<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><br>
</p>
<div class="moz-cite-prefix">On 21/08/19 00:24, Rich Brown wrote:<br>
</div>
<blockquote type="cite"
cite="mid:9C18EC22-5234-4C2F-BC79-F86E7B6D962C@gmail.com">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Aug 20, 2019, at 5:32 PM, Rosen Penev <<a
href="mailto:rosenp@gmail.com" class=""
moz-do-not-send="true">rosenp@gmail.com</a>> wrote:</div>
<span style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal; font-weight:
normal; letter-spacing: normal; text-align: start;
text-indent: 0px; text-transform: none; white-space: normal;
word-spacing: 0px; -webkit-text-stroke-width: 0px; float:
none; display: inline !important;" class="">... Issues are
more nuanced than this though. These same people</span><br
style="font-family: Helvetica; font-size: 12px; font-style:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; word-spacing:
0px; -webkit-text-stroke-width: 0px;" class="">
</blockquote>
</div>
<div>
<blockquote type="cite" class="">
<div class="">
<div class="Singleton"><span style="font-family: Helvetica;
font-size: 12px; font-style: normal; font-variant-caps:
normal; font-weight: normal; letter-spacing: normal;
text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; float: none; display:
inline !important;" class="">several months ago
mentioned a serious ASLR weakness with MIPS.</span><br
style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px;" class="">
<span style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; float: none; display:
inline !important;" class="">Patches went in the kernel
for it. </span></div>
</div>
</blockquote>
<div><br class="">
</div>
Does this mean that snapshot builds (with current kernels) now
protect against that MIPS vulnerability? What about the stable
builds?</div>
<div><br class="">
</div>
</blockquote>
<p>ASLR is not enabled on OpenWrt (as I said in a mail a few seconds
ago) so any vulnerability in ASLR is irrelevant.<br>
</p>
<p><br>
</p>
<blockquote type="cite"
cite="mid:9C18EC22-5234-4C2F-BC79-F86E7B6D962C@gmail.com"><br>
<div><br class="">
</div>
<div>What statements/assertions can we make about whether these
are used to create release or snapshot builds? Thanks to all who
can contribute info.</div>
<div><br class="">
</div>
<br>
</blockquote>
<p><br>
</p>
<p>In my other message I pointed to the source of the build system
with the default options for various stuff.</p>
<p>The same hardening options are used for both release and snapshot
releases afaik. <br>
</p>
<p>They differ only in default package selection (and on source
version used of course)</p>
<p>-Alberto<br>
</p>
</body>
</html>