Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Owl homepage
Other languages
Russian
Concepts
Architectures
Build environment
Installation instructions
Upgrade instructions
Download (HTTP, FTP, rsync, anoncvs)
CVSweb
Purchase CDs
Change logs
Changes in current
Changes in 3.0-stable
Changes up to 3.0
Changes in 2.0-stable
Changes up to 2.0
Changes in 1.1-stable
Changes up to 1.1
Changes up to 1.0
Changes in 0.1-stable
Artwork
Screenshots
Presentation slides
Wiki
OpenVZ virtualization
Packages
Owl VPS hosting
Owl in the news
This file lists the major changes made between Owl releases. While some of the changes listed here may also be made to a stable branch, the complete lists of stable branch changes are included with those branches and as errata for the corresponding Owl releases only.

This is very far from an exhaustive list of changes. Small changes to individual packages won't be mentioned here unless they fix a security or a critical reliability problem. They are, however, mentioned in change logs for the packages themselves.

Changes made between Owl 1.1 and Owl 2.0.

2006/01/18	Package: strace

Updated to 4.5.14.

2006/01/18	Package: pam

Updated to 0.99.3.0.

2006/01/18	Package: libutempter

Updated to 1.1.4.

2006/01/14	Package: nmap

Updated to 3.95.

2006/01/07 -
2006/01/11	Package: bash

Updated to 3.1 patchlevel 5.

2006/01/05	Package: postfix

Updated to 2.2.8.

2006/01/05	Package: glibc
SECURITY FIX	Severity: none to low, N/A, N/A

Corrected a bug in the way salts for extended DES-based and for MD5-based password hashes are generated with the crypt_gensalt*() family of functions; thanks to Marko Kreen for discovering and reporting this. The bug would result in a higher than expected number of matching salts with large numbers of password hashes of the affected types generated on an Owl system through a mechanism that uses the affected glibc functions (such as pam_tcb). If the password hashes would ever be compromised (e.g., by exploiting another vulnerability), it would be possible to test candidate passwords against them at a faster effective rate because of this bug. The Blowfish-based (bcrypt) hashes that Owl has always been using by default and the traditional DES-based crypt(3) hashes were not affected.

2005/12/30	Package: dialog

Updated to 1.0-20051219.

2005/12/27	Package: pam

Updated to 0.99.2.1. Moved pam_stack into a new pam-compat subpackage.

2005/12/27	Package: tcb

Implemented OpenPAM support. Updated pam_tcb to use new interfaces provided by Linux-PAM >= 0.99.1.0.

2005/12/26	Package: diffstat

Updated to 1.41.

2005/12/26	Package: hdparm

Updated to 6.3.

2005/12/25	Package: man

Updated to 1.6b.

2005/12/24	Package: gcc

Updated to 3.4.5.

2005/12/24	Packages: db4, pam, perl, postfix;
		Owl/build/{installorder.conf,installworld.sh}

Updated db4 to 4.2.52.

2005/12/24	Package: chkconfig

Updated to 1.3.25.

2005/12/23	Packages: libnet, libnids;
		Owl/build/installorder.conf

Updated libnet to 1.1.3-RC-01 and libnids to 1.20.

2005/12/18	Package: vim

Updated to 6.4 patchlevel 4.

2005/10/09 -
2005/12/16	Package: john

The handling of LM hashes has been enhanced to use case insensitive comparisons of the encodings when eliminating duplicate and already-cracked hashes at load time and when displaying cracked passwords. The way nouns ending in "z" and "h" are pluralized with the "p" wordlist rules command has been corrected. A workaround for OpenAFS has been added to unafs. Any charset file changes will now be detected when restoring sessions. The supplied charset files and password.lst have been updated. A new pre-defined "incremental" mode "Alnum" (for alphanumeric) has been added. A bug with the handling of break statements with nested loops in the external mode compiler has been fixed.

2005/12/13	Package: postfix

Updated to 2.2.7.

