
Re: CAN-2005-0001, CAN-2004-1235, CAN-2004-1137, CAN-2004-1016, Georgi Guninski security advisory #72, 2004, grsecurity 2.1.0 release



Jan Lühr wrote:
> Will kernel-source-2.4.27 be available in days or weeks?

I guess days, since security fixes often mean 'priority=high'.
There are people working on it, e.g. Simon Horman. More info:

activity on kernel-source-2.4.27-2.4.27 (svn, Debian subversion)
http://svn.debian.org/wsvn/kernel/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/?rev=0&sc=1

The incoming kernel-source-2.4.27-8 changelog
http://svn.debian.org/wsvn/kernel/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog?op=file&rev=0&sc=1

> Well, running an rc-/pre-release on a production server is quite risky. Btw.

Indeed, but some security fixes are already there. And 2.4 kernels
are largely stable enough for my needs, even on prod servers.

> AFAIK kernel.org recommends not using their kernels, because they give no security support.

I didn't know this. I only check their 2.4 changelog from time to time,
and sometimes see security fixes. But they are often not tagged
'security', so I had to 'grep' for 'out of bounds', 'race', 'fix'...
With Debian kernels, the job is already done for you :)

I thought the security fixes (say from Distro xyz) were quickly
backported to kernel.org, and were often fixed first by kernel.org.
Perhaps I'm wrong on this, I'm just guessing.

Easiest way is to install Debian kernels when they are released,
but I fear Sarge 2.4.27 kernel has better security support
than woody 2.4.18 kernel. So I use woody with sarge's kernel.

> Thanks. Using kernel-source.2.4.24 from seems to be a good option.

You mean 2.4.27, not 2.4.24 / 2.4.18

> Can the openwall / grsecurity patches be applied to kernel-source-2.4.27?

No idea. But I'm interested in more secure kernels too (buffer overflow
protection, selinux, adamantix, grsecurity etc). Perhaps there is info
on the debianhardened project, but I don't have time now to check this.

http://sourceforge.net/projects/debianhardened
http://www.debian-hardened.org/wiki

Christophe


