RLC-H 9.7-20260131 Release Notes

RLC-H Version: 9.7-20260131
Release Dates: Dec 15, 2025 to Jan 31, 2026
Previous Version: 9.6-20251028

Release Highlights

  • RLC-H based on Rocky Linux 9.7
  • kernel 5.14.0-611.16.1+2.1.el9_7_ciq
  • LKRG 1.0.0-2.el9.ciqh.0.2
  • glibc 2.34-231.2.el9.ciqh.0.15
  • hardened_malloc 13-4.el9.ciqh
  • OpenSSH 8.7p1-46.el9.ciqh.0.13

Security Updates

CVE Fixes

This release includes all CVE fixes from upstream EL 9.7, most notably the upstream fix for CVE-2025-4598, in addition to the full mitigation we had in RLC-H from the start.

Hardening Component Updates

LKRG

LKRG 1.0.0 rebuilt for EL 9.7 kernels.

hardened_malloc

hardened_malloc 13 has been further updated with transparent compatibility workarounds for PHP packages and modules from Remi's popular repository, in addition to the previously supported PHP builds in our own repositories.

Hardened glibc

Hardened glibc rebased on EL 9.7 glibc 2.34-231.2.

Hardened OpenSSH

Hardened OpenSSH rebased on EL 9.7 OpenSSH 8.7p1-46.

control

control password-hash extended with new setting yescrypt8.

Stronger Password Hashing

The new control password-hash setting yescrypt8 enables yescrypt rounds=8, which uses 8x more time (almost 100ms) and memory (128 MiB) than the default implied rounds=5 (16 MiB). This is tuned to meet the 100ms authentication time allowance recommended, for example, in the original scrypt paper, on modern x86-64 CPUs at low system load running an EL9 kernel capable of using transparent huge pages for this task. The result is the strongest password hashes we can currently have within the recommended authentication time allowance.

This is currently offered as a technology preview, and is likely to become our new default in the next update.
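To see which stored hashes already use the larger cost, the following added example (not part of these release notes or of the control tool) decodes the yescrypt parameter field of shadow-format entries and reports the approximate memory cost. It assumes the libxcrypt setting layout `$y$<params>$<salt>$<hash>`, where the second and third parameter characters encode log2(N)-1 and r-1 and memory is about 128*N*r bytes; the sample entries, function names and the 128 MiB threshold are constructed for illustration.

```python
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
YESCRYPT = re.compile(r"^\$y\$([./0-9A-Za-z]+)\$")

# Constructed sample in /etc/shadow format; salts and hashes are placeholders.
SAMPLE_SHADOW = """\
alice:$y$j9T$CONSTRUCTEDSALT1$CONSTRUCTEDHASH1:20450:0:99999:7:::
bob:$y$jCT$CONSTRUCTEDSALT2$CONSTRUCTEDHASH2:20480:0:99999:7:::
carol:$6$CONSTRUCTEDSALT3$CONSTRUCTEDHASH3:20100:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""

def decode_params(params):
    """Return (N, r) from a yescrypt parameter string such as 'j9T'.
    Assumed layout: flavor char, then log2(N)-1, then r-1 (one char each)."""
    if len(params) != 3:
        raise ValueError("unsupported parameter string: " + params)
    n_idx, r_idx = ITOA64.index(params[1]), ITOA64.index(params[2])
    if n_idx > 47 or r_idx > 47:  # larger values use a multi-character form
        raise ValueError("unsupported parameter string: " + params)
    return 1 << (n_idx + 1), r_idx + 1

def memory_mib(params):
    """Approximate memory cost in MiB, taken as 128 * N * r bytes."""
    n, r = decode_params(params)
    return 128 * n * r // (1 << 20)

def audit(shadow_text, min_mib=128):
    """Map each account that has a password hash to a finding string."""
    findings = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        field = fields[1].lstrip("!") if len(fields) > 1 else ""
        if not field.startswith("$"):
            continue  # no password hash stored for this entry
        m = YESCRYPT.match(field)
        if not m:
            findings[fields[0]] = "not yescrypt"
            continue
        mib = memory_mib(m.group(1))
        verdict = "ok" if mib >= min_mib else "below target"
        findings[fields[0]] = f"{mib} MiB {verdict}"
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_SHADOW).items():
        print(f"{user}: {finding}")
```

A stored hash keeps the cost it was created with until the password is next changed, so accounts reported below the target have not yet picked up the new setting.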

Compliance Updates

FIPS Updates

No dedicated FIPS repository is provided for Rocky Linux 9.7 at this time. The modules in our Rocky Linux 9.6 FIPS 140-3 preview repository have been validated by the world’s premier cryptographic validation lab atsec and remain available for Rocky Linux 9.6 deployments.

Upgrade Considerations and Known Issues

Users should expect the following changes to take place on updating/upgrading:

rlc-gpg-keys     noarch     9.7-1.8.el9_7_ciq     rlc-extras-9.x86_64     14 k
     replacing  ciq-rocky-gpg-keys.noarch 9.6-1.1.el9_6_rlc
     replacing  rocky-gpg-keys.noarch 9.7-1.4.el9

rlc-h-release    noarch     9.7-1.9.el9.ciqh      rlc-h-9-x86_64          24 k
     replacing  rocky-release.noarch 9.7-1.4.el9

rlc-repos        noarch     9.7-1.8.el9_7_ciq     rlc-extras-9.x86_64     11 k
     replacing  ciq-rocky-repos.noarch 9.6-1.1.el9_6_rlc

Users may also be prompted to install this signing key:

CIQ Public Repository for Depot Client               12 kB/s | 1.7 kB     00:00
Importing GPG key 0xC7780912:
 Userid     : "CIQ Signing Key V2 <engineering@ciq.co>"
 Fingerprint: 79D5 C67D 0851 F732 8AB2 0015 E825 8450 C778 0912
 From       : https://ciq.com/keys/rpm-gpg-key-ciq
Is this ok [y/N]: y

Our depot package has gone through some changes. These should be transparent, except for STIG images, where the new depot package should be installed explicitly with:

sudo dnf install -y --disablerepo="*" https://depot.ciq.com/dlv2/depot-el9.$(uname -m)/depot.rpm