2005/12/11	Package: man-pages;
		Owl/build/installorder.conf

Updated to 2.16, including the addition of POSIX man pages in their own subpackage.

2005/12/08	Package: findutils

Updated to 4.2.27.

2005/12/06	Package: perl

Backported upstream fix for a potential integer overflow in perl format string functionality. Third-party software which passes untrusted input into format strings may allow attackers to overwrite arbitrary memory in the Perl interpreter and possibly execute arbitrary code via format string specifiers with large values. Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3962

2005/11/27	Package: vsftpd

Updated to 2.0.3.

2005/11/26	kernel

Updated to Linux 2.4.32-ow1.

2005/11/22	Package: gnupg

Updated to 1.4.2.

2005/11/18	Package: libpcap

Updated to 0.9.4.

2005/11/16	Package: cpio
SECURITY FIX	Severity: high, local, passive

Backported upstream fix for a potential stack-based buffer overflow in cpio. When cpio is used by a privileged user to archive files created by a less privileged user, it is possible to overflow a buffer on the stack with a very large sparse file. This issue only affects 64-bit platforms. Reference:
http://lists.gnu.org/archive/html/bug-cpio/2005-11/msg00004.html

2005/11/16	Package: grep

Updated to 2.5.1a.

2005/11/14	Packages: traceroute, iputils;
		Owl/build/installorder.conf

Replaced traceroute with Olaf Kirch's implementation. Packaged traceroute6 binary within traceroute package.

2005/11/14	Package: cvs

Updated to 1.11.21.

2005/11/13	Package: postfix

Introduced "postqueue" control(8) facility to restrict queue views and runs.

2005/11/12	Package: tar

Updated to 1.15.1 with backported fixes from tar CVS and patches from ALT Linux and Debian.

2005/11/12	Package: quota

Updated to 3.13.

2005/11/12	Package: patch

Updated to 2.5.9.

2005/11/12	Package: sed

Updated to 4.1.4.

2005/11/11	Package: indent

New package: a program for formatting C source code.

2005/11/09	Package: glibc

Updated to 2.3.6.

2005/11/08	Packages: tinycdb, pcre, postfix, nmap

New packages: constant database library, Perl-compatible regular expression library. Enabled CDB database type and PCRE lookup tables support in Postfix.

2005/11/07	Package: coreutils

Updated to 5.93.

2005/10/30	Package: procmail

Updated to 3.22 with patches from ALT Linux and Debian. Fixed a procmail bug which could result in mailbox corruption when running into a disk quota or a full partition.

2005/10/29	Packages: openssh, pam, popa3d, shadow-utils, SimplePAMApps,
		vixie-cron, vsftpd

Changed PAM config files to use new "include" directive.

2005/10/26	Package: modutils

Integrated module-init-tools for Linux 2.6.x readiness, based on patches from ALT Linux.

2005/10/24	Package: SysVinit

Updated to 2.86.

2005/10/23	Package: file

Updated to 4.16.

2005/10/23	Package: strace
SECURITY FIX	Severity: high, local, passive

Applied upstream fix for a potential buffer overflow in printpathn(). When "strace -p" is used by a privileged user to attach to a less privileged process, the latter may overflow a static fixed-size buffer with arbitrary data of arbitrary length.

2005/10/23	Package: zlib

Updated to 1.2.3.

2005/10/23	Package: coreutils

Updated to 5.92.

2005/10/23	Package: net-tools

Updated to 1.60.

2005/10/22	Package: m4

Updated to 1.4.4.

2005/10/21	Package: lilo

Updated to 22.7.1 with added patches both to LILO itself and to the mkrescue(8) script.

2005/10/20	Package: kbd

Updated to 1.12.

2005/10/20	Packages: openntpd, owl-etc;
		Owl/build/installorder.conf

New package: OpenNTPD is an NTP time synchronization server and client.

