To quote from the kernel documentation:
> If you say Y here, the layouts of structures that are entirely
> function pointers (and have not been manually annotated with
> __no_randomize_layout), or structures that have been explicitly
> marked with __randomize_layout, will be randomized at compile-time.
> This can introduce the requirement of an additional information
> exposure vulnerability for exploits targeting these structure
> types.
>
> Enabling this feature will introduce some performance impact,
> slightly increase memory usage, and prevent the use of forensic
> tools like Volatility against the system (unless the kernel
> source tree isn't cleaned after kernel installation).
>
> The seed used for compilation is located at
> scripts/gcc-plgins/randomize_layout_seed.h. It remains after
> a make clean to allow for external modules to be compiled with
> the existing seed and will be removed by a make mrproper or
> make distclean.
>
> Note that the implementation requires gcc 4.7 or newer.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-2
"Features
Merge #718: Introduce infra-cache-max-rtt option to config max retransmit timeout.
Bug Fixes
Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699.
Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing
for one loop pass'.
Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT
on outbound tcp sockets.
Fix verbose EDE error printout.
Fix dname count in sldns parse type descriptor for SVCB and HTTPS.
For windows crosscompile, fix setting the IPV6_MTU socket option
equivalent (IPV6_USER_MTU); allows cross compiling with latest cross-compiler versions.
Merge PR 714: Avoid treat normal hosts as unresponsive servers. And fixup the lock code.
iana portlist update.
Update documentation for 'outbound-msg-retry:'.
Tests for ghost domain fixes."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Quoted from https://capsule8.com/blog/kernel-configuration-glossary/:
> Significance: Critical
>
> In support of Kernel Address Space Layout Randomization (KASLR) this randomizes
> the physical address at which the kernel image is decompressed and the virtual
> address where the kernel image is mapped as a security feature that deters
> exploit attempts relying on knowledge of the location of kernel code internals.
We tried to enable this back in 2020, and failed. Since then, things
may have been improved, so let's give this low-hanging fruit another
try.
Fixes: #12363
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Studies reveal intelligent life before the first cup of coffee is
possibly in theory, but does not exist in practice.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Stopping services before potentially tampering with files they use is a
more sane approach than doing the latter and hope the running service
can cope with it. Suricata, at least, reportedly doesn't.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
If available, the kernel will enable IOMMU (a/k/a DMA remapping) by
default on boot. To tools making use of that, particularly hypervisors,
this provides better security without any downsides.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Please refer to https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.57
for the changelog of this version. Since it introduces
architecture-dependent rootfile changes due to CPU side-channel
mitigations, changes to ARM rootfiles have been omitted due to the lack
of hardware.
Supposed hardening changes will be submitted separately.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
The second version of this patch uses @ instead of / for sed delimiters,
which makes the command less hard to read. Since Core Update 170 already
requires a reboot at this point, the respective directive is omitted.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
For details see:
https://blog.clamav.net/2022/07/clamav-01037-01041-and-01051-patch.html
"ClamAV 0.105.1 is a critical patch release with the following fixes:
Upgrade the vendored UnRAR library to version 6.1.7.
Fix issue building macOS universal binaries in some configurations.
Silence error message when the logical signature maximum functionality
level is lower than the current functionality level.
Fix scan error when scanning files containing malformed images that
cannot be loaded to calculate an image fuzzy hash.
Fix logical signature "Intermediates" feature.
Relax constraints on slightly malformed ZIP archives that contain
overlapping file entries."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.31/doc/arm/html/notes.html#notes-for-bind-9-16-31
Excerpt from changelog:
" --- 9.16.31 released ---
5917. [bug] Update ifconfig.sh script as is miscomputed interface
identifiers when destroying interfaces. [GL #3061]
5915. [bug] Detect missing closing brace (}) and computational
overflows in $GENERATE directives. [GL #3429]
5913. [bug] Fix a race between resolver query timeout and
validation in resolver.c:validated(). Remove
resolver.c:maybe_destroy() as it is no loger needed.
[GL #3398]
5909. [bug] The server-side destination port was missing from dnstap
captures of client traffic. [GL #3309]
5905. [bug] When the TCP connection would be closed/reset between
the connect/accept and the read, the uv_read_start()
return value would be unexpected and cause an assertion
failure. [GL #3400]
5903. [bug] When named checks that the OPCODE in a response matches
that of the request, if there is a mismatch named logs
an error. Some of those error messages incorrectly
used RCODE instead of OPCODE to lookup the nemonic.
This has been corrected. [GL !6420]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
