Hi,

We've just moved to OpenVZ's latest "RHEL5 testing" kernel (with many additional patches, mostly back-ports of security fixes from even newer kernels). This kernel is working well for us so far.
Most importantly, it includes a fix for CVE-2010-4258, which I regard as almost as important as mmap_min_addr. It is very similar in that without this fix many other "benign" bugs turn into vulnerabilities allowing for privilege escalation (local root, container escape).

Info on some of the many other fixes that we included is found in the forwarded message below my signature.

Those who would like to use these fixes on non-Owl may pick our kernel patch from here:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/kernel/

The file is linux-2.6.18-194.26.1.el5.028stab079.1-owl.diff, which applies on top of OpenVZ's patch-194.26.1.el5.028stab079.1-combined.gz and currently brings the kernel version up to 2.6.18-194.26.1.el5.028stab079.1.owl2 (the ".owl2" is for the security fixes, an ext4 mount reliability fix, some build fixes, and some of our Owl-specific stuff that should not hurt on any other system either).

Kir - you might want to consider some of this for inclusion. I was adding the different kinds of fixes to linux-2.6.18-194.26.1.el5.028stab079.1-owl.diff with separate commits to make this easier.

Indeed, the binary kernel* packages on our FTP mirrors include the patch above. Moreover, our latest ISOs include those kernels (i686 and x86_64):

http://www.openwall.com/Owl/

At the same time, we've released new OpenVZ container templates of the Owl userland:

lftp ftp.fr.openwall.com:/pub/Owl/current/vztemplate> ls *20101209*
-rw-r--r-- 1 1002 1002 115458230 Dec 09 22:21 owl-current-20101209-i686.tar.gz
-rw-r--r-- 1 1002 1002 119184903 Dec 09 22:22 owl-current-20101209-x86_64.tar.gz

Alexander

----- Forwarded message from Solar Designer <[email protected]> -----

Date: Fri, 10 Dec 2010 05:30:02 +0300
From: Solar Designer <[email protected]>
To: annou...@..., owl-us...@...
Subject: [openwall-announce] new Owl ISOs, OpenVZ templates, packages & kernel (CVE-2010-4258 fix and a lot more)

Hi,

I've just released new Owl-current ISOs, OpenVZ container templates, and freshly rebuilt package sets for i686 and x86-64. This might be the last Owl-current snapshot before we make our 3.0 release, so please test extensively and report both successes and failures (in some detail). ;-)

The Owl homepage has direct download links for the ISOs:

http://www.openwall.com/Owl/

Currently, these point to the already-updated French mirror (also fast from the US). I intend to re-point them to the mirror at kernel.org once that gets updated (it should be updated in an hour from now).

Compared to the September 24 snapshot, the Linux/OpenVZ kernel has once again been updated to OpenVZ's latest from their "RHEL5 testing" branch (2.6.18-194.26.1.el5.028stab079.1), with many additional security fixes and security hardening measures added on top of it. This includes a fix for "dangerous interaction between clear_child_tid, set_fs(), and kernel oopses" (CVE-2010-4258) discovered by Nelson Elhage of Ksplice:

http://www.openwall.com/lists/oss-security/2010/12/02/3
http://www.openwall.com/lists/oss-security/2010/12/02/7
http://www.openwall.com/lists/oss-security/2010/12/09/14

and a fix for partial mmap_min_addr bypass via install_special_mapping() discovered by Tavis Ormandy of Google Security Team (no CVE id yet, there will likely be one by tomorrow):

http://www.openwall.com/lists/oss-security/2010/12/09/12
http://www.openwall.com/lists/oss-security/2010/12/09/13

The latter is currently known to allow for mapping just one page below mmap_min_addr, which was not enough to affect Owl "for real" due to our setting of mmap_min_addr to 96 KB in /etc/sysctl.conf. Nevertheless, we have now introduced the extra checks proposed by Tavis and propagated the safer default of 96 KB (vs. Red Hat's 4 KB) into our kernel patch (not relying on /etc/sysctl.conf alone anymore).
Additionally, many security-relevant patches and an ext4 mount reliability fix have been merged from 2.6.18-236.el5 (Red Hat's testing kernel). Most of these are fixes for infoleak bugs discovered by Dan Rosenberg of Virtual Security Research, as well as a couple discovered by Vasiliy Kulikov of our team. Most of them were in relatively obscure subsystems that are not exposed on typical Owl installs.

Finally, Dan Rosenberg's patch introducing the dmesg_restrict sysctl and CONFIG_SECURITY_DMESG_RESTRICT (enabled on Owl by default) has been merged (via Red Hat's 2.6.18-236.el5).

Many userland packages have been updated to new upstream versions: binutils, hdparm, ed, man-pages, diffstat, flex, ncurses, VIM, Linux-PAM, GnuPG, cdrkit, iptables, SysVinit, smartmontools, lftp, xz, and Postfix. In the case of binutils, we updated to 2.20.51.0.11 in September - October (this involved some fixes to other packages). We have not yet updated to 2.21, which was released yesterday.

The Linux-PAM update adds important security fixes to pam_env, pam_mail, and pam_xauth (CVE-2010-3316, CVE-2010-3435, CVE-2010-3430, and CVE-2010-3431; issues discovered by Sebastian Krahmer of SuSE, Tim Brown, and some final bits by me). None of these modules were ever in use on Owl by default, but we did provide them (and we still do).

Finally, many minor enhancements to various parts of Owl have been made, including to bootup, shutdown, and the installer ("safe" boot label for machines that have problems with ACPI support), default shell prompts with bash and tcsh, CVS (a minor potentially security-relevant change fixing CVE-2010-3846), and BIND (many extra sample directives and comments in the default configuration file).

This round of updates is mostly due to work by Vasiliy Kulikov (most package updates), Dmitry V. Levin (the Linux-PAM fixes), and me.
Please refer to the Owl-current change log for some detail different from the above (e.g., specific upstream version numbers we updated to, additional external links on the security issues):

http://www.openwall.com/Owl/CHANGES-current.shtml

As usual, feedback is welcome.

Alexander

----- End forwarded message -----
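The announcement above describes two kernel hardening knobs an administrator can verify on a running system: vm.mmap_min_addr (Owl raises it to 96 KB, i.e. 98304 bytes, against Red Hat's 4 KB default) and kernel.dmesg_restrict (set to 1 where CONFIG_SECURITY_DMESG_RESTRICT is enabled). The following POSIX sh script is an added example written for this page, not code from the post, Owl or OpenVZ; it audits both values from a /proc/sys-style tree. The function names, the PROC_ROOT override and the make_sample_root helper (which constructs a fake tree so the check can be exercised offline) are this example's own; the thresholds come from the post.

```shell
#!/bin/sh
# Added example: audit the two sysctl hardening settings the announcement
# mentions. 98304 (96 KB) and dmesg_restrict=1 are the values the post
# describes; function names and the PROC_ROOT override are assumptions.

# read_sysctl ROOT RELPATH -> prints the value, or "missing" if unreadable
read_sysctl() {
    if [ -r "$1/$2" ]; then
        cat "$1/$2"
    else
        echo missing
    fi
}

# check_mmap_min_addr ROOT [MIN] -> 0 if vm.mmap_min_addr >= MIN (default 98304)
check_mmap_min_addr() {
    root=$1
    min=${2:-98304}
    val=$(read_sysctl "$root" vm/mmap_min_addr)
    case "$val" in
        ''|*[!0-9]*)
            echo "vm.mmap_min_addr: unreadable ($val)"
            return 1 ;;
    esac
    if [ "$val" -ge "$min" ]; then
        echo "vm.mmap_min_addr: $val (ok, >= $min)"
        return 0
    fi
    echo "vm.mmap_min_addr: $val (too low, want >= $min)"
    return 1
}

# check_dmesg_restrict ROOT -> 0 only if kernel.dmesg_restrict is exactly 1
check_dmesg_restrict() {
    val=$(read_sysctl "$1" kernel/dmesg_restrict)
    if [ "$val" = 1 ]; then
        echo "kernel.dmesg_restrict: 1 (ok)"
        return 0
    fi
    echo "kernel.dmesg_restrict: $val (want 1)"
    return 1
}

# audit_hardening ROOT -> 0 only when every check passes; runs all checks
# so the report lists every weak setting, not just the first one found
audit_hardening() {
    rc=0
    check_mmap_min_addr "$1" || rc=1
    check_dmesg_restrict "$1" || rc=1
    return $rc
}

# make_sample_root DIR MMAP DMESG -> constructs a fake /proc/sys tree
# (constructed test data, used to exercise the checks without root)
make_sample_root() {
    mkdir -p "$1/vm" "$1/kernel"
    printf '%s\n' "$2" > "$1/vm/mmap_min_addr"
    printf '%s\n' "$3" > "$1/kernel/dmesg_restrict"
}

# Usage on a live system: PROC_ROOT=/proc/sys; audit_hardening "$PROC_ROOT"
```

On a live host, run audit_hardening /proc/sys; a non-zero exit means at least one of the two settings is weaker than the post's recommended values. The "missing" result for kernel/dmesg_restrict is itself informative: it means the kernel predates the dmesg_restrict patch, so the restriction cannot be enabled by sysctl at all.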