2005/10/20	Packages: setarch, sparc32;
		Owl/build/installorder.conf

sparc32 has been replaced with setarch, which is not limited to the SPARC architecture. setarch is an utility to set machine sub-architecture type and Linux kernel personality flags for individual program invocations.

2005/10/20	Package: silo

Updated to 1.4.9.

2005/10/20	Package: elfutils-libelf

Updated to 0.115.

2005/10/17	Package: rpm

Changed package upgrade algorithm to remove old files on "-U --force" even if package versions match. When comparing package versions on -U or -F, take build dates into account.

2005/10/11	Package: openssl
SECURITY FIX	Severity: low, remote, active

Applied upstream fix for potential SSL 2.0 rollback during SSL handshake. Applications using either SSL_OP_MSIE_SSLV2_RSA_PADDING or SSL_OP_ALL option miss a verification step in the SSL 2.0 server supposed to prevent active protocol-version rollback attacks. With this verification step disabled, an attacker acting as a "man in the middle" can force a client and a server to negotiate the SSL 2.0 protocol even if these parties both support SSL 3.0 or TLS 1.0. The SSL 2.0 protocol is known to have severe cryptographic weaknesses and is supported as a fallback only. References:
http://www.openssl.org/news/secadv_20051011.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2969

2005/09/30	Package: tcsh

Updated to 6.14.00.

2005/09/29	Package: cvs

Updated to 1.11.20 with many patches, primarily from ALT Linux.

2005/09/24	Packages: bind, owl-etc;
		Owl/build/installorder.conf

New package: the ISC BIND server.

2005/09/21	Package: cdk

New package: CDK is a widget set developed on top of ncurses.

2005/09/17	Package: findutils

Updated to 4.2.25.

2005/09/14	Package: util-linux
SECURITY FIX	Severity: none to high, local, active

Applied upstream fix to umount(8) to avoid unintentional grant of privileges by "umount -r". This only affected systems which made umount available to non-root users with control(8) (by default, only root can invoke umount) and specified any filesystems with restrictive flags (such as nosuid or nodev) as user-mountable. References:
http://marc.info/?l=bugtraq&m=112656096125857
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2876

2005/09/05	Package: john

All of the documentation has been updated to apply to the current version. The old John the Ripper 1.6 documentation has been removed.

2005/08/30	Package: procps

Updated to 3.2.5.

2005/08/23	Packages: pam, tcb, SimplePAMApps;
		Owl/build/installorder.conf

Updated PAM to 0.80. No longer build pam_pwdb, the tcb package will provide compatibility symlinks instead.

2005/08/18	Package: libutempter

Updated to 1.1.3.

2005/08/18	Package: sysklogd

Applied fixes from CVS snapshot 20050525, imported a few patches from ALT Linux.

2005/08/11	Package: postfix

Updated to 2.2.5.

2005/08/10	Package: strace

Updated to 4.5.13.

2005/08/08	Package: mtree

Updated to version from current OpenBSD (post-3.7). Fixed a number of bugs in mtree spec file creation and parsing, including with processing of filenames starting with the hash character ('#') or containing glob(3) wildcard characters, of comment lines ending with a backslash ('\\'), and of files not ending with a linefeed.

2005/08/03 -
2005/08/08	Package: owl-setup; Owl/doc/INSTALL

The shell scripts based Owl setup utility has finally been replaced by the new installer written in C++. There are two programs: "setup", which may be used to (re-)configure the current system (whether CD-booted or installed on a hard drive), and "settle", the Owl installer to be run off an Owl CD to install Owl on a hard drive.

2005/07/28	Package: openssh

Added delayed compression support for SSH protocol 2 (a back-port of the changes committed into the OpenBSD CVS repository recently), enabled in sshd by default. With the new default setting, sshd will only allow for compression to be enabled after authentication. Unfortunately, this requires SSH client support as well, meaning that old SSH protocol 2 clients will be unable to use compression with our new sshd at its default setting. SSH protocol 1 has always insisted on authentication prior to compression and thus is unaffected by this change. The rationale for the change is to reduce the exposure of potential vulnerabilities in the code associated with compression (in OpenSSH itself and in zlib). Thanks to Markus Friedl for working on this and for bringing it to our attention.

