Hi,

A couple of days ago, I released a new revision of the kernel patch, updated to Linux 2.4.37.5:

http://www.openwall.com/linux/

(and I similarly released updates to all other minor revisions of Linux 2.4.37.x before, some of which I neglected to announce in here).

The important security-relevant changes made in the 2.4.37.x kernels and in the -ow patches are briefly described in news items on the above web page.

Specifically, the 2.4.37.5 kernel adds a fix for a NULL pointer dereference bug (which, as far as I'm aware, was not exploitable into privilege escalation as long as the vm.mmap_min_addr restriction was enabled and working), whereas the -ow patch to it adds a fix for a local information leak affecting 64-bit kernel builds (not yet fixed upstream in 2.4; it will likely be fixed in the next upstream revision).

2.4.37.3-ow1 and then 2.4.37.4 introduced a hardening measure against a vm.mmap_min_addr bypass that could have worked via a combination of the "personality" feature and certain improperly designed SUID-root programs (only one example is known to me so far: pulseaudio). As far as I'm aware, on 2.4 kernels this bypass could have worked on x86_64 kernel builds, but not on most/all other architectures (including definitely not on 32-bit x86 builds).

Finally, the 2.4.37.3 kernel release added the "-fno-delete-null-pointer-checks" option to gcc invocations, which was important to reduce the impact of a class of kernel bugs (which are yet to be found and fixed individually, but are known to exist in general), and added several security-relevant fixes to the RTL-8169 NIC driver.

(Linux 2.4.37.2-ow1 and earlier were announced in here before, so I'll stop documenting the changes at this point.)
There are new ISO images of Owl-current (for x86 and x86-64) available on our FTP mirrors:

http://www.openwall.com/Owl/DOWNLOAD.shtml

-rw-r--r-- 1 ftp ftp 449344077 Aug 23 06:44 Owl-current-20090823-i586.iso.gz
-rw-r--r-- 1 ftp ftp 452960143 Aug 23 10:00 Owl-current-20090823-x86_64.iso.gz

These use the Linux 2.4.37.5-ow1 kernel, and they contain various package updates that we made lately:

http://www.openwall.com/Owl/CHANGES-current.shtml

We've been generating new Owl-current ISOs every 1-2 weeks lately. Since the last one I announced in here, we've made major changes to our packages of vsftpd, BIND, chkconfig, groff, logrotate, mktemp, findutils, tar - as well as minor changes to other packages and parts of Owl - and indeed we've updated the kernel.

Alexander

-- 
To unsubscribe, e-mail owl-users-unsubscribe_at_private and reply to the automated confirmation request that will be sent to you.

Received on Tue Aug 25 2009 - 01:59:36 PDT
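The message above explains why 2.4.37.3 started passing "-fno-delete-null-pointer-checks" to gcc without showing the bug pattern it contains. The following is an added illustration, not code from the announcement, the Openwall kernel patch or Owl: a hypothetical kernel-style `struct sock` with a `type` field, a function that dereferences the pointer before testing it for NULL (the pattern the flag is meant to protect), and the correctly ordered version beside it. With the dereference first, gcc may treat the pointer as provably non-NULL and delete the later check, so a NULL pointer reaches the load; if an attacker could map page zero (what vm.mmap_min_addr prevents), that load would return attacker-controlled memory.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical kernel-style object (not from the Linux sources). */
struct sock {
    int type;
};

/*
 * The bug pattern "-fno-delete-null-pointer-checks" is meant to contain:
 * the pointer is dereferenced first and tested afterwards. The C standard
 * lets gcc assume a pointer that was already dereferenced is non-NULL, so
 * at -O2 (without that flag) the "if (!sk)" test below may be deleted
 * entirely. A NULL sk then reads from address 0. Whether that is a crash
 * or a read of attacker-controlled data depends on whether userland was
 * allowed to map page zero, which is what vm.mmap_min_addr prevents.
 */
int sock_type_buggy(struct sock *sk)
{
    int t = sk->type;          /* dereference before the check */
    if (!sk)                   /* gcc may remove this check */
        return -1;
    return t;
}

/* Correct ordering: test the pointer before touching it. The check is
 * reachable and meaningful here, so no compiler flag is needed. */
int sock_type_fixed(struct sock *sk)
{
    if (!sk)
        return -1;
    return sk->type;
}

/* Constructed sample object and wrappers so the two paths can be
 * exercised (and checked) without passing NULL to the buggy version. */
static struct sock sample = { .type = 2 };

int sock_type_fixed_sample(void)
{
    return sock_type_fixed(&sample);
}

int sock_type_buggy_sample(void)
{
    return sock_type_buggy(&sample);
}

int main(void)
{
    printf("fixed, valid sock: %d\n", sock_type_fixed_sample());
    printf("fixed, NULL sock:  %d\n", sock_type_fixed(NULL));
    printf("buggy, valid sock: %d\n", sock_type_buggy_sample());
    /* sock_type_buggy(NULL) is deliberately not called: the load precedes
     * the check, so it faults whether or not gcc kept the test. */
    return 0;
}
```

The flag only keeps the check in the compiled code; it does not make the early dereference safe. That is why the announcement describes it as reducing the impact of a class of bugs that still have to be found and fixed individually, with vm.mmap_min_addr as the second layer that keeps address 0 out of an attacker's hands.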
This archive was generated by hypermail 2.2.0 : Tue Aug 25 2009 - 01:59:59 PDT