Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 10 Dec 2010 05:30:02 +0300
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com, owl-users@...ts.openwall.com
Subject: [openwall-announce] new Owl ISOs, OpenVZ templates, packages & kernel (CVE-2010-4258 fix and a lot more)

Hi,

I've just released new Owl-current ISOs, OpenVZ container templates, and
freshly rebuilt package sets for i686 and x86-64.  This might be the
last Owl-current snapshot before we make our 3.0 release, so please test
extensively and report both successes and failures (in some detail). ;-)

The Owl homepage has direct download links for the ISOs:

http://www.openwall.com/Owl/

Currently, these point to the already-updated French mirror (also fast
from the US).  I intend to re-point them to the mirror at kernel.org
once that gets updated (it should be updated in an hour from now).

Compared to the September 24 snapshot, the Linux/OpenVZ kernel has once
again been updated to OpenVZ's latest from their "RHEL5 testing" branch
(2.6.18-194.26.1.el5.028stab079.1), with many additional security fixes
and security hardening measures added on top of it.  This includes a fix
for "dangerous interaction between clear_child_tid, set_fs(), and kernel
oopses" (CVE-2010-4258) discovered by Nelson Elhage of Ksplice:

http://www.openwall.com/lists/oss-security/2010/12/02/3
http://www.openwall.com/lists/oss-security/2010/12/02/7
http://www.openwall.com/lists/oss-security/2010/12/09/14

and a fix for partial mmap_min_addr bypass via install_special_mapping()
discovered by Tavis Ormandy of Google Security Team (no CVE id yet,
there will likely be one by tomorrow):

http://www.openwall.com/lists/oss-security/2010/12/09/12
http://www.openwall.com/lists/oss-security/2010/12/09/13

The latter is currently known to allow for mapping just one page below
mmap_min_addr, which was not enough to affect Owl "for real" due to our
setting of mmap_min_addr to 96 KB in /etc/sysctl.conf.  Nevertheless, we
have now introduced the extra checks proposed by Tavis and propagated
the safer default of 96 KB (vs. Red Hat's 4 KB) into our kernel patch
(not relying on /etc/sysctl.conf alone anymore).

Additionally, many security-relevant patches and an ext4 mount
reliability fix have been merged from 2.6.18-236.el5 (Red Hat's testing
kernel).  Most of these are fixes for infoleak bugs discovered by Dan
Rosenberg of Virtual Security Research, as well as a couple discovered
by Vasiliy Kulikov of our team.  Most of them were in relatively obscure
subsystems that are not exposed on typical Owl installs.

Finally, Dan Rosenberg's patch introducing the dmesg_restrict sysctl and
CONFIG_SECURITY_DMESG_RESTRICT (enabled on Owl by default) has been
merged (via Red Hat's 2.6.18-236.el5).

Many userland packages have been updated to new upstream versions:
binutils, hdparm, ed, man-pages, diffstat, flex, ncurses, VIM,
Linux-PAM, GnuPG, cdrkit, iptables, SysVinit, smartmontools, lftp, xz,
and Postfix.  In the case of binutils, we updated to 2.20.51.0.11 in
September - October (this involved some fixes to other packages).
We did not update to 2.21 that was released yesterday yet.

The Linux-PAM update adds important security fixes to pam_env, pam_mail,
and pam_xauth (CVE-2010-3316, CVE-2010-3435, CVE-2010-3430, and
CVE-2010-3431; issues discovered by Sebastian Krahmer of SuSE, Tim
Brown, and some final bits by me).  None of these modules were ever in
use on Owl by default, but we did provide them (and we still do).

Finally, many minor enhancements to various parts of Owl have been made,
including to bootup, shutdown, and the installer ("safe" boot label for
machines that have problems with ACPI support), default shell prompts
with bash and tcsh, CVS (a minor potentially security-relevant change
fixing CVE-2010-3846), and BIND (many extra sample directives and
comments in the default configuration file).

This round of updates is mostly due to work by Vasiliy Kulikov (most
package updates), Dmitry V. Levin (the Linux-PAM fixes), and me.

Please refer to the Owl-current change log for some detail different
from the above (e.g., specific upstream version numbers we updated to,
additional external links on the security issues):

http://www.openwall.com/Owl/CHANGES-current.shtml

As usual, feedback is welcome.

Alexander

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