2005/07/07	Package: lilo

Updated to 22.7.

2005/06/30	Package: postfix

Updated to 2.2.4.

2005/06/28	Package: xinetd

Updated to 2.3.13.

2005/06/25	kernel

Updated to Linux 2.4.31-ow1.

2005/06/24 -
2005/06/25	Packages: elinks, lftp, mtree, mutt, nmap, openssh,
		openssl

Updated openssl to 0.9.7g.

2005/06/21	Package: vixie-cron

Implemented PAM accounting and session management support.

2005/06/11 -
2005/06/21	Package: findutils

Updated to 4.2.23.

2005/06/14	Packages: elfutils-libelf, ltrace

New package: elfutils-libelf provides a library for reading and writing ELF files on a high level. Updated ltrace to 0.3.36 (making use of libelf). This makes ltrace work for program binaries built with recent versions of binutils.

2005/06/11	Package: strace

Updated to 4.5.12.

2005/05/28 -
2005/05/29	Packages: binutils, gdb
SECURITY FIX	Severity: high, local, passive

Updated binutils to 2.15.94.0.2.2 and gdb to 6.3. Added sanity checks to BFD library and readelf utility to avoid integer overflows (where a specially crafted object file may lead to a heap-based buffer overflow), fixes for potential stack-based buffer overflows in readelf utility, and a fix for the .gdbinit issue in gdb. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1704
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1705

2005/05/26	Package: libtool

Updated to 1.5.18.

2005/05/26	Package: lftp

Updated to 2.6.12.

2005/05/20	Packages: gzip, bzip2;
		Owl/build/installorder.conf
SECURITY FIX	Severity: high, local, passive

Updated gzip to 1.3.5. Added fixes for directory traversal in gunzip (where a malicious gzipped file could specify file name to be extracted to outside of the intended directory tree when gunzip was used with the -N option), for race condition in the file permission handling code of gzip and gunzip, and fix of zgrep and bzgrep utilities to properly sanitize arguments. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1228
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0758

2005/05/17	Package: diffutils

Updated to 2.8.7.

2005/05/06 -
2005/05/16	Package: bzip2

Updated to 1.0.3.

2005/05/15	Package: glibc

Updated to 2.3.5 with post-release changes from 2.3-branch, patches from ALT Linux, Red Hat Fedora, and SuSE, and with our modifications.

2005/04/16 -
2005/05/15	kernel
SECURITY FIX	Severity: high, local, active

Updated to Linux 2.4.30-ow1 and later to 2.4.30-ow3. Linux 2.4.30 (and thus 2.4.30-ow1) includes a hardening change which makes the ELF core dump vulnerability discovered by Paul Starzetz unexploitable. Linux 2.4.30-ow3 includes a real fix for said vulnerability. References:
http://www.isec.pl/vulnerabilities/isec-0023-coredump.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1263

2005/05/05 -
2005/05/11	Package: cpio
SECURITY FIX	Severity: high, local, passive

Updated to 2.6. Added fixes for directory traversal (where a malicious archive could specify files to be extracted to outside of the intended directory tree) and for certain race condition issues. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1229
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1111

2005/05/07	Packages: coreutils, fileutils, sh-utils, textutils,
		shadow-utils; Owl/build/installorder.conf

Replaced fileutils, sh-utils, and textutils with coreutils (a recent CVS snapshot, post-5.3.0, with patches as maintained in ALT Linux Sisyphus).

2005/04/30	Package: bison

Updated to 2.0.

2005/04/25	Packages: automake, patchutils

Updated automake to 1.9.5.

2005/04/25	Package: texinfo

Updated to 4.8.

