Saturday, March 05, 2005

PaX changing hands

Due to a spectacular fuckup, PaX will be changing hands on April 1, 2005. The GrSecurity team will be picking up the PaX code base after then.

A little background: in reality, PaX and GrSecurity are each run by a single developer. "The PaX Team" is a single anonymous person who took the initiative in 2000 to create what may very well be capable of stopping over half of security exploits before they occur. The same person has been maintaining PaX since its initial release in October 2000, four and a half years ago.

The potential impact can't be measured yet. Brad Spengler isn't exactly clueless; however, there is still the considerable loss of the PaX lead developer. Eric Steven Raymond made the accurate observation that creative minds are a valuable, limited resource and shouldn't be wasted. While handing off PaX is not in itself potentially disastrous, the permanent loss of a mind as creative as its original developer is mournful.

While specific details have not yet been released, the PaX vulnerability is a bug in the VMA mirroring implemented in September 2002 (there's a typo in the announcement that says 2003). This mirroring is what allows random placement of fixed-position code (RANDEXEC) and the second NX emulation method on x86 (SEGMEXEC). Kernels using only the original or improved PAGEEXEC method, without the affected methods compiled in, are not vulnerable.

New versions of PaX and GrSecurity have been released to cover the bug. There hadn't been a PaX release since 2.6.7; GrSecurity had been using experimental ports that only the inner circle surrounding the projects had direct access to. At this time, the newly released patches are a required critical security update, and so official PaX patches have been released for Linux 2.6.11. Please upgrade to 2.6.11 with the new PaX or GrSecurity ASAP.
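To tell whether a given kernel build is exposed, the condition above (SEGMEXEC or RANDEXEC compiled in, PAGEEXEC alone not affected) can be checked against the kernel .config. This is an added example, not code from PaX or GrSecurity; the option names CONFIG_PAX_SEGMEXEC, CONFIG_PAX_RANDEXEC and CONFIG_PAX_PAGEEXEC are assumed from PaX's Kconfig naming, and the sample configs are constructed.

```shell
#!/bin/sh
# pax_exposure_check: report whether a kernel .config has the PaX methods
# that rely on VMA mirroring (SEGMEXEC, RANDEXEC) compiled in.
# Option names are assumed from PaX's Kconfig naming; confirm them against
# your own .config. Returns 0 when only PAGEEXEC (or nothing) is built,
# 1 when a mirrored method is enabled and the 2.6.11 update is needed.
pax_exposure_check() {
    cfg="$1"
    exposed=0
    for opt in CONFIG_PAX_SEGMEXEC CONFIG_PAX_RANDEXEC; do
        if grep -q "^${opt}=y" "$cfg"; then
            echo "$opt=y: VMA mirroring in use, affected by the PaX bug"
            exposed=1
        fi
    done
    if grep -q "^CONFIG_PAX_PAGEEXEC=y" "$cfg"; then
        echo "CONFIG_PAX_PAGEEXEC=y: not affected on its own"
    fi
    return $exposed
}

# Constructed sample configs (not real kernel configs) so this runs offline.
SAMPLE_DIR=$(mktemp -d)
make_sample_configs() {
    printf 'CONFIG_PAX=y\nCONFIG_PAX_PAGEEXEC=y\n# CONFIG_PAX_SEGMEXEC is not set\n# CONFIG_PAX_RANDEXEC is not set\n' \
        > "$SAMPLE_DIR/safe.config"
    printf 'CONFIG_PAX=y\nCONFIG_PAX_PAGEEXEC=y\nCONFIG_PAX_SEGMEXEC=y\n' \
        > "$SAMPLE_DIR/exposed.config"
}

# Demo: the second config has SEGMEXEC built in, so the check flags it.
make_sample_configs
pax_exposure_check "$SAMPLE_DIR/safe.config"
pax_exposure_check "$SAMPLE_DIR/exposed.config" \
    || echo "-> upgrade to 2.6.11 with the new PaX or GrSecurity"
```

On a live system, pass /boot/config-$(uname -r), or decompress /proc/config.gz to a file first.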
