Vulnerabilities in kernel

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby hanno » Fri May 16, 2008 8:04 am

Current kernel 2.6.25-releases fix some security issues, e.g. a permission issue in sys_utimensat and a DoS in ipv6.

Now for grsecurity users: What should we do? (besides manually splitting out the patches and applying them)

As grsec devs announced that they may stop porting grsec to every new 2.6 kernel, there are imho 3 options:

a) forget about and port to latest 2.6.25 :-)

b) Provide some "fixes" - patchset for .24 which contains all security fixes so this can be applied together with the grsecurity-patch.

c) port the grsecurity patch to some well maintained kernel (Ubuntu LTS was in the discussion afaik)

No matter which one, one of them should happen really soon.
hanno
 
Posts: 26
Joined: Thu Dec 16, 2004 4:37 am

Re: Vulnerabilities in kernel

Postby hanno » Fri May 16, 2008 8:05 am

hanno
 
Posts: 26
Joined: Thu Dec 16, 2004 4:37 am

Re: Vulnerabilities in kernel

Postby cormander » Fri May 16, 2008 12:24 pm

PaX has a 2.6.25.4 test patch released yesterday - it's likely that Brad just needs a little more time before he can finish the merge of the rest of grsecurity with all the changes between the 2.6.24 and 2.6.25 kernels.

http://grsecurity.net/test/pax-linux-2. ... st11.patch
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm

Re: Vulnerabilities in kernel

Postby spender » Sun May 18, 2008 1:42 pm

I've uploaded new patches for 2.4.36.4 and 2.6.25.4. Due to the addition of 64-bit capabilities in the 2.6 kernel, userland/kernel RBAC structures had to be updated, so the grsecurity version number has been incremented as well. This means you'll need to grab the latest gradm to use the RBAC system.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Vulnerabilities in kernel

Postby cormander » Mon May 19, 2008 3:20 pm

Hey Brad,

Thanks for the 2.6.25 kernel update!

Since the latest testing version of grsecurity is now 2.1.12, and the "stable" is 2.1.11... any reason not to move the 2.6.24.7 patch to stable? Regarding the above vulnerabilities, these two patches correct them in the 2.6.24.7 kernel; you could append them to the bottom of the grsecurity patch:

http://www.ravencore.com/packages/kerne ... 2136.patch
http://www.ravencore.com/packages/kerne ... 2148.patch

What do you think?
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm

Re: Vulnerabilities in kernel

Postby fed.linuxgossip » Tue Jun 10, 2008 7:24 am

Hi,

Is a grsec-patched 2.6.24.6 or 2.6.24.4 secure against the following vulnerability?


http://secunia.com/advisories/30580/


Thanks
fed.linuxgossip
 
Posts: 21
Joined: Mon Feb 25, 2008 9:46 am

Re: Vulnerabilities in kernel

Postby cormander » Tue Jun 10, 2008 9:12 am

Nope. You've either got to patch it manually or go with the latest test patch.

My current 2.6.24.7 grsecurity RPM, however, is patched against this and other CVEs that affect that tree (along with very many other things).
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm

Re: Vulnerabilities in kernel

Postby fed.linuxgossip » Tue Jun 10, 2008 12:21 pm

Thank you. Can you give any idea of the patch source for this? Maybe a two- or three-line howto would be helpful for all.
fed.linuxgossip
 
Posts: 21
Joined: Mon Feb 25, 2008 9:46 am