2005/02/28 -
2005/04/20	Package: john

Implemented a number of bitslice DES set_key*() optimizations resulting in speedups for LM hashes, as well as for traditional DES-based crypt(3) hashes when only a handful of hashes are loaded.

2005/04/10	Package: dhcp

dhcpd(8) and dhcrelay(8) will now drop privileges by default (rather than only when the appropriate command line options are given). Previously, they would fail to work when no privilege reduction was requested (a bug).

2005/03/28	Package: telnet
SECURITY FIX	Severity: high, remote, passive

Corrected the slc_add_reply() and env_opt_add() buffer overflows which might have allowed a malicious Telnet server to execute arbitrary machine code within the context of the telnet client process used to connect to the server. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468

2005/03/25	Package: e2fsprogs

Updated to 1.37.

2005/03/14	Package: vixie-cron

Updated to 4.1 as found in OpenBSD CVS snapshot dated 2004/09/16, with further modifications by Owl and ALT Linux teams. This package now also provides at(1) and related commands.

2005/03/05	Package: iproute2

Added a patch to support HTB qdisc, see tc-htb(8) man page. Reference:
http://luxik.cdi.cz/~devik/qos/htb/

2005/02/22 -
2005/03/03	Package: glibc

The OpenBSD-derived strlcpy(3) and strlcat(3) functions are now included in libc_nonshared.a such that they're available with dynamic linking but are nevertheless linked in statically in order to make sure that no programs become dependent on the presence of these extensions in the shared library. The strlcpy(3) and strlcat(3) man pages have been added.

2005/02/19 -
2005/02/21	Package: psmisc

Updated to 21.5.

2005/02/06	Package: perl
SECURITY FIX	Severity: low, local, passive

Corrected File::Path::rmtree to never make directories and files world-read/writable and updated its documentation to reflect the remaining security and reliability problems. Thanks to Jeroen van Wolffelaar for discovering this problem and reporting it to Debian. Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0452

2005/02/06	Package: cpio
SECURITY FIX	Severity: low, local, passive

Obey the current umask when creating output files; previously, the files would be created with mode 666. Thanks to Mike O'Connor for bringing this up. Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1572

2005/01/20	kernel
SECURITY FIX	Severity: high, local, active

Updated to Linux 2.4.29-ow1. Linux 2.4.29, and thus 2.4.29-ow1, adds a number of security fixes, including to the x86/SMP page fault handler and the uselib(2) race conditions, both discovered by Paul Starzetz. The potential of these bugs is a local root compromise. The uselib(2) bug does not affect default builds of Linux kernels with the Openwall patch applied since the vulnerable code is only compiled in if one explicitly enables CONFIG_BINFMT_ELF_AOUT, an option introduced by the patch. References:
http://www.isec.pl/vulnerabilities/isec-0022-pagefault.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0001
http://www.isec.pl/vulnerabilities/isec-0021-uselib.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1235

2005/01/12 -
2005/01/20	Packages: gcc, glibc, SysVinit, crontabs, db4, dhcp,
		fileutils, gpm, ipchains, lilo, ltrace, mtree,
		net-tools, procps;
		Owl/build/.rpmmacros;
		Owl/build/{installorder.conf,installworld.sh}

Updated to GCC 3.4.3 and a post-2.3.3 glibc snapshot. Fixed whatever packages this broke.

2005/01/15	Package: psmisc

In pstree(1), implemented support for displaying multiple accessible subtrees when running with the "restricted /proc" kernel patch.

2004/12/04	Package: gnupg

Updated to 1.2.6.

2004/11/28	Package: hdparm

Updated to 5.8.

2004/11/26	Package: patchutils

New package: a collection of programs that operate on patch files.

