[linux-latest] 04/04: linux-image: Add NEWS for security hardening config changes for Linux 4.8
debian-kernel at lists.debian.org
Sat Oct 29 01:26:20 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch sid
in repository linux-latest.
commit d265c8bca3901197765450bd33bce478e759ea30
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sat Oct 29 02:16:21 2016 +0100
linux-image: Add NEWS for security hardening config changes for Linux 4.8
---
debian/changelog | 1 +
debian/linux-image.NEWS | 18 ++++++++++++++++++
2 files changed, 19 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 8757cc8..a44e3d9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ linux-latest (76) UNRELEASED; urgency=medium
* linux-image-{686-pae,amd64}: Delete old NEWS
* linux-image: Add back-dated NEWS for conntrack helpers change in Linux 4.7
(Closes: #839632)
+ * linux-image: Add NEWS for security hardening config changes for Linux 4.8
-- Ben Hutchings <ben at decadent.org.uk> Sat, 29 Oct 2016 01:51:27 +0100
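Review bot: The added changelog line does not name the settings the NEWS entry covers, so someone searching the changelog for vsyscall, iomem or dmesg_restrict will not find this upload. Consider listing them in the entry, for example "(vsyscall, /dev/mem access, dmesg_restrict)", in the same way the line above it names the conntrack helpers change.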
diff --git a/debian/linux-image.NEWS b/debian/linux-image.NEWS
index 5a824ac..6ebf22c 100644
--- a/debian/linux-image.NEWS
+++ b/debian/linux-image.NEWS
@@ -1,3 +1,21 @@
+linux-latest (76) unstable; urgency=medium
+
+ * From Linux 4.8, several changes have been made in the kernel
+ configuration to 'harden' the system, i.e. to mitigate security bugs.
+ Some changes may cause legitimate applications to fail, and can be
+ reverted by run-time configuration:
+ - On 64-bit PCs (amd64), the old 'virtual syscall' interface is
+ disabled. This breaks (e)glibc 2.13 and earlier. To re-enable it,
+ set the kernel parameter: vsyscall=emulate
+ - On most architectures, the /dev/mem device can no longer be used to
+ access devices that also have a kernel driver. This breaks dosemu
+ and some old user-space graphics drivers. To allow this, set the
+ kernel parameter: iomem=relaxed
+ - The kernel log is no longer readable by unprivileged users. To
+ allow this, set the sysctl: kernel.dmesg_restrict=0
+
+ -- Ben Hutchings <ben at decadent.org.uk> Sat, 29 Oct 2016 02:05:32 +0100
+
linux-latest (75) unstable; urgency=medium
* From Linux 4.7, the iptables connection tracking system will no longer
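Review bot: Each of the three items in the new NEWS entry gives the revert setting (vsyscall=emulate, iomem=relaxed, kernel.dmesg_restrict=0) but none says what mitigation is lost by applying it, so an administrator reading this has no basis for deciding whether the revert is worth it. A short clause per item stating what the default now protects against would fix that. Two smaller points: the dmesg item, unlike the other two, does not say what is expected to break, and "On most architectures" in the /dev/mem item does not let a reader tell whether their architecture is affected. The sysctl item could also say that the setting must be made persistent to survive a reboot, since the other two are kernel parameters and persist through the boot loader configuration.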
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux-latest.git