Message-ID: <20170704123127.GA27528@openwall.com>
Date: Tue, 4 Jul 2017 14:31:27 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: linux-distros list membership application - CloudLinux

I've just added CloudLinux to linux-distros.  Some comments below:

On Sun, Jul 02, 2017 at 05:29:25PM +0300, Igor Seletskiy wrote:
> We typically have to patch local privilege escalations in kernel asap as
> our customers are easily rooted using this type of vulnerabilities (anyone
> can buy website or hack old wordpress instance & run any code).

This may be a reason for you to harden your distro's userland against
local privilege escalations as well, such as by adopting the
owl-alt-sanitize-env glibc hardening patch maintained by ALT Linux:

http://git.altlinux.org/gears/g/..git?p=glibc.git;a=commitdiff;h=496059f2

and getting rid of most or all world-accessible SUID programs, which is
do-able like we have demonstrated with Owl.  This shouldn't be
unreasonably hard to implement and maintain in a fork of RHEL, although
obviously you'll end up with more packages (including some core ones)
that would no longer be mere rebuilds of RHEL's.

This is by no means a condition for your linux-distros list membership -
I just happen to mention it here in response to your explanation of your
distro's threat model.  If you do go this route, it will reinforce your
reasoning for being a linux-distros member, though.

> Some records:
> The stack clash (Jun 21, 2016):
> https://www.cloudlinux.com/cloudlinux-os-blog/entry/cve-2017-1000364-fixed-for-cloudlinux-7
> Dirty Cow (Oct 21st, 2016):
> https://www.cloudlinux.com/cloudlinux-os-blog/entry/cloudlinux-6-kernel-updated-dirty-cow-issue-fixed
> Ghost (Jan 27, 2015):
> https://www.cloudlinux.com/cloudlinux-os-blog/entry/glibc-ghost-remote-vulnerability-cve-2015-0235

You got impressive timing on these!
> Please, find PGP related info
>
> Leonid Kanter <lkanter@...udlinux.com>
>
> GPG Key: 0x400296079AE5954F (download
> <https://cryptup.org/pub/lkanter@cloudlinux.com>)
> GPG Fingerprint: A07D AA47 48B2 C445 6A44 9B38 4002 9607 9AE5 954F
>
> Igor Seletskiy <i@...udlinux.com>
>
> GPG Key: 0xCD7BB36D66B77E0D (download
> <https://cryptup.org/pub/i@cloudlinux.com>)
>
> GPG Fingerprint: 7FE3 681A DCBC C509 A2FF 77A4 CD7B B36D 66B7 7E0D
>
> Konstantin Olshanov <kolshanov@...udlinux.com>
> GPG Key: 0x891E1FDBF34ED0FD (download
> <https://cryptup.org/pub/kolshanov@cloudlinux.com>)
> GPG Fingerprint: B502 0D7C BB2C 674C 6387 FBDC 891E 1FDB F34E D0FD

I subscribed only Leonid and Igor so far, since Konstantin's key doesn't
appear to be available at that URL (I am getting "No Public Key found for
kolshanov@...udlinux.com").  As a minor annoyance, these URLs appear to
require JavaScript.

Alexander
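The "get rid of world-accessible SUID programs" advice in the message above, as an added audit example that is not part of this thread nor of Owl's or CloudLinux's tooling: a POSIX shell helper that lists set-id files any user may execute (set-id bit plus other-execute), with a constructed sample tree so it can be exercised without scanning a real system.

```shell
#!/bin/sh
# Added audit helper (not Owl's or CloudLinux's code). The property Owl
# enforces is that a set-id binary is not world-accessible: either the
# set-id bit is gone, or "other" cannot execute it (Owl restricts such
# binaries to a dedicated group). This lists the files that violate it.

# list_world_setid DIR
# Regular files under DIR (one filesystem) that carry setuid or setgid AND
# are executable by "other". One `ls -ld` line per file.
list_world_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -perm -001 \
        -exec ls -ld {} \; 2>/dev/null
}

# count_world_setid DIR: how many such files, as a bare number.
count_world_setid() {
    list_world_setid "$1" | wc -l | tr -d ' '
}

# make_demo_tree: constructed sample tree (the modes below are illustrative,
# not taken from any real distro). Prints the directory it created.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    for f in su_world su_group plain sg_world; do : > "$d/$f"; done
    chmod 4755 "$d/su_world"   # setuid + world-executable: flagged
    chmod 4750 "$d/su_group"   # setuid, group-only (Owl style): not flagged
    chmod 0755 "$d/plain"      # no set-id bit: not flagged
    chmod 2755 "$d/sg_world"   # setgid + world-executable: flagged
    printf '%s\n' "$d"
}

# Usage: sh audit_setid.sh /        (real scan, unreadable dirs are skipped)
#        sh audit_setid.sh --demo   (runs against the constructed tree)
if [ "${1-}" = "--demo" ]; then
    demo=$(make_demo_tree)
    list_world_setid "$demo"
    echo "world-accessible set-id files: $(count_world_setid "$demo")"
    rm -rf "$demo"
elif [ -n "${1-}" ]; then
    list_world_setid "$1"
fi
```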