Date: Mon, 24 Oct 2016 07:33:34 +0200
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com, owl-users@...ts.openwall.com
Subject: Owl security fixes: Linux kernel "Dirty COW", BIND DoS

Hi,

Linux kernel and BIND security updates are now available in Owl-current
and Owl 3.1-stable, documented as follows:

2016/10/23	Package: kernel
SECURITY FIX	Severity: high, local, active
Added a mitigation for the "Dirty COW" Linux kernel privilege escalation
vulnerability (CVE-2016-5195).
References:
http://www.openwall.com/lists/oss-security/2016/10/21/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195

2016/10/17 -
2016/10/21	Package: bind
SECURITY FIX	Severity: low, remote, active
Merged multiple DoS vulnerability fixes from Red Hat's package, most
notably for two easily triggerable assertion failures (CVE-2016-2776,
CVE-2016-2848).
References:
http://www.openwall.com/lists/oss-security/2016/09/27/8
https://kb.isc.org/article/AA-01419
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2776
http://www.openwall.com/lists/oss-security/2016/10/20/7
https://kb.isc.org/article/AA-01433/74/CVE-2016-2848
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2848

These are currently available as source code changes and as pre-built
packages (in both branches, and for both i686 and x86_64), however there
are no updated ISOs and vztemplates yet.

The "Dirty COW" mitigation is likely non-final and possibly incomplete
(it addresses the MADV_DONTNEED vs. PTRACE_POKE* race, and possibly some
other scenarios), pending a properly tested backport of the official fix
(likely) by Red Hat, but given the urgency of the issue I felt it most
appropriate to start by releasing a non-invasive mitigation like this.

Alexander
