From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1P9Gvz-0001N1-Qg for garchives@archives.gentoo.org; Fri, 22 Oct 2010 12:41:24 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 1B6A4E05FE; Fri, 22 Oct 2010 12:39:47 +0000 (UTC) Received: from a.mx.whyscream.net (meredith.tomhendrikx.nl [217.149.194.147]) by pigeon.gentoo.org (Postfix) with ESMTP id E56EDE05FE for ; Fri, 22 Oct 2010 12:39:46 +0000 (UTC) Received: from [10.0.2.15] (waalbrug.nijmegen.internl.net [217.149.192.5]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by a.mx.whyscream.net (Postfix) with ESMTPSA id ABBD21002 for ; Fri, 22 Oct 2010 14:39:42 +0200 (CEST) Message-ID: <4CC1860D.4080802@whyscream.net> Date: Fri, 22 Oct 2010 14:39:41 +0200 From: Tom Hendrikx User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.11) Gecko/20101006 Thunderbird/3.1.5 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-hardened@lists.gentoo.org Reply-to: gentoo-hardened@lists.gentoo.org MIME-Version: 1.0 To: gentoo-hardened@lists.gentoo.org Subject: Re: [gentoo-hardened] Security notice for hardened users. References: <4CC173A4.1080106@gentoo.org> In-Reply-To: <4CC173A4.1080106@gentoo.org> X-Enigmail-Version: 1.1.2 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig5D2846DA418CE889847BDA3A" X-Archives-Salt: 9b460b61-7e9c-4f9c-beca-991a47c68810 X-Archives-Hash: 4a783fbb00c796d41b0d431cfa3232bb This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig5D2846DA418CE889847BDA3A Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable On 22/10/10 13:21, Anthony G. Basile wrote: > Hi all hardened users. >=20 > On Oct. 19, a local privilege escalation exploit was found [1,2] that > affected hardened kernels on all architectures. For certain > configurations of the hardened kernel, it is possible for a local user > to obtain root privileges. The current Proof-Of-Concept code can be > frustrated by not providing symbol information via /proc/kallsyms or > System.map, but at this time it is unclear if other hardening > features such as CONFIG_PAX_MEMORY_UDEREF provide adequate protection > against variations of the POC which do not need symbols. >=20 > All users are encouraged to upgrade to hardened-sources-2.6.32-r22 > which is currently marked stable on amd64 and x86. It is being fast > tracked on other archs. [3] >=20 > hardened-sources-2.6.35-r4 is also not vulnerable, but cannot be > stabilized yet because of a bug in dhcp which also affects > gentoo-sources-2.6.35-r4. [4] For those who want kernels > .32 and > can live with the minor bug, you can safely use > hardened-sources-2.6.35-r4. >=20 > Later this week, all ebuild for vulnerable kernels will be removed > from the tree, except for hardened-sources-2.6.34-r6 > hardened-sources-2.6.32-r9 and hardened-sources-2.6.28-r9. These will > be kept for continuity. >=20 >=20 > Ref: >=20 > [1] http://www.vsecurity.com/resources/advisory/20101019-1/ >=20 > [2] http://bugs.gentoo.org/show_bug.cgi?id=3D341801 >=20 > [3] http://bugs.gentoo.org/show_bug.cgi?id=3D341915 >=20 > [4] http://bugs.gentoo.org/show_bug.cgi?id=3D334341 >=20 Just to verify: if I understand https://bugs.gentoo.org/show_bug.cgi?id=3D341801 correctly, a secure replacement for (stable) hardened-sources-2.6.34-r6 on amd64 will not be stabilized within a month, as it is awaiting baselayout-2 stabilisation (offtopic: w00t). Or I'd need to downgrade to 2.6.32. For people running baselayout-2 already, there is no reason not to add hardened-sources-2.6.35-r4 to package.keywords and upgrade? -- Regards, Tom --------------enig5D2846DA418CE889847BDA3A Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkzBhg0ACgkQeEmCqmj6IjY6gQCgtXW/sjAcEBX+97k9wkB+eHWd 7GUAnR6r2w6VgAUbipVPxiZK2Dg5tEXR =dwj2 -----END PGP SIGNATURE----- --------------enig5D2846DA418CE889847BDA3A--