Date: Fri, 10 Dec 2010 05:30:02 +0300
From: Solar Designer <>
Subject: [openwall-announce] new Owl ISOs, OpenVZ templates, packages & kernel (CVE-2010-4258 fix and a lot more)


I've just released new Owl-current ISOs, OpenVZ container templates, and
freshly rebuilt package sets for i686 and x86-64.  This might be the
last Owl-current snapshot before we make our 3.0 release, so please test
extensively and report both successes and failures (in some detail). ;-)

The Owl homepage has direct download links for the ISOs:

Currently, these point to the already-updated French mirror (also fast
from the US).  I intend to re-point them to the mirror at
once that gets updated (it should be updated in an hour from now).

Compared to the September 24 snapshot, the Linux/OpenVZ kernel has once
again been updated to OpenVZ's latest from their "RHEL5 testing" branch
(2.6.18-194.26.1.el5.028stab079.1), with many additional security fixes
and security hardening measures added on top of it.  This includes a fix
for "dangerous interaction between clear_child_tid, set_fs(), and kernel
oopses" (CVE-2010-4258) discovered by Nelson Elhage of Ksplice:

and a fix for partial mmap_min_addr bypass via install_special_mapping()
discovered by Tavis Ormandy of Google Security Team (no CVE id yet,
there will likely be one by tomorrow):

The latter is currently known to allow for mapping just one page below
mmap_min_addr, which was not enough to affect Owl "for real" due to our
setting of mmap_min_addr to 96 KB in /etc/sysctl.conf.  Nevertheless, we
have now introduced the extra checks proposed by Tavis and propagated
the safer default of 96 KB (vs. Red Hat's 4 KB) into our kernel patch
(not relying on /etc/sysctl.conf alone anymore).

Additionally, many security-relevant patches and an ext4 mount
reliability fix have been merged from 2.6.18-236.el5 (Red Hat's testing
kernel).  Most of these are fixes for infoleak bugs discovered by Dan
Rosenberg of Virtual Security Research, as well as a couple discovered
by Vasiliy Kulikov of our team.  Most of them were in relatively obscure
subsystems that are not exposed on typical Owl installs.

Finally, Dan Rosenberg's patch introducing the dmesg_restrict sysctl and
CONFIG_SECURITY_DMESG_RESTRICT (enabled on Owl by default) has been
merged (via Red Hat's 2.6.18-236.el5).

Many userland packages have been updated to new upstream versions:
binutils, hdparm, ed, man-pages, diffstat, flex, ncurses, VIM,
Linux-PAM, GnuPG, cdrkit, iptables, SysVinit, smartmontools, lftp, xz,
and Postfix.  In the case of binutils, we updated to in
September - October (this involved some fixes to other packages).
We did not update to 2.21 that was released yesterday yet.

The Linux-PAM update adds important security fixes to pam_env, pam_mail,
and pam_xauth (CVE-2010-3316, CVE-2010-3435, CVE-2010-3430, and
CVE-2010-3431; issues discovered by Sebastian Krahmer of SuSE, Tim
Brown, and some final bits by me).  None of these modules were ever in
use on Owl by default, but we did provide them (and we still do).

Finally, many minor enhancements to various parts of Owl have been made,
including to bootup, shutdown, and the installer ("safe" boot label for
machines that have problems with ACPI support), default shell prompts
with bash and tcsh, CVS (a minor potentially security-relevant change
fixing CVE-2010-3846), and BIND (many extra sample directives and
comments in the default configuration file).

This round of updates is mostly due to work by Vasiliy Kulikov (most
package updates), Dmitry V. Levin (the Linux-PAM fixes), and me.

Please refer to the Owl-current change log for some detail different
from the above (e.g., specific upstream version numbers we updated to,
additional external links on the security issues):

As usual, feedback is welcome.
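
Added example, not part of the original message and not Owl's own code: a small audit of a sysctl.conf-style file for the two settings discussed above, the 96 KB mmap_min_addr and dmesg_restrict. The function names, the 4 KB page size and the sample file contents are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not from the announcement): audit a sysctl.conf-style file
# for the two hardening settings the message mentions.
PAGE_SIZE=4096                 # assumption: 4 KB pages (i686 / x86-64)
OWL_MIN_ADDR=$((96 * 1024))    # the 96 KB value named in the message

# Print the last value assigned to key $2 in file $1 (last assignment wins).
sysctl_conf_get() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }             # comment lines
        NF >= 2 { k = $1; v = $2
                  gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
                  if (k == key) val = v }
        END { if (val != "") print val }' "$1"
}

# Lowest address left reachable if a bug allows one page below the limit.
lowest_mappable() {
    if [ "$1" -ge "$PAGE_SIZE" ]; then echo $(($1 - $PAGE_SIZE)); else echo 0; fi
}

# Returns 0 only if both settings match the values the message describes.
audit_conf() {
    min=$(sysctl_conf_get "$1" vm.mmap_min_addr)
    dmesg=$(sysctl_conf_get "$1" kernel.dmesg_restrict)
    rc=0
    case "$min" in
        ''|*[!0-9]*) echo "WARN vm.mmap_min_addr unset or not numeric"; rc=1 ;;
        *) low=$(lowest_mappable "$min")
           if [ "$min" -lt "$OWL_MIN_ADDR" ]; then
               echo "WARN vm.mmap_min_addr=$min (< $OWL_MIN_ADDR), one-page margin ends at $low"; rc=1
           else
               echo "OK   vm.mmap_min_addr=$min, one-page margin ends at $low"
           fi ;;
    esac
    if [ "$dmesg" = 1 ]; then echo "OK   kernel.dmesg_restrict=1"
    else echo "WARN kernel.dmesg_restrict=${dmesg:-unset}"; rc=1; fi
    return $rc
}

# Constructed sample input; on a real system pass /etc/sysctl.conf instead.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'vm.mmap_min_addr = 4096' \
    'vm.mmap_min_addr = 98304' 'kernel.dmesg_restrict = 1' > "$sample"
audit_conf "$sample"
rm -f "$sample"
```

The file only records what is applied at boot; the running values are in /proc/sys/vm/mmap_min_addr and /proc/sys/kernel/dmesg_restrict.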