2004/11/23 -
2004/11/28	kernel; Package: net-tools
SECURITY FIX	Severity: low to high, local/remote, active/passive

Updated to Linux 2.4.28-ow1. Linux 2.4.28, and thus 2.4.28-ow1, fixes a number of security-related bugs, including the ELF loader vulnerabilities discovered by Paul Starzetz (confirmed: ability for users to read +s-r binaries; potential: local root), a race condition with reads from Unix domain sockets (potential local root), smbfs support vulnerabilities discovered by Stefan Esser (confirmed: remote DoS by a malicious smbfs server; potential: remote root by a malicious server). References:
http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
http://marc.info/?l=bugtraq&m=110091183206580
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0883
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0949

2004/11/11	Package: shadow-utils

"useradd" and related tools will now optionally allow user and group names longer than 8 characters, even though these may not be fully supported by the rest of Owl and by third-party software. This is controlled with the added USERNAME_MAX and GROUPNAME_MAX settings in /etc/login.defs, both of which are documented in login.defs(5).

2004/11/05	Package: modutils

Updated to 2.4.27.

2004/11/03	Owl/doc/REDHAT

New file: a list of known issues with using packages from or intended for Red Hat Linux on Owl.

2004/09/02 -
2004/11/03	Packages: autoconf, automake, gcc, gettext, glibc,
		libtool, rpm;
		other affected packages;
		Owl/build/*; Owl/doc/{BUILD,INSTALL,CONCEPTS}

Merged in updates to autoconf 2.59, automake 1.8.3, gcc 3.2.2, gettext 0.14.1, glibc 2.3.2 (with Red Hat's patches as of RHL9 but without NPTL, and indeed updating all of our relevant patches), libtool 1.5.2, rpm 4.2 (with support for db1-format packages database re-introduced to allow for upgrades from older versions of Owl). Applied minor fixes to around 50 other packages this broke. Migrated to FHS 2.2 (packages' documentation and man pages now go under /usr/share).

2004/09/10 -
2004/11/02	Packages: openssl, openssh

Updated OpenSSL to 0.9.7d.

2004/09/10 -
2004/09/28	Package: shadow-utils

Updated to 4.0.4.1, modified usermod(8) to update the last password change field when invoked with the "-p" option.

2004/09/26	Package: make

Updated to 3.80.

2004/09/10	Package: db4

New package: the Berkeley DB version 4.

2004/09/10	Package: strace

Updated to 4.5.1.

2004/09/10	Package: quota

Updated to 3.11.

2004/08/16	Package: libnids

Updated to 1.19.

2004/08/04 -
2004/08/15	kernel
SECURITY FIX	Severity: none to high, local, active

Updated to Linux 2.4.26-ow3 and further to 2.4.27-ow1. This corrects the access control check which previously wrongly allowed any local user to change the group ownership of arbitrary NFS-exported/imported files and adds a workaround for the file offset pointer races discovered by Paul Starzetz. The former is only exploitable when files are NFS-exported from a server running a vulnerable version of Linux 2.4.x, and the currently publicly known exploit for the latter relies on code enabled with CONFIG_MTRR kernel build option which has not been enabled in the default kernels on Owl CDs. However, as the potential impact of both issues is a local root compromise, an upgrade of older Linux 2.4.x installs to 2.4.26-ow3+ is highly recommended. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0497
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0415
http://www.isec.pl/vulnerabilities/isec-0016-procleaks.txt

2004/07/27	Package: iptables

Updated to 1.2.11.

2004/07/16 -
2004/07/21	Packages: sed, acct, gdbm, man, sh-utils, slang, vim

Updated sed to 4.1.1 and other packages' build scripts to make use of the new sed's ability of in-place editing ("sed -i").

2004/07/10	Package: gdb

Updated to 6.1.1.

2004/06/22	Package: dhcp

Added a bounds checking patch covering sprintf() calls with "%s" format specifier and non-constant strings and forcing the use of snprintf() and vsnprintf() in all places where that was previously supported but not enabled. Thanks to Gregory Duchemin for discovering that some of these actually resulted in a vulnerability in versions of the DHCP suite newer than the one we're using in Owl.

