Skip to content

RLC-H 9.6-20251028 Release Notes

RLC-H Version: 9.6-20251028

Changes

Hardening

LKRG updated

  • Based on new upstream release 1.0.0
  • This upstream release incorporates further reliability and performance improvements developed and tested in an effort supported by CIQ

hardened_malloc updated

  • Based on new upstream version 13
  • Rocky Linux specific workarounds for all compatibility issues identified so far (which previously affected pcsd, php, sssd)

Hardened glibc updated

  • Based on new upstream version 2.34-168.el9_6.23
  • Includes a fix for CVE-2025-8058 (double-free after allocation failure in regcomp)

Compliance

Rocky Linux from CIQ Hardened (RLCH) NIST 800-171 variant image

  • Delivering automated compliance for organizations requiring NIST 800-171 certification
  • NIST 800-171 compliance out-of-the-box without manual configuration

Rocky Linux 9.6 FIPS 140-3 preview repository

  • Now fully integrated with our compliance variant build system, enabling FIPS cryptography (lab validation pending) across all security frameworks

  • The CIQ FIPS 9.6 preview repository includes the following modules:

    • Kernel
    • Openssl
      • OpenSSL 3.0.7 FIPS provider
    • Nss
    • GnuTLS
    • Libgcrypt

  • The modules are currently in the validation process with the world’s premier cryptographic validation lab atsec

The compliance variants no longer use the SCN kernel

  • With the addition of CIQ’s FIPS preview kernel the SCN kernel will no longer be the default kernel for RLCH compliant variants

Fix for 2 DISA STIG rules mac hashing

  • Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config
  • Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config