grsecurity 3.1 for Debian

April 6th, 2015

This could be my last grsecurity update for Debian wheezy, since jessie is almost ready and I’m planning to upgrade as soon as I can.
Anyway, this 3.1 release updates the longterm stable branch of the Linux kernel to version 3.2.68 with grsecurity 3.1-20150402182.
Also its userland tool, gradm, has been updated to version 3.1-201503211320.
You should update your kernels since there are a lot of security bug fixes and a new feature (GRKERNSEC_CHROOT_RENAME) has been added to prevent root users from breaking out of a chroot jail “by exploiting a race condition between a rename of a directory within a chroot against an open of a symlink with relative path components. This feature will likewise prevent an accomplice outside a chroot from enabling a user inside the chroot to break out and make use of their credentials on the global filesystem.”
If you want to trust the chroot jail environments you have implemented you should apply this update as soon as you can.

Suricata 2.0.7 for Debian

April 4th, 2015

It took me a while but here is my debian stable (wheezy) packaged version of libhtp 0.5.17 and suricata 2.0.7.
This is a bugfix release so you are encouraged to upgrade as soon as you can (maybe after a little bit of testing).
Take your time to review the changelog.

Linux 3.19

February 10th, 2015

A new version of the Linux kernel is out to be compiled and used! Let’s see what news it brings.
In the hardware support we see that AMD HSA (Heterogeneous System Architecture) is closer to reality. HSA is a type of computer processor architecture that integrates central processing units and graphics processors on the same bus, with shared memory and tasks. With the landing of the AMDKFD driver (that will provide basic support for HSA with basic OpenCL kernels) it can be used in conjunction with AMD’s Radeon Gallium3D stack and their new HSA library.
Initial hardware support for Intel’s next-generation Skylake graphics has been added. Intel’s Memory Protection Extension (MPX) is a set of CPU instructions which brings increased robustness to software by checking pointer references. Intel MPX introduces new registers and new CPU instructions that operate on these registers. Modified compiler, runtime libraries and kernels can make use of these instructions to allow MPX hardware to prevent buffer overflow exploitation. This Linux release adds support in the Linux kernel. CPUs with MPX support are not yet in the market and will be introduced with the Intel Skylake and Goldmont microarchitectures.
ARM Coresight is an umbrella of technologies allowing for the debugging of ARM based SoCs. ARM has developed a HW assisted tracing solution by means of different components, each being added to a design at synthesis time to cater to specific tracing needs. The Linux Coresight framework provides a kernel interface for the Coresight debug and trace drivers to register themselves with. It’s intended to build a topological view of the Coresight components based on a DT specification and configure the right series of components when a trace source gets enabled.
In the filesystem area Btrfs added support for fast and live device replacement, much faster and more efficient than adding the new device and removing the old one in separate commands. This release also improves RAID 5 and RAID 6 support so that it’s closer to parity with the other supported RAID levels.
LZ4 compression has been added in SquashFS. It originally compressed its data with Gzip but for a few years now has supported LZMA and LZO. LZ4 is a lightweight compression algorithm and its implementation is intended for embedded systems with reduced CPU usage and lower memory overhead in comparison to Zlib.
This release also adds support for hole punching and preallocation in NFSv4.2 setups.
In the networking area this release includes infrastructure to support hardware switch chips. This includes devices supporting L2/L3 but also various flow offloading chips, including switches embedded into SR-IOV NICs. Also included is a “rocker” driver for an emulated switch chip implemented in qemu.
There are as always tons of minor changes and you can view them all starting from the changelog.

Suricata 2.0.6 for Debian

January 19th, 2015

This is another bugfix release for Suricata IDS/IPS for debian stable.
Everyone should upgrade as soon as possible since there are some evasion issues among the fixes.
Please take a minute of your time to read the changelog.

PHP-Suhosin for Debian

December 17th, 2014

This is a hotfix release due to some bugs as stated in the short changelog:

“This hotfix release changes the newly introduced array index blacklist to not block ‘-‘ by default due to incompatibilities with widely used software.
Also, the version string shows ‘’ now (without ‘-dev’).”

Please upgrade your packages and be sure to also update the suhosin.ini file.

Suricata 2.0.5 for Debian

December 16th, 2014

A bugfix update for libhtp 0.5.16 and Suricata 2.0.5 has been released for our beloved debian stable wheezy.
I recommend that you upgrade since the bugs fixed were nasty and could lead to segfaults in some conditions.

Linux 3.18

December 10th, 2014

Even if one nasty lockup bug, present since last version 3.17, has not been found, Linus decided to go on and release a new kernel version.
And here are the relevant changes.
Starting with hardware improvements this release added new support for a lot of ARM SoCs (the Tegra based Chromebook is the most notable one) and added PCI support on ARM64 architectures.
ACPI and power management have seen a lot of improvements along with a faster suspend and resume on machines with many CPU cores (typically servers).
Note the better support for the upcoming AMD Carrizo APUs, Wacom tablet enhancements, better game controllers support and many new media drivers.
There have also been many USB subsystem changes.
In the filesystem area Btrfs now has a new recovery and repair support, fsync fixes and many cleanups.
F2FS has seen a lot of additions like atomic and volatile writes.
Numerous minor improvements in XFS and ext4.
Graphics shows as always a lot of improvements in DRM support for AMD Radeon, Intel and Nouveau drivers.
On the virtualization side, Xen has gained initial paravirtualized SCSI support.
Nftables continues to grow up with added support for masquerading (IPv4 and IPv6) and many other improvements.
Please take a few minutes to read the full changelog.

Suhosin 0.9.37 for Debian

December 4th, 2014

A new release of Suhosin, a security PHP extension, is available for debian wheezy!
Please take a few minutes to read the changelog of this version.
This debian package will try to install and update the new configuration file. It’s now really well documented so I advise you to do so. The old configuration file will be renamed so you can always see what your previous configuration was until you manually delete this file.
This new configuration file is provided as is and everything is disabled, even the extension itself. To enable it you have to uncomment the first line of /etc/php5/mods-available/suhosin.ini file:


and run this command (if you are updating from my previous package you can skip this step):

php5enmod suhosin

You have to reload your Apache configuration manually. This way you can upgrade your production servers without having to rush, and test your configuration before applying it.
It is recommended that you test this extension before putting it in production.
Remember that there is a useful suhosin.simulation directive that lets you log violations without blocking your applications.
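
A pre-reload check for the rollout described above, as an added example that is not part of the original post or of the Suhosin package: it reports whether a Suhosin ini file leaves the extension disabled, in simulation (log-only) mode, or enforcing. The `extension=suhosin.so` line, the helper names and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report the effective state of a Suhosin ini file before
# reloading the web server. Helper names are hypothetical.

# ini_value FILE KEY -> prints the last uncommented value set for KEY
# (empty output if KEY is only present in commented-out lines or absent).
ini_value() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }                  # whole-line comment: ignored
        {
            line = $0
            sub(/[ \t]*;.*$/, "", line)      # strip a trailing ";" comment
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1)
            v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)   # trim the key
            gsub(/^[ \t"]+|[ \t"]+$/, "", v) # trim the value and its quotes
            if (k == key) last = v           # a later assignment overrides
        }
        END { print last }
    ' "$1"
}

# suhosin_state FILE -> prints disabled, simulation or enforcing
suhosin_state() {
    ext=$(ini_value "$1" extension)
    sim=$(ini_value "$1" suhosin.simulation | tr 'A-Z' 'a-z')
    case "$ext" in
        suhosin.so) ;;                       # assumed name of the extension line
        *) echo disabled; return 0 ;;
    esac
    case "$sim" in
        on|1|true|yes) echo simulation ;;    # violations are logged only
        *) echo enforcing ;;                 # unset or off: violations are blocked
    esac
}

# Demo on a constructed sample, not the packaged suhosin.ini.
sample=$(mktemp)
printf 'extension=suhosin.so\nsuhosin.simulation = On\n' > "$sample"
echo "state: $(suhosin_state "$sample")"
rm -f "$sample"
```

Run `suhosin_state /etc/php5/mods-available/suhosin.ini` before reloading Apache; a result of `enforcing` on a server where the application has not been tested yet means violations will be blocked rather than just logged.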

grsecurity stable updates

November 25th, 2014

For your debian stable installation (wheezy) it’s time to update your grsecurity enabled kernel.
In my stuff page you can find version 3.0-3.2.64-201411231436 and its userland admin tool gradm, updated to version 3.0-201408301734.
As always you can download each package manually or use an automated install with my debian repositories.
Be aware that now grsecurity is offering an automated kernel build service that helps you configure and build your own kernel.
Visit the link above or the official site and e-mail Brad Spengler if you want to try this brand new service!

Linux 3.17

October 7th, 2014

Another Linux release, another post. Let’s see what’s new.
Over 250,000 lines of code were deleted due to the removal of a bunch (14) of old, unmaintained drivers.
Several new ARM devices are supported while some not so optimally supported ARM hardware has been stripped from the mainline kernel tree. Also ARM64 kernels can now be built with the -fstack-protector option to detect stack corruption.
The DMA-BUF cross-device synchronization now has proper fence support (a fence can be attached to a buffer which is being filled or consumed by hardware, to allow userspace to pass the buffer to another device without waiting) and poll support along with other new functionality that affects many different kernel drivers.
An ACPICA update brings ACPI 5.1 support, faster hibernation, and basic work towards ACPI support on ARM. Another prominent change is the fix for the CPUfreq on-demand governor (faster and more power efficient).
Talking about virtualization there are many improvements inside KVM x86 and ARM support (KVM now works on big-endian ARM systems) and Xen can now boot using EFI under its Dom0.
In the filesystem area the main changes are for F2FS (fixes and improvements) and XFS (now has a sysfs interface).
Changes have been made to the timekeeping core in order to make it ready for the year 2038, the end of the world for unix-like OSes.
Take a few minutes to have a look at the full changelog.