Date: Thu, 19 Nov 2009 04:55:15 +0300
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com
Subject: [openwall-announce] Linux 2.4.37.7-ow1; passwdqc 1.1.4; new Owl ISO; public domain source code snippets

Hi,

This is to announce several things at once:

1. Linux 2.4.37.7-ow1 is out:

http://www.openwall.com/linux/

This is merely an update of the patch to the new 2.4.37.7 kernel
release, which fixes a number of security-related bugs:

http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.7

One of these is documented as "fs: pipe.c null pointer dereference".
Let me use this opportunity to remind you that having vm.mmap_min_addr
set to a non-zero value is a must (e.g., it is set to 98304 on the
system I'm typing this on).  There are way too many NULL pointer
dereference bugs and they are and will be getting discovered too often
for reasonably keeping systems up-to-date with the fixes.  A better
strategy may be to treat possible vm.mmap_min_addr bypass bugs as higher
severity ones, simply because there's an expectation that there are a
lot fewer of these (if any are still left).  This is the strategy we're
going to use for Owl.  vm.mmap_min_addr has defaulted to non-zero
(specifically, 32768) in -ow patches and thus on Owl systems for a while.
Thus, we're not treating NULL pointer dereference bugs as "local root"
ones; instead, we'd treat possible vm.mmap_min_addr bypasses as such.

2. There's a new Owl-current ISO image for 32-bit x86 (generated on
November 17) available on our FTP mirrors:

http://www.openwall.com/Owl/DOWNLOAD.shtml

There's also a direct download link (using one of the mirrors) right on
the Owl homepage:

http://www.openwall.com/Owl/

This is a very minor update.  It uses Linux 2.4.37.7-ow1 as the kernel.

Quite possibly, this is the last Owl ISO snapshot to use a 2.4 kernel,
as we're working on fully switching Owl to 2.6 kernels.

3. We've released version 1.1.4 of passwdqc, our password/passphrase
strength checking and policy enforcement toolset:

http://www.openwall.com/passwdqc/

We declare version 1.1.4 the new "stable" release.  The changes since
1.1.3 are mostly limited to minor code and manual pages markup cleanups
(such as for proper formatting on OpenBSD, thanks to Kevin Steves and
Jason McIntyre).

We've learned that passwdqc releases are now being packaged for NetBSD:

http://pkgsrc.se/security/pam-passwdqc

(Many other OS distributions have been doing it for years.)

4. I have published some assorted source code snippets and frameworks
(mostly in C), which I placed in the public domain:

http://openwall.info/wiki/people/solar/software/public-domain-source-code

Some of these were available under Openwall before, some not.  Please
feel free to reuse these in your programs.

Alexander
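The vm.mmap_min_addr recommendation above is easy to audit on a running box and in the persisted sysctl configuration. The following is an added example (not from the announcement or from Owl) that classifies a value, reads the live setting from procfs, and extracts the persisted one from sysctl.conf-style files. The 65536 floor is this example's own assumption; the announcement only calls for a non-zero value and cites 32768 (the -ow default) and 98304 (the author's system).

```sh
#!/bin/sh
# Added example: audit vm.mmap_min_addr (the low-address mapping floor that
# keeps NULL pointer dereference bugs from being reachable through a user
# mapping at page zero).  Not part of the original announcement.

# Assumed floor for this example.  The announcement says only "non-zero";
# the -ow patches default to 32768 and the author's box used 98304.
MMAP_MIN_ADDR_FLOOR=65536

# classify_mmap_min_addr VALUE
# Prints "invalid", "unprotected", "weak" or "ok" and returns 0 only for "ok".
classify_mmap_min_addr() {
    value=$1
    case $value in
        ''|*[!0-9]*) echo "invalid"; return 2 ;;
    esac
    if [ "$value" -eq 0 ]; then
        echo "unprotected"; return 1
    elif [ "$value" -lt "$MMAP_MIN_ADDR_FLOOR" ]; then
        echo "weak"; return 1
    fi
    echo "ok"; return 0
}

# Live kernel value (Linux procfs); prints nothing if it is not readable.
live_mmap_min_addr() {
    [ -r /proc/sys/vm/mmap_min_addr ] && cat /proc/sys/vm/mmap_min_addr
    return 0
}

# Persisted value from the sysctl.conf-style files given as arguments.
# Comments and unrelated keys are ignored; the last match wins, as with
# "sysctl -p".  Prints nothing when no file sets the key.
persisted_mmap_min_addr() {
    [ $# -gt 0 ] || return 0
    sed -n 's/^[[:space:]]*vm\.mmap_min_addr[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' \
        "$@" 2>/dev/null | tail -n 1
}

# Report both values; /etc/sysctl.conf and /etc/sysctl.d are the usual
# locations but may be absent on a given system.
report_mmap_min_addr() {
    live=$(live_mmap_min_addr)
    saved=$(persisted_mmap_min_addr /etc/sysctl.conf /etc/sysctl.d/*.conf)
    echo "live:      ${live:-unreadable} ($(classify_mmap_min_addr "${live:-x}"))"
    echo "persisted: ${saved:-unset} ($(classify_mmap_min_addr "${saved:-x}"))"
}

report_mmap_min_addr
```

A persisted value of 0 or an unset key means the protection depends on whatever the kernel or init scripts chose, so the report flags it separately from the live value.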
