Re: [gentoo-hardened] Security notice for hardened users.

["Anthony G. Basile" <basile@opensource.dyc.edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/22/2010 08:39 AM, Tom Hendrikx wrote:
> Just to verify: if I understand
> https://bugs.gentoo.org/show_bug.cgi?id=341801 correctly, a secure
> replacement for (stable) hardened-sources-2.6.34-r6 on amd64 will not be
> stabilized within a month, as it is awaiting baselayout-2 stabilisation
> (offtopic: w00t). Or I'd need to downgrade to 2.6.32.

That is correct.  When 2.6.35-r4 is stabilized it will be stabilized for
all archs.  2.6.34-r6 was *only* fast track stabilized on amd64 for
another local root exploit bug [1].

> 
> For people running baselayout-2 already, there is no reason not to add
> hardened-sources-2.6.35-r4 to package.keywords and upgrade?

Correct.  Even if you are not using baselayout-2 you can try
h-s-2.6.35-r4 and see if you get bit by the dhcp bug.  If you don't, I
see no reason not to just use it.

I didn't feel it was justifiable to fast track stabilization of two h-s
kernels.  Fast track stabilization is dangerous and in fact, 2.6.34-r6
is an example.  It has a bug that probably would have been caught if we
could have waiting the required 30 days [2].

PLEASE!  Report any bugs in h-s-2.6.32-r22 or h-s-2.6.35-r4 asap so we
can address them.  Ideally stabilized kernels should be bug free.


Ref.

[1] http://bugs.gentoo.org/show_bug.cgi?id=337645

[2] http://bugs.gentoo.org/show_bug.cgi?id=338572

- -- 
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkzBuFYACgkQl5yvQNBFVTVDxgCgkzdK646BGMu8S7gwZ8n1yNen
IuUAnRwuBTXqZqN80DRNCmkE+IMtiaZ3
=ht5V
-----END PGP SIGNATURE-----