grsecurity | 14 Dec 22:03 2010

Updates for 2.6.32.27 patches, what are they about?

Hi!

Apparently there have been a number of updates for the 2.6.32.27 grsec 
patch (I think I saw three updates in the RSS feed). Is there a changelog 
somewhere? Currently, I am not able to figure out whether I should 
recompile with the newer patches or not since I do not know what exactly 
was fixed in these versions (security issue or just cosmetic stuff?).

As an incentive, I offer 50 Euros for adding a short comment to the RSS 
feed in the future that gives an idea of whether security concerned people 
should upgrade or not (best would be something like "users of version X 
and before must upgrade").

Regards
Brad Spengler | 16 Dec 03:33 2010

Re: Updates for 2.6.32.27 patches, what are they about?

The updates to 2.6.32.27 were compilation/boot fixes and improved 
denied socket error messages.  If you had problems compiling or booting 
on 32bit x86 with trampolines enabled, it fixed the problem.  Otherwise, 
there's no need to update.  I've added changelog creation to my 
build/test process so that it'll be easy/automatic from now on to 
include short notes with each update.  I've also updated the testing and 
stable RSS feeds to display this information.

Assume that if I mention backports, it's backports of security fixes 
from the vanilla kernel.  I may point out particularly nasty ones as a 
stronger urge to update.  PaX merges will likely just be mentioned 
generically unless some noteworthy compatibility issue is resolved.

Let me know if you spot any problems with the RSS feeds.

-Brad

On Tue, Dec 14, 2010 at 10:03:07PM +0100,
grsecurity@... wrote:
> Hi!
>
> Apparently there have been a number of updates for the 2.6.32.27 grsec  
> patch (I think I saw three updates in the RSS feed). Is there a changelog 
> somewhere? Currently, I am not able to figure out whether I should  
> recompile with the newer patches or not since I do not know what exactly  
> was fixed in these versions (security issue or just cosmetic stuff?).
>
> As an incentive, I offer 50 Euros for adding a short comment to the RSS  
> feed in the future that gives an idea of whether security concerned 
> people should upgrade or not (best would be something like "users of 

Miguel Ghobangieno | 16 Dec 06:21 2010

Re: Updates for 2.6.32.27 patches, what are they about?

Is grsecurity compatible with human rights?
Today we understand that for human rights to exist, young marriage of females must be stamped out
completely. Many cultures still marry girls at puberty, which is usually 12 or 13, but can be as young as 9!
The only way to stop this is to create police states and surveillance societies, to end all secrets.
Grsecurity helps people keep secrets by increasing security.
This is in opposition to women's rights, human rights, and supports the evil acts of men who take sweet and
compliant young brides at puberty.

How can you support and continue such acts?
Think of the women and girls.
Spit on the men.

--- On Thu, 12/16/10, Brad Spengler <spender@...> wrote:

> From: Brad Spengler <spender@...>
> Subject: Re: [grsec] Updates for 2.6.32.27 patches, what are they about?
> To: grsecurity@...
> Cc: grsecurity@...
> Date: Thursday, December 16, 2010, 2:33 AM
> The updates to 2.6.32.27 were compilation/boot fixes and improved
> denied socket error messages.  If you had problems compiling or booting
> on 32bit x86 with trampolines enabled, it fixed the problem.  Otherwise,
> there's no need to update.  I've added changelog creation to my
> build/test process so that it'll be easy/automatic from now on to
> include short notes with each update.  I've also

Bastien Durel | 16 Dec 22:44 2010

KVM soft lockup

Hello,

I recently decided to upgrade my KVM guest server.
It used to run a Debian with 2.6.32.24-grsec/i686 custom kernel.
My new server is an i7 with plenty of RAM, so I decided to switch to an
amd64 kernel.

With squeeze stock kernel (2.6.32-5-amd64), KVM runs fine.

I then compiled a 2.6.32.27-grsec custom kernel, but when I run KVM with
this kernel active, I get some 
BUG: soft lockup - CPU#x stuck for 61s! [kvm:xxxx] 

then the whole machine becomes unresponsive.

Are there any known incompatibilities?

Thanks,

-- 
Bastien Durel
Pavel Labushev | 16 Dec 23:36 2010

Re: KVM soft lockup

17.12.2010 04:44, Bastien Durel wrote:

> My new server is an i7 with plenty of RAM, so I decided to switch to an
> amd64 kernel.

> Are there any known incompatibilities?

KVM is incompatible with UDEREF on x86_64, maybe that's your problem.
_______________________________________________
grsecurity mailing list
grsecurity <at> grsecurity.net
http://grsecurity.net/cgi-bin/mailman/listinfo/grsecurity
Bastien Durel | 17 Dec 19:13 2010

Re: KVM soft lockup

On Friday 17 December 2010 at 05:36 +0700, Pavel Labushev wrote:
> 17.12.2010 04:44, Bastien Durel wrote:
> 
> > My new server is an i7 with plenty of RAM, so I decided to switch to an
> > amd64 kernel.
> 
> > Are there any known incompatibilities?
> 
> KVM is incompatible with UDEREF on x86_64, maybe that's your problem.

Yes, it is. Thanks :)

-- 
Bastien Durel

pageexec | 23 Dec 00:20 2010

Re: grsecurity & lguest

On 4 Nov 2010 at 20:11, Philip Sanderson wrote:

just a heads up, the latest PaX patch should work with lguest under KERNEXEC
thanks to andrewg's work (if the code doesn't compile it's all my fault, i didn't
test my cleaned up version ;). the solution is not ideal in that lguest's flat
ring-0 segments are kept as is and that's obviously not good for KERNEXEC, but
i'll let you guys refine this further.

> I can't even get KERNEXEC working on a real machine either (model name    :
> Intel(R) Atom(TM) CPU N270    @ 1.60GHz) :/

what's the issue there? does that CPU have an NX bit? is it enabled? what happens
when you boot a PAE/PaX kernel? does vanilla/PAE work?
