[linux-latest] 04/04: linux-image: Add NEWS for security hardening config changes for Linux 4.8

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Sat Oct 29 01:26:20 UTC 2016 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch sid
in repository linux-latest.

commit d265c8bca3901197765450bd33bce478e759ea30
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sat Oct 29 02:16:21 2016 +0100

    linux-image: Add NEWS for security hardening config changes for Linux 4.8
---
 debian/changelog        |  1 +
 debian/linux-image.NEWS | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 8757cc8..a44e3d9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ linux-latest (76) UNRELEASED; urgency=medium
   * linux-image-{686-pae,amd64}: Delete old NEWS
   * linux-image: Add back-dated NEWS for conntrack helpers change in Linux 4.7
     (Closes: #839632)
+  * linux-image: Add NEWS for security hardening config changes for Linux 4.8
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sat, 29 Oct 2016 01:51:27 +0100
 
diff --git a/debian/linux-image.NEWS b/debian/linux-image.NEWS
index 5a824ac..6ebf22c 100644
--- a/debian/linux-image.NEWS
+++ b/debian/linux-image.NEWS
@@ -1,3 +1,21 @@
+linux-latest (76) unstable; urgency=medium
+
+  * From Linux 4.8, several changes have been made in the kernel
+    configuration to 'harden' the system, i.e. to mitigate security bugs.
+    Some changes may cause legitimate applications to fail, and can be
+    reverted by run-time configuration:
+    - On 64-bit PCs (amd64), the old 'virtual syscall' interface is
+      disabled.  This breaks (e)glibc 2.13 and earlier.  To re-enable it,
+      set the kernel parameter: vsyscall=emulate
+    - On most architectures, the /dev/mem device can no longer be used to
+      access devices that also have a kernel driver.  This breaks dosemu
+      and some old user-space graphics drivers.  To allow this, set the
+      kernel parameter: iomem=relaxed
+    - The kernel log is no longer readable by unprivileged users.  To
+      allow this, set the sysctl: kernel.dmesg_restrict=0
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Sat, 29 Oct 2016 02:05:32 +0100
+
 linux-latest (75) unstable; urgency=medium
 
   * From Linux 4.7, the iptables connection tracking system will no longer

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux-latest.git

More information about the Kernel-svn-changes mailing list