Linux users fall into three basic groups when it comes to the kernel. First, there are those who just use what the distribution supplies. Second, there are those who chose or build their own patchset. And finally, there are vanilla users who just grab whatever from kernel.org and use that.
From a security standpoint, it is usually better to use a patchset, whether it be your distribution's default kernel or something elaborate like Con Kolivas' or Alan Cox' patchets, or your own rolled on top of those. Usually these patchsets contain numerous security fixes to vulnerabilities discovered after stable release; and with the 2.6 development model, waiting for the next release could always mean more potential bugs.
The Hardened Gentoo team supplies a kernel on Gentoo Linux known as hardened-dev-sources. With the upcoming PaX release and a new GrSecurity, h-d-s is finally moving up to 2.6.10. This brings several security fixes and enhancements.
The new h-d-s includes the 2.6.10-ac8 patch, which brings numerous hardware and security fixes to 2.6.10. This fixes a number of vulnerabilities, including several found by the GrSecurity and PaX developers. The random poolsize sysctl integer overflow, RLIMIT_MEMLOCK bypass DoS, and SCSI IOCTL integer overflow are all fixed, as well as many others.
Capabilities are flags assigned to programs that give administrative access to the system, such as CAP_SYS_BOOT (shutdown/reboot) and CAP_SYS_MODULE (load modules). Included in h-d-s are LSM capability fixes to a local root exploit and a patch to enforce common sense in kernel configuration. The first patch is a vulnerability fix, while the second prevents capabilities from being built as a module. All standard Linux systems use capabilities as a major control barrier.
Many programs with privileged (root) access drop capabilities when they're loaded to reduce the damage possible if they are hijacked. When the capability module is loaded, all running privileged programs are given all capabilities. Programs which would have dropped caps are now running with all privileges. This means that any init scripts and services started before the capabilities module is loaded may suffer privilege elevation relative to their normal running mode. For this reason, capabilities should be built in if they are going to be used.
A local DoS in the i810 DRM (CAN-2004-1056) code was also fixed in h-d-s, preventing users from crashing X and displaying odd things on the screen. Support for a.out binaries is also disabled by default; modern Linux distributions run a pure ELF system. And of course, h-d-s features GrSecurity.
The h-d-s kernel also features netdev-random, a patch to gather entropy from network interrupt timing. Network interrupts occur whenever the network card receives data. The path of a packet between a server and a client is often littered with routers interacting with other network requests, and can be affected by electromagnetic noise as well. It is fairly infeasible that network interrupt timing could be significantly manipulated externally, and so this should be a good alternate source of entropy for /dev/random.
Aside from that, various hardware fixes—especially for sparc—are in h-d-s, along with VM patches to make the OOM killer more friendly; IP connection tracking fixes; squashfs; and a fix to the Deadline I/O Scheduler. Overall, the upcoming h-d-s release for 2.6.10 looks to be well rounded. It will be released soon, so Gentoo users should keep an eye out.