
Install Latest Version:
2.1.11
Latest update: 04/21/08
Latest test patch: 10/13/08

[04/21] grsecurity 2.1.11 patches updated, 2.6.24.5 supported
The 2.6 patch has been updated to 2.6.24.5 and fixes a serious RBAC system flaw where user_transition_deny/allow rules were being ignored. Both the 2.4 and the 2.6 patches have been updated to fix the return values of sys_setfsuid and sys_setfsgid.
[04/17] grsecurity 2.1.11 patch for 2.6.24.4 updated
The 2.1.11 patch for Linux 2.6.24.4 has been updated to fix a deadlock scenario with setpgid() and CONFIG_GRKERNSEC_CHROOT_FINDPROC discovered during an internal audit.
[04/14] grsecurity 2.1.11 released for Linux 2.4.36.2/2.6.24.4
A new stable version of grsecurity has been released for the 2.4.36.2 and 2.6.24.4 versions of the Linux kernel. This is a maintenance release, owing to the work required to port such a large patchset to each new 2.6 kernel (as is done for the test patches), though we continue to welcome suggestions for additional features for grsecurity. Changes in this release include:
  • Many bugfixes, including fixes for RBAC auditing and RBAC policy recreation from renaming.
  • Relaxed restrictions for the 'd' subject flag in the RBAC system: a task may now access its own /proc/<pid>/fd and mem entries.
  • Forced compiler errors on mistaken PaX configuration (such as enabling PAX_NOEXEC without enabling either SEGMEXEC or PAGEEXEC).
  • Extended username limits in the RBAC system
  • Improved policy verification and base policy enforcement
  • Added support for new capabilities added in Linux 2.6
  • Updated default policy and learning configuration
  • Corrected policy support on files larger than 2GB prior to the RBAC system being enabled
  • An update to the latest version of PaX which includes numerous bugfixes


Because Linux kernel developers continue to silently fix exploitable bugs (in particular, trivially exploitable NULL pointer dereference bugs continue to be fixed without any mention of their security implications), we continue to suggest that the 2.6 kernels be avoided if possible.

It is not clear whether the PaX Team will be able to continue supporting future versions of the 2.6 kernels, given their rapid rate of release and the incredible amount of work that goes into porting such a low-level enhancement to the kernel (especially now, in view of the reworking of the i386/x86-64 trees). It may be necessary for grsecurity to track the Ubuntu LTS kernel instead, so that users can have a stable kernel with up-to-date security fixes. I will update this page when a final decision has been reached.

In the meantime, please email pageexec@freemail.hu and let him know how much you appreciate the hard work he has put in for the past 8 years. The accomplishments of the PaX Team have extended far beyond just Linux, and have today found their way into all mainstream operating systems.
[06/18] Note on PaX support for x86-64 kernels on Socket 478 Celeron D processors
The 64-bit Socket 478 Intel Celeron D processors lack NX support, unlike other 64-bit Intel/AMD chips. PaX currently only uses hardware NX on 64-bit kernels, so on these Celerons PaX's PAGEEXEC feature, although it can still be selected in the kernel configuration, will not be active in the built kernel. Because the specific processor can only be detected at runtime, the PAGEEXEC option cannot be restricted in the kernel config. Owners of these CPUs are urged to build 32-bit kernels and use SEGMEXEC to make full use of PaX with the smallest performance hit.
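The runtime check a practitioner would want before picking a kernel for such a box, as an added example (this is not a script from the grsecurity site or the PaX patch): read the "flags" line of /proc/cpuinfo and report whether the CPU has both long mode (lm) and the hardware no-execute bit (nx). The three cpuinfo excerpts are constructed samples, and the advice tokens follow the note above: 64-bit plus NX means a 64-bit kernel with PAGEEXEC can use hardware NX; anything else means a 32-bit kernel with SEGMEXEC.

```shell
#!/bin/sh
# Added example, not part of grsecurity or PaX. Decides which PaX
# non-executable-page mechanism a CPU can actually use, from the "flags"
# line Linux prints in /proc/cpuinfo:
#   lm  - long mode (the CPU can run a 64-bit kernel)
#   nx  - hardware no-execute page bit (Intel XD / AMD NX)
# PaX only uses hardware NX on 64-bit kernels (PAGEEXEC); a 64-bit-capable
# CPU without nx (e.g. the Socket 478 Celeron D) should get a 32-bit kernel
# with SEGMEXEC instead.

# cpuinfo_flags <cpuinfo-text>: print the flag list of the first processor
# (all cores of one socket report the same feature bits).
cpuinfo_flags() {
    printf '%s\n' "$1" | sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# pax_nx_advice <cpuinfo-text>: print one token describing the recommended build.
#   pageexec64       lm and nx present: 64-bit kernel, PAGEEXEC uses hardware NX
#   segmexec32-nonx  lm present but no nx: 32-bit kernel with SEGMEXEC
#   segmexec32       no lm at all: 32-bit kernel with SEGMEXEC
pax_nx_advice() {
    has_nx=0
    has_lm=0
    for f in $(cpuinfo_flags "$1"); do
        case "$f" in
            nx) has_nx=1 ;;   # exact match, so e.g. "mmxext" does not count
            lm) has_lm=1 ;;
        esac
    done
    if [ "$has_lm" -eq 1 ] && [ "$has_nx" -eq 1 ]; then
        echo pageexec64
    elif [ "$has_lm" -eq 1 ]; then
        echo segmexec32-nonx
    else
        echo segmexec32
    fi
}

# Constructed sample /proc/cpuinfo excerpts (not captured from real machines).
SAMPLE_CELERON_D='processor : 0
vendor_id : GenuineIntel
model name : Intel(R) Celeron(R) D CPU (constructed sample)
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht lm'

SAMPLE_NX_CPU='processor : 0
vendor_id : AuthenticAMD
model name : AMD Athlon(tm) 64 (constructed sample)
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext lm'

SAMPLE_32BIT_ONLY='processor : 0
vendor_id : GenuineIntel
model name : Intel(R) Pentium(R) III (constructed sample)
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 mmx fxsr sse'

# Check the machine this runs on with:  sh this_script.sh --live
if [ "${1:-}" = "--live" ] && [ -r /proc/cpuinfo ]; then
    pax_nx_advice "$(cat /proc/cpuinfo)"
fi
```

If nx is missing on a CPU that is supposed to have it, check the BIOS "Execute Disable Bit" (XD) setting first: when the firmware disables it, the flag disappears from /proc/cpuinfo and PAGEEXEC on a 64-bit kernel is left without hardware support just as on the Celeron D.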
[01/22] Update on PaX expand_stack() vulnerability, updated patches
The recently updated grsecurity patches for the 2.4 and 2.6 series kernels fix the bug described in the recently announced expand_stack() security advisory. To clear up some ambiguities and misleading statements in that advisory: the vulnerability does not actually lie within the expand_stack() function; it applies only to systems with the SEGMEXEC feature enabled (i386 only, since x86-64 uses PAGEEXEC); and it affects both the 2.4 and 2.6 patches released prior to 01/21.

We are erring on the side of caution and calling this bug exploitable, though we believe reliable exploitation of the bug (in the privilege escalation sense, not the DoS sense) to be very difficult, especially in the presence of KERNEXEC/UDEREF.

Using the RBAC system's PaX flag support to enforce MPROTECT system-wide could have prevented the bug from being triggered, since triggering the vma mirroring bug requires creating an executable stack.
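What that mitigation looks like in a policy, as an added example skeleton (not a policy shipped with grsecurity or gradm): the +PAX_MPROTECT subject flag forces MPROTECT on for every process running under the catch-all / subject of both roles, regardless of the PaX marking on the binary. The indented gradm syntax of the 2.1.x era is assumed, the object lines and modes are placeholders for illustration only, and whether a per-binary subject defined elsewhere in the policy needs its own +PAX_MPROTECT line should be checked against the gradm documentation for the version in use.

```text
# Added example policy skeleton (not shipped with grsecurity or gradm).
# Object lines are illustrative placeholders, not a complete policy.

role admin sA
subject / rvka
    /            rwcdmlxi
    +PAX_MPROTECT

role default G
role_transitions admin
subject /
    /            r
    /opt         rx
    /home        rwxcd
    /tmp         rwcd
    -CAP_ALL
    +PAX_MPROTECT
```

Check the policy with gradm -C before enabling it with gradm -E. Programs that legitimately need writable and executable mappings (JIT runtimes such as Java) will break under forced MPROTECT; the usual answer is a dedicated subject for that binary carrying -PAX_MPROTECT, which keeps the exception confined to the one program rather than relaxing the system-wide default.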
[01/12] grsecurity 2.1.10 released for Linux 2.4.34/2.6.19.2
grsecurity 2.1.10 was released today for Linux 2.4.34 and 2.6.19.2. Changes in this release include:
  • Fixes to PaX flag support in RBAC system
  • PaX updates for non-x86 architectures in 2.4.34 patch
  • Fix for setpgid in chroot problem reported on forums
  • Removal of randomized PIDs feature, since it provides no useful additional security and wastes memory with the 2.6 kernel's pid bitmap
  • Fixed /proc usage in a chroot in 2.6 patch
  • Added admin role to generated policy from full learning
  • Resync of PaX code in 2.4 patch
[12/15] grsecurity 2.1.9 updated for Linux 2.4.33.4/2.6.19.1
grsecurity has been updated for the 2.4.33.4 and 2.6.19.1 Linux kernels. Changes include PaX updates involving the removal of RANDEXEC from the codebase (it had already been removed from the configuration several releases ago), and x86_64 support for disabling raw I/O. There have been no changes to gradm.
[10/07] grsecurity 2.1.9 updated for Linux 2.6.18
grsecurity has been updated for the 2.6.18 Linux kernel. Gradm has been updated as well to perform an additional check for bad policies.
[09/03] grsecurity 2.1.9 updated for Linux 2.4.33.3/2.6.17.11
grsecurity 2.1.9 has been updated for the 2.4.33.3 and 2.6.17.11 Linux kernels. Changes include minor PaX changes, stealth module fixes for 2.6, and a change to the way the 2.4 Makefile is patched so that each upcoming 2.4.x.y release won't require a new grsecurity patch for all files to apply cleanly.
[08/23] grsecurity 2.1.9 updated for Linux 2.4.33.2/2.6.17.11
grsecurity 2.1.9 has been updated for the 2.4.33.2 and 2.6.17.11 kernels. A bug in the 2.4 kernel that caused the kernel not to boot when UDEREF was enabled has been fixed. Other minor changes were made to PaX and gradm.
[08/13] grsecurity 2.1.9 updated for Linux 2.4.33/2.6.17.8
grsecurity 2.1.9 has been updated for the 2.4.33 and 2.6.17.8 Linux kernels. Changes were minor: a fix for a crash on shutdown with PaX's UDEREF feature, a corrected sysctl error code in grsecurity, and fixed compiler warnings in the stealth module in the 2.6 patch.

Site design by Hal Bergman