Open Source and information security mailing list archives
Date: Sun, 25 Dec 2016 22:19:21 +0100
From: BENCSATH Boldizsar <boldi@...sys.hu>
To: fulldisclosure@...lists.org
Subject: [FD] kernel vuln status question - how can I be protected

Dear kernel maintainers, specialists,

Regarding the latest kernel vulns, like CVE-2016-8655, there were some
reports how and where Ubuntu/Debian/Redhat distributions fixed the problem.

However, I could not find clear indications about fixes in plain vanilla
kernel sources. No indication on LTS, and of course nothing on the
others. O.K. there is a patch for the particular CVS+kernel version, but
it is rather not evident to people that they must not go and install a
recent 3.16.39 as it is not fixed. I really could not find out details
and exact information no matter how I tried to find them on Google. What
about having a channel to get the latest information? What about having LTS
not just patches but an information feed? Or what about sending out
additional information added to actual security patches how it
should/would/had affect other versions.

Of course, maybe there is a trivial solution on that, e.g. I did not see
some notes, but I'm afraid I'm right and zillions of admins simply do
not know if they are vulnerable or not.

So is there a plan for 3.16.39 patch? What about 3.2 3.4 and similar?
Should one use the existing af_packet patch? Or from now on should we
trust vendors (Debian, Redhat or Android...) and is it recommended to
avoid building the kernel from scratch now?

b.


-- 
Boldizsar BENCSATH PhD
Laboratory of Cryptography and Systems Security
http://www.crysys.hu/
Dept. of Telecommunications  - BME VIK HIT TSz.
Budapest University of Technology and Economics
Tel: +36 1 463 3422; Fax: +36 1 463 3263; M: +36 30 9902317
H-1111 Budapest, Magyar tudósok körútja 2. I ép. E.433.
email: bencsath.boldizsar@...l2011.crysys.hit.bme.hu

	



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
