An excerpt from the grsecurity website:

grsecurity 2.1.2 has been released today for the 2.4.29 and 2.6.11 kernels. This is a critical release, and all users of grsecurity are strongly urged to upgrade as soon as possible. Changes in this release include the removal of RANDEXEC from the configuration, a fix for the unsafe terminal false positive, the ability to use hostnames instead of IPs in the RBAC policy file, the removal of the randomized TCP ISN, RPC XID, and IP ID code, since they added no greater security than what Linux currently provides, more consistent log messages, and PaX updates. Of particular importance is a fix for an exploitable vulnerability in PaX that exists if the SEGMEXEC or RANDEXEC features are enabled. The vulnerability was found yesterday by the PaX team during an audit of their code. Though remote exploitation of the vulnerability is very unlikely, it can be abused locally to compromise the system. If you have grsecurity configured in the LOW or MEDIUM settings, you are not vulnerable. To mitigate some of the risk imposed by the vulnerability until you can patch your machines, echo "0 0" > /proc/sys/vm/pagetable_cache

Sure, the security issue is fixed in grsec-sources-2.4.28.2.1.0-r3, but it would be really nice to have this version in the tree. Thanks.
FYI: I assigned it directly to you because you're the maintainer of the grsec-sources (those which are based on the 2.4.x sources). Please correct me if I'm taking things wrong.
grsecurity 2.1.3 has been released to fix a number of problems found during a routine audit of grsecurity. Changes in this release include allowing gradm -u for non-root users in a no-authentication special role, the addition of a missing ptrace hook on amd64, a fixed hidden file check that takes subject inheritance into account, the unification of the mmap hook so it no longer requires a per-arch component, and the breakup of the "O" subject flag into "O" and "t", where "O" now means to allow writable library loads for the process, while "t" allows a process to ptrace any task. The "t" mode should be used sparingly in combination with the no-ptrace object flag. A bug in PaX that causes a SIGBUS in a task when SEGMEXEC is enabled but MPROTECT is disabled has been fixed in this release as well. During the audit, a critical vulnerability was found in the RBAC system that effectively gave every subject the "O" flag, allowing a root user, for instance, to gain the privileges of any other process through LD_PRELOAD or ptrace. If you have already upgraded to 2.1.2 and use the RBAC system, I strongly urge you to upgrade to 2.1.3. To ensure that problems like this won't occur in the future, I will be developing an extensive regression test suite for the RBAC system similar to the one that already exists for non-RBAC features. Sorry about the timing of this release, but the vuln I discovered is quite serious, and I'm hoping to catch the people who haven't updated their machines to 2.1.2 yet due to it being released over the weekend. -Brad
I've seen that it's now in the tree, thanks a lot! Marking this one as fixed.