pageexec | 1 Mar 2005 05:52

Re: Bind segfaults on restart linux-2.4.29-2.1.1

> I have seen a few messages posted about this in the forums, but no 
> suggestions on the cause of the problem. I am running 2.4.29 with  
> grsecurity-2.1.1-2.4.29-200501231159.patch on a fresh installation of 
> CentOS 3.4 ( A rebuild of RedHat Enterprise 3). Once I boot onto my 
> grsecurity-enabled kernel, bind continues to segfault and will not 
> start. Any ideas would be helpful, this is a backup server so I can help 
> test any proposed solutions if needed..

look through the archives, i posted some time ago the description
of how to get and analyze a coredump, that's what we'll have to look
at ultimately. without that information we cannot tell what goes
wrong. alternatively (or in addition), you can do some binary search
on the grsec config options, you don't have much enabled so it
should be fast ;-).
John Anderson | 3 Mar 2005 00:36

Re: new -as patch for 2.6.10

Is the 2.6.11 release available? 

Thanks.

Brad Spengler wrote:

>On Fri, Feb 25, 2005 at 10:08:53AM +0100, Laszlo Boszormenyi wrote:
>  
>
>>Hi,
>>
>> As I see[1], there is a new -ac security patch for 2.6.10. The
>>grsecurity-2.1.1-2.6.10-as2-200501242254.patch has two small problems
>>during applying it, so I can correct them (one is a Makefile change,
>>the second is a header file include), but it would be better if the
>>changes are official. Can I wait for it, or should I do it for myself?
>>    
>>
>
>2.6.11 should be out any day now.  I've got a patch in 
>http://grsecurity.net/~spender that applies to rc4 (and hopefully to rc5) 
>that people can try until 2.6.11 final is released.  You'll need gradm2 
>from CVS as well.
>
>-Brad
>  
>

Brad Spengler | 3 Mar 2005 03:21

Re: new -as patch for 2.6.10

On Wed, Mar 02, 2005 at 04:36:34PM -0700, John Anderson wrote:
> Is the 2.6.11 release available? 

I've placed a patch for 2.6.11 in http://grsecurity.net/~spender
If you aren't running it yet, please test it and let me know of any 
problems.  I've gotten several reports of it working fine so far and no 
reports of any problems.

I'm going to hold off on an official release until the PaX team is able 
to fix a bug that occurs in certain scenarios where SEGMEXEC is enabled, 
that has been up to now impossible to reproduce.  I myself have never 
seen the bug, and it has only been reported by a small number of 
people.  The bug is also present in the 2.4 kernel, so I will be 
delaying the 2.1.2 release for that as well.  The PaX team has now been 
able to reproduce the bug somewhat reliably and is working on a 
solution that will hopefully be available shortly.

-Brad
_______________________________________________
grsecurity mailing list
grsecurity@...
http://grsecurity.net/cgi-bin/mailman/listinfo/grsecurity
Brad Spengler | 5 Mar 2005 01:55

grsecurity 2.1.2 released for 2.4.29/2.6.11 *CRITICAL UPDATE*

grsecurity 2.1.2 has been released today for the 2.4.29 and 2.6.11 
kernels. This is a critical release, and all users of grsecurity are 
strongly urged to upgrade as soon as possible. Changes in this release 
include the removal of RANDEXEC from the configuration, a fix for the 
unsafe terminal false positive, the ability to use hostnames instead of 
IPs in the RBAC policy file, the removal of the randomized TCP ISN, RPC 
XID, and IP ID code, since they added no greater security than what 
Linux currently provides, more consistent log messages, and PaX updates. 
Of particular importance is a fix for an exploitable vulnerability in 
PaX that exists if the SEGMEXEC or RANDEXEC features are enabled. The 
vulnerability was found yesterday by the PaX team during an audit of 
their code. Though remote exploitation of the vulnerability is very 
unlikely, it can be abused locally to compromise the system.

-Brad
Brad Spengler | 5 Mar 2005 02:20

Re: grsecurity 2.1.2 released for 2.4.29/2.6.11 *CRITICAL UPDATE*

As an update to this, if you're using grsecurity in the LOW or MEDIUM 
security settings, you are not vulnerable, since neither SEGMEXEC nor 
RANDEXEC are enabled in those configurations.  To mitigate some of the 
risk imposed by the vulnerability until you can patch your machines, 
echo "0 0" > /proc/sys/vm/pagetable_cache

Details of the vulnerability will be released next week, to allow for 
everyone to update first.

-Brad
Barry.Schwartz | 5 Mar 2005 04:32

Re: grsecurity 2.1.2 released for 2.4.29/2.6.11 *CRITICAL UPDATE*

Brad Spengler <spender@...> wrote:
> Details of the vulnerability will be released next week, to allow for 
> everyone to update first.

The website still says to apply the 2.6.10-as2 patch.  This is not
correct, is it?

Brad Spengler | 5 Mar 2005 05:05

Re: grsecurity 2.1.2 released for 2.4.29/2.6.11 *CRITICAL UPDATE*

On Fri, Mar 04, 2005 at 09:32:56PM -0600,
Barry.Schwartz@... wrote:
> Brad Spengler <spender@...> wrote:
> > Details of the vulnerability will be released next week, to allow for 
> > everyone to update first.
> 
> The website still says to apply the 2.6.10-as2 patch.  This is not
> correct, is it?

You're right, I forgot to update that notice.  It's fixed on the website 
now.

-Brad
General Stone | 5 Mar 2005 13:03

Re: grsecurity 2.1.2 released for 2.4.29/2.6.11 *CRITICAL UPDATE* {Scanned}

On Fri, Mar 04, 2005 at 08:20:00PM -0500, Brad Spengler wrote:
> As an update to this, if you're using grsecurity in the LOW or MEDIUM 
> security settings, you are not vulnerable, since neither SEGMEXEC nor 
> RANDEXEC are enabled in those configurations.  To mitigate some of the 
> risk imposed by the vulnerability until you can patch your machines, 
> echo "0 0" > /proc/sys/vm/pagetable_cache
> 
> Details of the vulnerability will be released next week, to allow for 
> everyone to update first.
> 
> -Brad

I have disabled the RANDEXEC and SEGMEXEC options in the kernel-config,
is it all?
The sysctl option "/proc/sys/vm/pagetable_cache" doesn't exist on my
machine i586 (kernel-source-2.6.10 with as5).
Brad Spengler | 5 Mar 2005 15:07

Re: grsecurity 2.1.2 released for 2.4.29/2.6.11 *CRITICAL UPDATE* {Scanned}

> I have disabled the RANDEXEC and SEGMEXEC options in the kernel-config,
> is it all?
> The sysctl option "/proc/sys/vm/pagetable_cache" doesn't exist on my
> machine i586 (kernel-source-2.6.10 with as5).

Indeed, it doesn't look like that exists on 2.6 kernels, so the 
workaround is only possible on 2.4.  Disabling RANDEXEC and SEGMEXEC 
will fix the problem, but if you're going to install a new kernel, there 
haven't been many changes from 2.1.1 to 2.1.2 (unless it's the 
2.6.10->2.6.11 changes you're worried about).  I would still recommend 
updating so you can take advantage of PaX, or enable the PAGEEXEC method 
instead.

-Brad
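
Added example, not part of any message in this thread and not grsecurity project code: a shell check that classifies a kernel .config by the criteria given in the messages above (SEGMEXEC or RANDEXEC enabled; the pagetable_cache sysctl workaround present only on 2.4). The option names CONFIG_PAX_SEGMEXEC and CONFIG_PAX_RANDEXEC, the function names and the sample config are assumptions made for this example.

```shell
#!/bin/sh
# Added example: triage a kernel .config for the PaX issue discussed above.
# Assumption: the PaX options are spelled CONFIG_PAX_SEGMEXEC and
# CONFIG_PAX_RANDEXEC in the .config being checked.

# config_enabled FILE OPTION -> succeeds only if FILE contains "OPTION=y".
# A "# OPTION is not set" line does not match.
config_enabled() {
    grep -q "^$2=y\$" "$1"
}

# Constructed sample: a HIGH-style config fragment with SEGMEXEC enabled.
sample_config() {
    printf '%s\n' 'CONFIG_GRKERNSEC=y' 'CONFIG_PAX_PAGEEXEC=y' \
        'CONFIG_PAX_SEGMEXEC=y' '# CONFIG_PAX_RANDEXEC is not set'
}

# pax_exposure CONFIG [SYSCTL_PATH] prints one of:
#   not-affected            neither SEGMEXEC nor RANDEXEC is enabled
#   affected-workaround     option enabled and the sysctl file exists (2.4)
#   affected-no-workaround  option enabled, sysctl absent (2.6): upgrade or
#                           rebuild without SEGMEXEC/RANDEXEC
# SYSCTL_PATH defaults to the path named in the thread.
pax_exposure() {
    cfg=$1
    sysctl_path=${2:-/proc/sys/vm/pagetable_cache}
    if [ ! -r "$cfg" ]; then
        echo "unreadable-config"
        return 2
    fi
    if ! config_enabled "$cfg" CONFIG_PAX_SEGMEXEC &&
       ! config_enabled "$cfg" CONFIG_PAX_RANDEXEC; then
        echo "not-affected"
    elif [ -e "$sysctl_path" ]; then
        echo "affected-workaround"
    else
        echo "affected-no-workaround"
    fi
    return 0
}

# Run against a config file when one is given on the command line.
if [ $# -gt 0 ]; then
    pax_exposure "$@"
fi
```

The result only classifies the configuration; the workaround itself is the `echo "0 0"` line quoted in the thread, and the fix is the 2.1.2 update.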
Steven Springl | 5 Mar 2005 21:01

Re: grsecurity 2.1.2 released for 2.4.29/2.6.11 *CRITICAL UPDATE*

On Saturday 05 March 2005 00:55, Brad Spengler wrote:
> grsecurity 2.1.2 has been released today for the 2.4.29 and 2.6.11
> kernels. This is a critical release, and all users of grsecurity are
> strongly urged to upgrade as soon as possible. Changes in this release
> include the removal of RANDEXEC from the configuration, a fix for the
> unsafe terminal false positive, the ability to use hostnames instead of
> IPs in the RBAC policy file, the removal of the randomized TCP ISN, RPC
> XID, and IP ID code, since they added no greater security than what
> Linux currently provides, more consistent log messages, and PaX updates.
> Of particular importance is a fix for an exploitable vulnerability in
> PaX that exists if the SEGMEXEC or RANDEXEC features are enabled. The
> vulnerability was found yesterday by the PaX team during an audit of
> their code. Though remote exploitation of the vulnerability is very
> unlikely, it can be abused locally to compromise the system.
>
> -Brad
Brad
        During testing of kernel 2.6.11 with grsecurity 2.1.2 and config 
option Security Level set to high, I have noticed that TCP source ports are 
no longer random.  I have checked the kernel config and both 
CONFIG_GRKERNSEC_RANDNET & CONFIG_GRKERNSEC_RANDSRC are set to y.

If you need any further information please let me know.

Regards
                Steven.
