[grsec] grsecurity 2.1.9 released for 2.4.32/2.4.33-rc2/2.6.17.7

Brad Spengler spender at grsecurity.net
Wed Jul 26 21:26:41 EDT 2006


grsecurity 2.1.9 has been released for the 2.4.32, 2.4.33-rc2, and 
2.6.17.7 series of Linux kernels. Changes in this release include:

    * A new PaX feature that eliminates a class of kernel 
      vulnerabilities from being exploitable.  The PaX feature prevents 
      exploitation in the case of any invalid userland pointer dereferences.
      This feature is also useful for debugging purposes, since it will catch 
      any driver that uses userland memory directly and not through the 
      proper copy_(to/from)_user channels. This feature is highly 
      recommended, though it should not be enabled in kernels meant to 
      run inside virtual machines (unless your processor supports 
      virtualization extensions).
    * A new PaX feature that zeroes out physical memory pages as soon as 
      they are freed. Though an encrypted swap helps reduce the chance 
      of certain sensitive information being recovered, it does 
      nothing against short-term recovery of sensitive information 
      which may be properly locked into physical memory. The sensitive 
      information can be found by reading /dev/mem and /dev/kmem (if you 
      haven't protected those with grsecurity), or through arbitrary 
      read bugs in the kernel. Enabling this feature incurs a small 
      performance hit (3% measured on kernel compilation). In the 
      future, it will be integrated into the RBAC, so that it can be 
      toggled on a per-process basis, reducing the overall performance hit.
    * The long-time unmounting failure on reboot bug (caused by certain 
      /proc assumptions by killall5) has been resolved.
    * An RBAC bug reported on the forums related to automatic policy 
      regeneration has been resolved.
    * A rare deadlock condition in the IP tagging code has been 
      resolved.
    * Resource logging has become a sysctl-tunable feature.
    * Disabling support for module loading at runtime through the 
      grsecurity feature no longer prevents writes to other 
      grsecurity-related sysctl entries.
    * Additional minor grsecurity/gradm bugfixes


Please note that the 2.4.33-rc2 kernel is currently being recommended 
instead of the 2.4.32 kernel, since it includes a number of fixes for 
reported security bugs. The 2.6 patch has changed the way it adds -grsec 
to the kernel's extraversion, so it should apply cleanly to most 
2.6.17.x kernel releases. We however continue to discourage the 2.6 
series of kernels for production use for reasons that should by now be 
obvious to everyone.

On another note, my employer is sending me to Blackhat/Defcon this year, 
so I hope to get a chance to meet some of you there.

Enjoy,
-Brad