Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 25 Aug 2009 12:59:36 +0400
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com, owl-users@...ts.openwall.com
Subject: Linux 2.4.37.5-ow1; new Owl ISOs

Hi,

A couple of days ago, I've released a new revision of the kernel patch,
updated to Linux 2.4.37.5:

http://www.openwall.com/linux/

(and I similarly released updates to all other minor revisions of Linux
2.4.37.x before, some of which I neglected to announce in here).  The
important security-relevant changes made in the 2.4.37.x kernels and in
the -ow patches are briefly described in news items on the above web
page.  Specifically, the 2.4.37.5 kernel adds a fix for a NULL pointer
dereference bug (which, as far as I'm aware, was not exploitable into
privilege escalation as long as the vm.mmap_min_addr restriction was
enabled and working), whereas the -ow patch to it adds a fix for a local
information leak affecting 64-bit kernel builds (not yet fixed upstream
in 2.4, will likely be fixed in the next upstream revision).

2.4.37.3-ow1 and then 2.4.37.4 introduced a hardening measure against a
vm.mmap_min_addr bypass that could have worked via a combination of
the "personality" feature and certain improperly designed SUID-root
programs (only one example is known to me so far - pulseaudio).  As far
as I'm aware, on 2.4 kernels this bypass could have worked on x86_64
kernel builds, but not on most/all other architectures (including
definitely not on 32-bit x86 builds).

Finally, the 2.4.37.3 kernel release added the
"-fno-delete-null-pointer-checks" option to gcc invocations, which was
important to reduce the impact of a class of kernel bugs (which are yet
to be found and fixed individually, but are known to exist in general)
and added several security-relevant fixes to the RTL-8169 NIC driver.

(Linux 2.4.37.2-ow1 and earlier were announced in here before, so I'll
stop documenting the changes at this point.)

There are new ISO images of Owl-current (for x86 and x86-64) available
on our FTP mirrors:

http://www.openwall.com/Owl/DOWNLOAD.shtml

-rw-r--r--    1 ftp      ftp      449344077 Aug 23 06:44 Owl-current-20090823-i586.iso.gz
-rw-r--r--    1 ftp      ftp      452960143 Aug 23 10:00 Owl-current-20090823-x86_64.iso.gz

These use the Linux 2.4.37.5-ow1 kernel, and they contain various package
updates that we made lately:

http://www.openwall.com/Owl/CHANGES-current.shtml

We've been generating new Owl-current ISOs every 1-2 weeks lately.
Since the last one I announced in here, we've made major changes to our
packages of vsftpd, BIND, chkconfig, groff, logrotate, mktemp,
findutils, tar - as well as minor changes to other packages and parts of
Owl - and indeed we've updated the kernel.

Alexander

-- 
To unsubscribe, e-mail owl-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.