Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20090720131647.GA19827@openwall.com>
Date: Mon, 20 Jul 2009 17:16:47 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Linux 2.6.30+/SELinux/RHEL5 test kernel 0day, exploiting the unexploitable

Earlier today, I wrote:

> (BTW, I'd be happy to share the mmap_min_addr back-port patch to
> RHEL-5'ish kernels with Red Hat if there's any interest.)

It occurred to me, from a few things I've seen/read lately, that RHEL 5
must indeed already include a back-port of the mmap_min_addr feature,
although somehow it is not in OpenVZ's patch-128.1.1.el5.028stab062.3
(was added after the -128 revision?), which is why I am adding my own
back-port of mmap_min_addr on top of that patch.  I am not using genuine
RHEL 5 (nor CentOS), which is why I don't know.  Maybe Eugene can
comment on this.

> I am going to release 2.4.37.3-ow1 with a CVE-2009-1895 fix in it, and I
> expect it to get into 2.4.37.4.  It's not important for systems with
> "sane" userlands (no crappy SUID-root programs), though.

Released, although I expect it to be replaced with 2.4.37.4-ow1 soon:

http://www.openwall.com/linux/

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.