GrSecurity 2.0.1

Megjelent a GrSecurity patch 2.0.1-es verziója a 2.4.27-es és a 2.6.7-es kernelekhez rengeteg javítással/frissítéssel.

Brad hangúlyozza, hogy a 2.6.7-es verziót használók építsék be az egyéb biztonsági javításokat is, mert a 2.6.8-as kernelhez csak később lesz PaX patch a sok változás miatt.Megjelent a GrSecurity patch 2.0.1-es verziója a 2.4.27-es és a 2.6.7-es kernelekhez.

Brad hangúlyozza, hogy a 2.6.7-es verziót használók építsék be az egyéb biztonsági javításokat is, mert a 2.6.8-as kernelhez csak később lesz PaX patch a sok változás miatt.

Letöltés:

grsecurity-2.0.1-2.4.27.patch

grsecurity-2.0.1-2.6.7.patch

gradm-2.0.1.tar.gz

Sid-et használóknak lett egy repo is fixált libc6-al, egyebekkel:

deb http://grsecurity.net/debian/ unstable main

deb-src http://grsecurity.net/debian/ unstable main

Bejelentés:

From: spender@grsecurity.net

To: grsecurity@grsecurity.net

Subject: [grsec] grsecurity 2.0.1 released for Linux 2.4.27 and 2.6.7

grsecurity 2.0.1 has been released for Linux 2.4.27 and 2.6.7. gradm has

been updated to 2.0.1 for this release. This release includes PaX

updates, proper locking that resolves NULL pointer oopses that some were

experiencing, role de-authentication no longer requires a password, role

name and subject name are displayed with every log if the RBAC system is

enabled, the random TCP source ports feature won't fail before all ports

are used, IP-based role support has been added to special roles,

capability inheritance is fixed, the regular expression matching code

for RBAC objects has been enhanced to support expected results of

filename matching better and also handles [a-Z] style matching, stack

usage has been reduced, kernel memory usage has been reduced, domain

support has been added which allows you to group separate user roles

together in the RBAC system, fixed XFS sleep-on-locking errors in 2.6,

and automatic exploit bruteforcing deterrence, which delays an attack in

services like apache where a parent forks off several children all

sharing the same randomized address space layout and the attacker

attempts to bruteforce the children by exhausting every possible

randomized address. This release also fixes an important security issue

discovered by stealth which allowed an attacker to kill protected

processes in the RBAC system through a system call added recently to

Linux. The chroot restrictions were unaffected by the addition of the

system call. Some naming conventions were also changed, so

/etc/grsec/acl has become /etc/grsec/policy. gradm will automatically

move the file for you. gradm also supports directory including again,

and several bugs have been fixed.

If you're going to use 2.6.7, please also apply fixes for the numerous

security bugs present in that kernel. Due to significant changes in the

"stable" 2.6 tree that break much of PaX, a 2.6.8 patch may not be

coming soon.

Grsecurity has recently enlisted the help of former developer Michael

Dalton who will be focusing on userland changes. These changes will be

made initially for the Debian distribution and can be obtained by adding

the following lines to your /etc/apt/sources.list:

deb http://grsecurity.net/debian/ unstable main

deb-src http://grsecurity.net/debian/ unstable main

As of this writing, glibc 2.3.2 packages for i386 and sparc(64) are

available that include Stefan Esser's unlink sanity check and remove

LD_DEBUG for suid apps to prevent leaking of randomization information.

We will be moving to a new server shortly that will have more space for

these packages.

Thanks to my sponsors and everyone who has donated for making this possible.

Enjoy

-Brad

_______________________________________________

grsecurity mailing list

grsecurity@grsecurity.net

http://grsecurity.net/cgi-bin/mailman/listinfo/grsecurity