Hi all hardened users.

On Oct. 19, a local privilege escalation exploit was found [1,2] that
affects hardened kernels on all architectures.  For certain
configurations of the hardened kernel, it is possible for a local user
to obtain root privileges.  The current proof-of-concept code can be
frustrated by not providing symbol information via /proc/kallsyms or
System.map, but at this time it is unclear whether other hardening
features such as CONFIG_PAX_MEMORY_UDEREF provide adequate protection
against variations of the PoC that do not need symbols.

All users are encouraged to upgrade to hardened-sources-2.6.32-r22,
which is currently marked stable on amd64 and x86.  It is being
fast-tracked on the other architectures. [3]

hardened-sources-2.6.35-r4 is also not vulnerable, but it cannot be
stabilized yet because of a bug in dhcp which also affects
gentoo-sources-2.6.35-r4. [4]  Those who want a kernel newer than
2.6.32 and can live with that minor bug can safely use
hardened-sources-2.6.35-r4.

Later this week, all ebuilds for vulnerable kernels will be removed
from the tree, except for hardened-sources-2.6.34-r6,
hardened-sources-2.6.32-r9 and hardened-sources-2.6.28-r9.  These will
be kept for continuity.


Ref:

[1] http://www.vsecurity.com/resources/advisory/20101019-1/

[2] http://bugs.gentoo.org/show_bug.cgi?id=341801

[3] http://bugs.gentoo.org/show_bug.cgi?id=341915

[4] http://bugs.gentoo.org/show_bug.cgi?id=334341

-- 
Anthony G. Basile, Ph.D.
Gentoo Developer
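A host-side check for the two mitigations the announcement names (a fixed kernel release, and no readable symbol information in /proc/kallsyms or System.map). This is an added example, not code from the announcement or from Gentoo; it assumes hardened-sources kernels report `uname -r` as `<version>-hardened-r<rev>`, and the sample kallsyms listings are constructed.

```shell
#!/bin/sh
# Added example, not part of the announcement. Assumption: hardened-sources
# kernels report `uname -r` as <version>-hardened-r<rev>, so the fixed
# ebuilds 2.6.32-r22 and 2.6.35-r4 appear as the two releases below.

# is_fixed_release REL: succeeds when REL is a release the post calls fixed.
is_fixed_release() {
    case "$1" in
        2.6.32-hardened-r22|2.6.35-hardened-r4) return 0 ;;
        *) return 1 ;;
    esac
}

# kallsyms_leaks: reads a /proc/kallsyms listing on stdin and succeeds when
# any symbol carries a non-zero address, i.e. symbol information is exposed.
# Kernels that hide symbols print all-zero addresses instead.
kallsyms_leaks() {
    grep -Eq '^0*[1-9a-f][0-9a-f]* '
}

# world_readable FILE: succeeds when FILE carries the other-read bit
# (a world-readable System.map hands out the same symbol information).
world_readable() {
    [ -e "$1" ] && find "$1" -prune -perm -004 | grep -q .
}

# Constructed kallsyms snapshots: hidden (zeroed) and exposed addresses.
SAMPLE_HIDDEN='0000000000000000 T _stext
0000000000000000 t run_init_process'
SAMPLE_EXPOSED='ffffffff81000000 T _stext
ffffffff81001000 t run_init_process'

# audit_host: report the three conditions for the running system.
audit_host() {
    rel=$(uname -r)
    if is_fixed_release "$rel"; then echo "kernel $rel: fixed release"
    else echo "kernel $rel: not one of the fixed releases in the advisory"
    fi
    if [ -r /proc/kallsyms ] && kallsyms_leaks < /proc/kallsyms; then
        echo "/proc/kallsyms exposes symbol addresses"
    else echo "/proc/kallsyms hidden or unreadable"
    fi
    for m in /boot/System.map*; do
        [ -e "$m" ] && world_readable "$m" && echo "$m is world-readable"
    done
}

[ "${1-}" = "--run" ] && audit_host
```

Run it as `sh check.sh --run`; the functions are also usable on their own against saved kallsyms listings.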
