Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20161024053334.GA4644@openwall.com>
Date: Mon, 24 Oct 2016 07:33:34 +0200
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com, owl-users@...ts.openwall.com
Subject: [openwall-announce] Owl security fixes: Linux kernel "Dirty COW", BIND DoS

Hi,

Linux kernel and BIND security updates are now available in Owl-current
and Owl 3.1-stable, documented as follows:

2016/10/23	Package: kernel
SECURITY FIX	Severity: high, local, active
Added a mitigation for the "Dirty COW" Linux kernel privilege escalation
vulnerability (CVE-2016-5195).
References:
http://www.openwall.com/lists/oss-security/2016/10/21/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195

2016/10/17 -
2016/10/21	Package: bind
SECURITY FIX	Severity: low, remote, active
Merged multiple DoS vulnerability fixes from Red Hat's package, most
notably for two easily triggerable assertion failures (CVE-2016-2776,
CVE-2016-2848).
References:
http://www.openwall.com/lists/oss-security/2016/09/27/8
https://kb.isc.org/article/AA-01419
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2776
http://www.openwall.com/lists/oss-security/2016/10/20/7
https://kb.isc.org/article/AA-01433/74/CVE-2016-2848
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2848

These are currently available as source code changes and as pre-built
packages (in both branches, and for both i686 and x86_64), however there
are no updated ISOs and vztemplates yet.

The "Dirty COW" mitigation is likely non-final and possibly incomplete
(it addresses the MADV_DONTNEED vs. PTRACE_POKE* race, and possibly some
other scenarios), pending a properly tested backport of the official fix
(likely) by Red Hat, but given the urgency of the issue I felt it most
appropriate to start by releasing a non-invasive mitigation like this.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.