Package: linux Version: 4.9.2-2 Severity: wishlist Hi,
current Linux kernels in Debian are compiled with CONFIG_LEGACY_VSYSCALL_EMULATE: $ grep LEGACY_VSYSCALL /boot/config-4.9.0-1-* /boot/config-4.9.0-1-amd64:# CONFIG_LEGACY_VSYSCALL_NATIVE is not set /boot/config-4.9.0-1-amd64:CONFIG_LEGACY_VSYSCALL_EMULATE=y /boot/config-4.9.0-1-amd64:# CONFIG_LEGACY_VSYSCALL_NONE is not set /boot/config-4.9.0-1-rt-amd64:# CONFIG_LEGACY_VSYSCALL_NATIVE is not set /boot/config-4.9.0-1-rt-amd64:CONFIG_LEGACY_VSYSCALL_EMULATE=y /boot/config-4.9.0-1-rt-amd64:# CONFIG_LEGACY_VSYSCALL_NONE is not set According to this post: https://outflux.net/blog/archives/2016/09/27/security-things-in-linux-v4-4/ this option weakens the kernel, details here: https://googleprojectzero.blogspot.fr/2015/08/three-bypasses-and-fix-for-one-of.html Since Debian has a recent enough glibc since at least jessie, could you please activate the CONFIG_LEGACY_VSYSCALL_NONE option ? I am running a test system with the vsyscall=none kernel parameter and saw no problem. See also this page: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project Thanks, -- Laurent.
