[grsec] grsecurity 2.0.1 released for Linux 2.4.27 and 2.6.7

spender at grsecurity.net
Sun Aug 8 07:23:38 EDT 2004


grsecurity 2.0.1 has been released for Linux 2.4.27 and 2.6.7. gradm has 
been updated to 2.0.1 for this release. This release includes:

- PaX updates
- proper locking that resolves NULL pointer oopses that some were 
  experiencing
- role de-authentication no longer requires a password
- role name and subject name are displayed with every log if the RBAC 
  system is enabled
- the random TCP source ports feature won't fail before all ports are 
  used
- IP-based role support has been added to special roles
- capability inheritance is fixed
- the regular expression matching code for RBAC objects has been 
  enhanced to support expected results of filename matching better and 
  also handles [a-Z] style matching
- stack usage has been reduced
- kernel memory usage has been reduced
- domain support has been added which allows you to group separate user 
  roles together in the RBAC system
- fixed XFS sleep-on-locking errors in 2.6
- automatic exploit bruteforcing deterrence, which delays an attack in 
  services like apache where a parent forks off several children all 
  sharing the same randomized address space layout and the attacker 
  attempts to bruteforce the children by exhausting every possible 
  randomized address

This release also fixes an important security issue discovered by 
stealth which allowed an attacker to kill protected processes in the 
RBAC system through a system call added recently to Linux. The chroot 
restrictions were unaffected by the addition of the system call.

Some naming conventions were also changed, so /etc/grsec/acl has become 
/etc/grsec/policy. gradm will automatically move the file for you. gradm 
also supports directory including again, and several bugs have been 
fixed.

If you're going to use 2.6.7, please also apply fixes for the numerous 
security bugs present in that kernel. Due to significant changes in the 
"stable" 2.6 tree that break much of PaX, a 2.6.8 patch may not be 
coming soon.

Grsecurity has recently enlisted the help of former developer Michael 
Dalton who will be focusing on userland changes. These changes will be 
made initially for the Debian distribution and can be obtained by adding 
the following lines to your /etc/apt/sources.list:

deb http://grsecurity.net/debian/ unstable main
deb-src http://grsecurity.net/debian/ unstable main

As of this writing, glibc 2.3.2 packages for i386 and sparc(64) are 
available that include Stefan Esser's unlink sanity check and remove 
LD_DEBUG for suid apps to prevent leaking of randomization information. 
We will be moving to a new server shortly that will have more space for 
these packages.

Thanks to my sponsors and everyone who has donated for making this possible.
Enjoy

-Brad
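
The fork behaviour behind the bruteforcing deterrence described in the announcement, as an added example that is not grsecurity code and not part of the original post: workers forked without exec keep the parent's address layout, so a supervisor can treat a worker killed by a fault signal as a possible failed guess and delay the respawn. The function names, the signal list and the 30-second delay are assumptions for this userland analogue, not the kernel implementation.

```c
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define RESPAWN_DELAY_SECS 30 /* assumed value, for this example only */

/* Fork n workers (no exec) and count how many report the same stack
 * address as the parent. Returns -1 on error. */
int children_sharing_layout(int n) {
    int marker = 0, same = 0;
    for (int i = 0; i < n; i++) {
        int fds[2];
        if (pipe(fds) != 0) return -1;
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) { /* worker: inherits the parent's mappings as-is */
            uintptr_t mine = (uintptr_t)&marker;
            _exit(write(fds[1], &mine, sizeof mine) == (ssize_t)sizeof mine ? 0 : 1);
        }
        close(fds[1]);
        uintptr_t seen = 0;
        if (read(fds[0], &seen, sizeof seen) == (ssize_t)sizeof seen &&
            seen == (uintptr_t)&marker)
            same++;
        close(fds[0]);
        waitpid(pid, NULL, 0);
    }
    return same;
}

/* Seconds to wait before forking a replacement for a worker that exited
 * with this wait status: nonzero only when a fault signal killed it. */
int respawn_delay(int wait_status) {
    if (!WIFSIGNALED(wait_status)) return 0;
    int sig = WTERMSIG(wait_status);
    return (sig == SIGSEGV || sig == SIGBUS || sig == SIGILL) ? RESPAWN_DELAY_SECS : 0;
}

/* Run one worker that dies with SIGSEGV and return the resulting delay. */
int delay_after_crashing_worker(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { signal(SIGSEGV, SIG_DFL); raise(SIGSEGV); _exit(0); }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return -1;
    return respawn_delay(status);
}
```

Printing `children_sharing_layout(8)` from a small `main` on a system with address randomization shows a different base address on each run of the program but the same address in every worker within one run.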

