Linux 3.2: backports some features from mainline kernel (3.7)?

2012-12-15 Thread daniel curtis
Hi,

Kernel 3.7 is officially out. This Linux release includes many improvements
in practically every aspect. Many changes also concern security. Very
interesting are: cryptographically-signed kernel modules and the long-awaited
symlink and hardlink restrictions (already in Linux 3.6), but it broke some
programs, so it has been disabled by default, right?

Those features/changes are very interesting from a security point of view.
With signed kernel modules, various distributions can lock down their
kernels. Symlink and hardlink restrictions are just a long-standing,
much-needed class of security.

I would like to ask if some of the 3.7 kernel features (such as those
mentioned) will be backported to the Testing kernel (3.2)? I know Wheezy has
now been frozen, and in consequence this means that no more new features will
be added etc. But there is still some time until the official release, and
those features could be tested very well. Are there any plans to do this?

Best regards!


Re: Linux 3.2: backports some features from mainline kernel (3.7)?

2012-12-15 Thread Cyril Brulebois
Hi,

daniel curtis sidetripp...@gmail.com (15/12/2012):
> Kernel 3.7 is officially out. This Linux release includes many
> improvements practically in every aspect. Many changes also concerns
> security. Very interesting are: Cryptographically-signed kernel
> modules and - long awaited - symlink and hardlink restrictions
> (already in Linux 3.6), but it broke some programs, so it has been
> disabled by default, right?

from
http://packages.debian.org/changelogs/pool/main/l/linux/linux_3.2.35-1/changelog.html
| linux (3.2.29-1) unstable; urgency=low
| …
|   * fs: Update link security restrictions to match Linux 3.6:
|     - Drop kconfig options; restrictions can only be disabled by sysctl
|     - Change the audit message type from AUDIT_AVC (1400) to
|       AUDIT_ANON_LINK (1702)
| …
| linux-2.6 (3.2.9-1) unstable; urgency=high
| …
|   * fs: Introduce and enable security restrictions on links:
|     - Do not follow symlinks in /tmp that are owned by other users
|       (sysctl: fs.protected_symlinks)
|     - Do not allow unprivileged users to create hard links to sensitive files
|       (sysctl: fs.protected_hardlinks) (Closes: #609455)
|       + This breaks the 'at' package in stable, which will be fixed shortly
|         (see #597130)
|     The precise restrictions are specified in Documentation/sysctl/fs.txt in
|     the linux-doc-3.2 and linux-source-3.2 packages.

Anyway, I suspect you want to ask Linux kernel questions to Linux
kernel maintainers (meaning debian-kernel@).

Mraw,
KiBi.
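A quick way to verify on a running host whether the two sysctls named in the changelog above are actually in force, as an added example that is not part of this thread. The `SYSFS_DIR` argument and the sysctl.d file name are assumptions for illustration; on a live system the default `/proc/sys/fs` is used.

```shell
#!/bin/sh
# Added example: audit fs.protected_symlinks / fs.protected_hardlinks.
# The directory argument is a hypothetical parameter so the check can be
# pointed at a copy of /proc/sys/fs for testing; leave it unset on a real host.

# Print "<name>=<value>" for one knob, or "<name>=missing" when the running
# kernel predates the feature (no such file under /proc/sys/fs).
read_knob() {
    dir=$1; name=$2
    if [ -r "$dir/$name" ]; then
        printf '%s=%s\n' "$name" "$(cat "$dir/$name")"
    else
        printf '%s=missing\n' "$name"
    fi
}

# Return 0 only when both restrictions are enabled (value 1); return 1 when
# either one is disabled via sysctl or absent from the kernel entirely.
check_link_protection() {
    dir=${1:-/proc/sys/fs}
    status=0
    for knob in protected_symlinks protected_hardlinks; do
        line=$(read_knob "$dir" "$knob")
        echo "$line"
        case $line in
            *=1) ;;            # enabled: nothing to do
            *)   status=1 ;;   # disabled or missing: flag it
        esac
    done
    return $status
}

# Persistent setting to restore the defaults if a local sysctl.conf turned
# them off (Debian's 3.2 kernel ships with both enabled, per the changelog).
print_sysctl_fix() {
    cat <<'EOF'
# /etc/sysctl.d/local-link-restrictions.conf  (file name is an assumption)
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
EOF
}

check_link_protection || print_sysctl_fix
```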




External check

2012-12-15 Thread Raphael Geissert
CVE-2011-4316: RESERVED
CVE-2012-5577: RESERVED
CVE-2012-5638: RESERVED
CVE-2012-5640: RESERVED
CVE-2012-6333: TODO: check
--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.

