Hello All,

The latest bi-weekly "release" branch build of SmartOS is up:

    curl -C - -O https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest.iso
    curl -C - -O https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest-USB.img.bz2
    curl -C - -O https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest.vmwarevm.tar.bz2

A generated changelog is here:

    https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos.html#20151001T070028Z

The full build bits directory, for those interested, is here in Manta:

    /Joyent_Dev/public/SmartOS/20151001T070028Z


# Highlights

- Important security fix. See the "DTrace Vulnerability Fixes" section below.

- ZFS now supports the following checksums: SHA-2 512/256, Skein, and Edon-R.
  They can be set on a dataset by updating the checksum property with zfs(1M).


# DTrace Vulnerability Fixes

Through HP's Zero-Day Initiative, we were made aware of two security issues
with illumos that, used together and in the hands of a determined attacker,
constitute a serious vulnerability for SmartOS-based systems. Both issues are
related to DTrace: one leverages an information leak in the copyout() action,
and the other kernel data corruption that can be induced with malicious DIF.
(Both issues are impossible to induce for/by those that don't have DTrace
privileges -- meaning that many other systems that have DTrace are not
actually at risk because they do not expose DTrace to non-privileged users.)

Both issues have been resolved in both SmartOS (as issue OS-4791 in
commit a4576cefa3c93914bfe1d3a5565ed338e9bdb105) and upstream in illumos (as
issue #6266 in commit 395c7a3dcfc66b8b671dc4b3c4a2f0ca26449922).

Those in a position to upgrade to the latest platforms are encouraged to do
so. For those who would prefer to inoculate their systems without rebooting
them, we are providing hotpatches for these issues:

    https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/hotpatches/ZDI-CAN-3263-hotpatch.sh
    https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/hotpatches/ZDI-CAN-3284-hotpatch.sh

Note that the latter of these (ZDI-CAN-3284-hotpatch.sh) will disable the
DTrace copyout() action entirely, which for most will be a non-issue as it's
an arcane and destructive action. If the former of these
(ZDI-CAN-3263-hotpatch.sh) fails for you, please let us know and we will
develop a version that works for your system.

We are deeply indebted to security researcher Ben M. Murphy (who found these
issues) and to HP and their Zero-Day Initiative for providing them to us in a
responsible manner. Thanks are also due to the illumos security community for
their assistance in getting these important fixes upstream as quickly as
possible.


# General Info

Every second Thursday we roll a "release-YYYYMMDD" release branch and
builds for SmartOS (and SmartDataCenter and Manta, as well).

Cheers,
Trent, on behalf of the SmartOS developers
https://smartos.org


