[grsec] grsecurity 2.1.11 released for Linux 2.4.36.2/2.6.24.4
Brad Spengler
spender at grsecurity.net
Mon Apr 14 21:07:46 EDT 2008

A new stable version of grsecurity has been released for the 2.4.36.2
and 2.6.24.4 versions of the Linux kernel. This release is a maintenance
release (due to the work required in porting such a large patchset to
each new 2.6 kernel as we have with the test patches), though we
continue to welcome suggestions for additional features for grsecurity.

Changes in this release include:

* Many bugfixes, including fixes for RBAC auditing and RBAC policy
  recreation from renaming.
* Relaxed restrictions for the 'd' subject flag in the RBAC system
  -- a task may now access its own /proc/<pid>/fd and mem entries.
* Forced compiler errors on mistaken PaX configuration (such as
  enabling PAX_NOEXEC but not enabling SEGMEXEC nor PAGEEXEC).
* Extended username limits in the RBAC system
* Improved policy verification and base policy enforcement
* Added support for new capabilities added in Linux 2.6
* Updated default policy and learning configuration
* Corrected policy support on files larger than 2gb prior to the
  RBAC system being enabled
* An update to the latest version of PaX which includes numerous
  bugfixes

Due to Linux kernel developers continuing to silently fix exploitable
bugs (in particular, trivially exploitable NULL ptr dereference bugs
continue to be fixed without any mention of their security implications)
we continue to suggest that the 2.6 kernels be avoided if possible.

It is not clear if the PaX Team will be able to continue supporting
future versions of the 2.6 kernels, given their rapid rate of release
and the incredible amount of work that goes into porting such a
low-level enhancement to the kernel (especially now in view of the
reworking of the i386/x86-64 trees). It may be necessary that grsecurity
instead track the Ubuntu LTS kernel so that users can have a stable
kernel with up-to-date security fixes. I will update this page when a
final decision has been reached.

In the meantime, please email pageexec at freemail.hu and let him know how
much you appreciate the hard work he has put in for the past 8 years.
The accomplishments of the PaX Team have extended far beyond just Linux,
and have today found their way into all mainstream operating systems.

Enjoy,
-Brad