security [ARCHIVED] February 2016

security@lists.fedoraproject.org

5 participants
2 discussions

NM generated IPv6 addresses leak your MAC address
by Chris Murphy 12 Feb '16

12 Feb '16

https://bugzilla.redhat.com/show_bug.cgi?id=1279242 The gist of this bug is that NetworkManager on Fedora 23 and Rawhide does not have RFC4941 privacy extensions enabled. So the IPv6 address is predicated on a real MAC address (at least on baremetal) and the address is not temporary and is never deprecated. This is reported to have worked correctly on Fedora 22. Could this be assessed for security impact, in particular as it relates to Fedora release criteria? https://fedoraproject.org/wiki/Fedora_24_Final_Release_Criteria#Security_bu… How would this get fixed with an update? Is there a mechanism to sed the user configuration to change ipv6.ip-privacy to 2? Or is this something that's likely stuck with a value of -1 for the live of the release, unless the user manually makes a change? Thanks, -- Chris Murphy

4 4

Use suid_dumpable=2 for development releases
by Jakub Filak 11 Feb '16

11 Feb '16

Hello, As an ABRT maintainer, I have been asked several times why ABRT does not catch crashes of many processes and one kind of reasons dominate among other reasons - processes that executes set-user-ID programs (man 5 core). These processes are not dumped at all if the value of /proc/sys/fs/suid_dumpable is 0 (man 5 proc) which is the default value. With the default suid_dumpable value, crashes caused by SIGABRT are not detectable because kernel doesn't even write a log message about that. The default value 0 is there for good security reason, but I would like to propose changing the default value to 2 for development Fedora releases (Alpha, Beta, Rawhide). In this case, kernel would send core dump to ABRT (or systemd-coredump) and the ABRT record would be accessible only to root. I believe that maintainers of packages like chrony will be really delighted with this change, while will not weaken security of Fedora for regular users. Regards, Jakub

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

security [ARCHIVED] February 2016