 sudo: Privilege escalation via 'Runas' specification with 'ALL' keyword [rhel-7.7.z] -Patch12: sudo-1.8.28-CVE-strtouid.patch -Patch13: sudo-1.8.28-CVE-strtouid-test.patch +# 1738841 - Crash in do_syslog() while doing sudoedit +Patch12: sudo-1.8.23-fix_empty_username_in_do_syslog.patch + +# 1760694 - CVE-2019-14287 sudo: Privilege escalation via 'Runas' specification with 'ALL' keyword [rhel-7.8] +Patch13: sudo-1.8.28-CVE-strtouid.patch +Patch14: sudo-1.8.28-CVE-strtouid-test.patch -# 1798094 - CVE-2019-18634 sudo: Stack based buffer overflow in when pwfeedback is enabled [rhel-7.7.z] -Patch14: sudo-1.8.29-CVE-2019-18634-part1.patch -Patch15: sudo-1.8.29-CVE-2019-18634-part2.patch +# 1798095 - CVE-2019-18634 sudo: Stack based buffer overflow in when pwfeedback is enabled [rhel-7.8] +Patch15: sudo-1.8.29-CVE-2019-18634-part1.patch +Patch16: sudo-1.8.29-CVE-2019-18634-part2.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -98,14 +103,16 @@ plugins that use %{name}. %patch8 -p1 -b .pam-mgmt-ignore-errors %patch9 -p1 -b .defaults-double-quote-fix -%patch10 -p1 -b .pam-expired +%patch10 -p1 -b .pam_access-and-terminals + %patch11 -p1 -b .who-am-i +%patch12 -p1 -b .do_syslog-username -%patch12 -p1 -b .CVE-strtouid -%patch13 -p1 -b .CVE-strtouid-test +%patch13 -p1 -b .CVE-strtouid +%patch14 -p1 -b .CVE-strtouid-test -%patch14 -p1 -b .CVE-2019-18634-part1 -%patch15 -p1 -b .CVE-2019-18634-part2 +%patch15 -p1 -b .CVE-2019-18634-part1 +%patch16 -p1 -b .CVE-2019-18634-part2 %build autoreconf -I m4 -fv --install @@ -179,7 +186,6 @@ auth include system-auth account include system-auth password include system-auth session optional pam_keyinit.so revoke -session required pam_limits.so session include system-auth EOF @@ -189,7 +195,6 @@ auth include sudo account include sudo password include sudo session optional pam_keyinit.so force revoke -session required pam_limits.so session include sudo EOF @@ -244,15 +249,27 @@ rm -rf %{buildroot} %{_mandir}/man8/sudo_plugin.8* %changelog -* Thu Feb 06 2020 Radovan Sroka 1.8.23-4.2 -- RHEL 7.7.z -- fixed CVE-2019-18634 - Resolves: rhbz#1798094 +* Wed Feb 05 2020 Radovan Sroka - 1.8.23-9 +- RHEL-7.8 +- CVE-2019-18634 + Resolves: rhbz#1798095 -* Wed Oct 16 2019 Radovan Sroka 1.8.23-4.1 -- RHEL-7.7.z +* Thu Oct 17 2019 Marek Tamaskovic 1.8.23-8 +- RHEL-7.8 - fixed CVE-2019-14287 - Resolves: rhbz#1760694 + Resolves: rhbz#1760695 + +* Thu Aug 22 2019 Marek Tamaskovic 1.8.23-7 +- RHEL-7.8 erratum + Resolves: rhbz#1738841 Crash in do_syslog() while doing sudoedit + +* Mon Aug 19 2019 Marek Tamaskovic 1.8.23-6 +- RHEL-7.8 erratum + Resolves: rhbz#1647678 sudo access denied with pam_access and pts terminal configurations + +* Mon Aug 12 2019 Marek Tamaskovic 1.8.23-5 +- RHEL-7.8 erratum + Resolves: rhbz#1711997 sudo is super slow when /etc/security/limits.conf contains many entries * Wed Feb 20 2019 Radovan Sroka 1.8.23-4 - RHEL-7.7 erratum