<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
On 05/12/2015 02:04 AM, <a class="moz-txt-link-abbreviated" href="mailto:apoc@keemail.me">apoc@keemail.me</a> wrote:<br>
<blockquote cite="mid:Jp6MdSY----0@keemail.me" type="cite">
Hello!
<div>I'm interested in the security audit performed by Solar
Designer in 2005, which is mentioned in the "Security" section
of the OpenVZ website.</div>
<div><br>
</div>
<div>Is there a reason why it's still not publicly available?</div>
</blockquote>
<br>
It was never meant to be released to the general public; it was an
internal audit.<br>
<br>
Having said that, I can share some details I do remember. It was an OpenVZ
2.6.8-based kernel,
and Solar used a few different techniques, both advanced (like fuzzy
syscall testing) and
simple (good ol' source code reading). He was able to find one bug
specific to OpenVZ,
which was immediately fixed, and three security vulnerabilities that
were not
OpenVZ-specific and came from the upstream kernel -- those were also
reported,
fixed in upstream and backported to our kernel. That's pretty much
it.<br>
<br>
Note that Solar also uses OpenVZ kernels in the Openwall GNU/*/Linux distro
(<a class="moz-txt-link-freetext" href="http://www.openwall.com/Owl/">http://www.openwall.com/Owl/</a>).<br>
<br>
Kir.<br>
</body>
</html>