GrSecurity 2.1.3

GrSecurity 2.1.3 has been released. Anyone using the RBAC system should upgrade immediately!

Download:

----------

grsecurity-2.1.3-2.4.29-200503070900.patch

grsecurity-2.1.3-2.6.11-200503070900.patch

gradm-2.1.3-200503070918.tar.gz


Announcement:

-------------

From: spender@grsecurity.net (Brad Spengler)

To: grsecurity@grsecurity.net

Subject: [grsec] grsecurity 2.1.3 released for 2.4.29/2.6.11 *CRITICAL UPDATE FOR RBAC USERS*

grsecurity 2.1.3 has been released to fix a number of problems found during a routine audit of grsecurity. Changes in this release include allowed gradm -u for non-root users in a no-authentication special role, addition of a missing ptrace hook on amd64, fixed hidden file check that takes subject inheritance into account, unification of the mmap hook so it no longer requires a per-arch component, and the breakup of the "O" subject flag into "O" and "t", where "O" now means to allow writable library loads for the process, while "t" allows a process to ptrace any task. The "t" mode should be used sparingly in combination with the no-ptrace object flag. A bug in PaX that causes a SIGBUS in a task when SEGMEXEC is enabled but MPROTECT is disabled has been fixed in this release as well.

During the audit, a critical vulnerability was found in the RBAC system that effectively gave every subject the "O" flag, allowing a root user for instance to gain the privileges of any other process through LD_PRELOAD or ptrace. If you have already upgraded to 2.1.2 and use the RBAC system, I strongly urge you to upgrade to 2.1.3. To ensure that problems like this won't occur in the future, I will be developing an extensive regression test suite for the RBAC system similar to the one that exists already for non-RBAC features.

Sorry about the timing of this release, but the vuln I discovered is quite serious, and I'm hoping to catch the people who haven't updated their machines to 2.1.2 yet due to it being released over the weekend.

-Brad
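The attack path named in the announcement, a root process attaching to another task with ptrace, is also the check worth running after the upgrade. The program below is an added example, not code from the announcement, from grsecurity or from gradm: a small C probe that reports whether PTRACE_ATTACH to a given pid is allowed or refused. Run it from a root shell inside a subject that does not carry the "t" flag, against a process that belongs to a different subject; on a fixed kernel with such a policy the expected answer is EPERM. The function names (ptrace_probe, probe_own_child) and the baseline of probing a freshly forked child are my assumptions; what the kernel actually returns depends on the loaded RBAC policy and on any other ptrace restriction in effect (Yama, seccomp).

```c
/* Added example, not code from the grsecurity announcement or from gradm.
 * Probe whether the calling process may PTRACE_ATTACH to a target. This is
 * the check to run after upgrading to 2.1.3: from a subject that lacks the
 * "t" flag, attaching to a task in another subject should fail with EPERM.
 * Build: cc -Wall -o ptrace_probe ptrace_probe.c
 */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Try to attach to pid with ptrace(2). On success the target is stopped by
 * the kernel; we consume that stop, detach so the target keeps running, and
 * return 0. Otherwise return the errno the kernel reported: EPERM means the
 * attach was refused (DAC, capabilities, RBAC, Yama or seccomp), ESRCH means
 * there is no such task. */
int ptrace_probe(pid_t pid)
{
    int status;

    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1)
        return errno;

    /* PTRACE_ATTACH delivers a SIGSTOP; reap the stop before detaching so
     * the target is left exactly as we found it. */
    if (waitpid(pid, &status, __WALL) == -1) {
        int err = errno;
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
        return err;
    }
    ptrace(PTRACE_DETACH, pid, NULL, NULL);
    return 0;
}

/* Baseline: fork a throwaway child that just blocks, probe it, kill it.
 * A child of the same user in the same subject should attach (0) unless a
 * restriction outside RBAC forbids ptrace altogether (EPERM). Comparing this
 * baseline with a probe of a process in another subject shows whether the
 * "t"/no-ptrace policy is what is blocking the attach. */
int probe_own_child(void)
{
    pid_t pid = fork();
    int r;

    if (pid == -1)
        return errno;
    if (pid == 0) {
        for (;;)
            pause();            /* child: block until killed */
    }
    r = ptrace_probe(pid);
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);      /* reap the child */
    return r;
}

/* Usage: ./ptrace_probe [pid]
 * No argument: probe a freshly forked child (baseline).
 * With a pid: probe that task; run it from the role/subject under test. */
int main(int argc, char **argv)
{
    int r;

    if (argc < 2) {
        r = probe_own_child();
        printf("own child: ");
    } else {
        pid_t target = (pid_t)strtol(argv[1], NULL, 10);
        r = ptrace_probe(target);
        printf("pid %ld: ", (long)target);
    }
    if (r == 0)
        printf("PTRACE_ATTACH allowed\n");
    else
        printf("PTRACE_ATTACH refused: %s\n", strerror(r));
    return r == 0 ? 0 : 1;
}
```

Read the two results together: if the own-child baseline attaches but the cross-subject probe returns EPERM, the RBAC policy is doing the blocking; if both return EPERM, something other than the policy (Yama ptrace_scope, a seccomp filter, missing CAP_SYS_PTRACE) is in the way and the policy has not actually been exercised.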

Comments

Maybe the news should be moved to the security category, since this is a security release as well, because of a root problem (Brad judges it quite serious). Plus, for those who don't read English: other, perhaps more important fixes were made too, including one for a PaX bug that can cause programs to crash if SEGMEXEC is enabled but MPROTECT is disabled.

An additional note: the 2.1.3 release of gradm2 is recommended to go with it.