2004/06/19	kernel
SECURITY FIX	Severity: low to high, local, active

Updated to Linux 2.4.26-ow2. This fixes multiple security-related bugs in the Linux kernel (those discovered by Al Viro using "Sparse", fsave/frstor local DoS on x86, infoleak in the e1000 driver, and some others) as well as two non-security bugs in the -ow patch itself. Which of these bugs affect a particular build of the Linux kernel depends on what drivers are compiled in (or loaded as modules). For the default kernels on Owl CDs, it's only the Intel PRO/1000 Gigabit Ethernet driver (e1000) which has a vulnerability allowing for more than a DoS attack fixed with this update. References:
http://marc.info/?l=openwall-announce&m=108763826328168
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0495
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0554
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0535

2004/06/09	Package: shadow-utils
SECURITY FIX	Severity: none to low, local, active

Properly check the return value from pam_chauthtok(3) in chfn(1) and chsh(1). Previously, if chfn and/or chsh commands would be enabled for non-privileged users with control(8), it would have been possible for a logged in user with an expired password to change their "Full Name" and login shell without having to change the password. Thanks to Steve Grubb and Martin Schulze for discovering this problem.

2004/05/18 -
2004/06/09	Package: cvs
SECURITY FIX	Severity: none to high, remote, active

Added back-ports of fixes for multiple CVS server vulnerabilities, some of which are known to be exploitable allowing for a malicious client to execute arbitrary code within the CVS server. Thanks to Stefan Esser, Sebastian Krahmer, and Derek Robert Price for finding and fixing these bugs. Despite these fixes, it should not be assumed that CVS server provides any security against a malicious client. If required, any restrictions on the actions CVS server is allowed to perform should be imposed at the OS level. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0396
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0414
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0416
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0417
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0418

2004/06/07	Package: openssh
SECURITY FIX	Severity: high, remote, passive

Fixed directory traversal vulnerability in scp which allowed malicious SSH servers to overwrite arbitrary files on the client system. Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0175

2004/06/02	Package: scanlogd

chroot to /var/empty to further reduce the impact of potential bugs in scanlogd and the libraries that it uses.

2004/05/19	Packages: tcp_wrappers, openssh, xinetd

Added a patch to tcp_wrappers to also build a shared version of the libwrap library.

2004/05/14	Packages: ncurses, procps

Updated ncurses to 5.4 with official patches up to 20040508.

2004/05/07	Package: binutils

Updated to 2.15.90.0.3.

2004/04/18	kernel; Package: owl-cdrom
SECURITY FIX	Severity: high, local, active

Updated to Linux 2.4.26-ow1. Linux 2.4.26 (and thus 2.4.26-ow1) fixes an integer overflow vulnerability in processing of the MCAST_MSFILTER socket option discovered by Paul Starzetz. When properly exploited, the bug would lead to a local root compromise. Also included in this kernel release is a fix for the ext3/XFS information leak discovered by Solar Designer and a number of other relatively minor fixes. As it relates to Owl, the kernel image on Owl CDs will now include the Broadcom Tigon3 Gigabit Ethernet driver and the BusLogic SCSI controller driver, but will not include support for IrDA (had to drop it to make room for the extra device drivers). References:
http://www.isec.pl/vulnerabilities/isec-0015-msfilter.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0424
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0177
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0133

2004/04/14	Package: cvs
SECURITY FIX	Severity: high, remote, passive

Added a fix to the CVS client to ensure that pathnames provided by a CVS server point to within the working directory. Without this fix, a malicious CVS server could cause the CVS client to attempt to create files at arbitrary locations thus gaining control over the user account. This problem has been brought to the attention of CVS developers and distribution vendors by Sebastian Krahmer of SuSE. Additionally, CVS server has been further restricted to disallow the use of relative pathnames to view files outside of the CVS repository. However, despite this last fix, it should not be assumed that CVS server provides any security against a malicious client being able to access arbitrary files available under the privileges granted to the CVS server at the OS level. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0405

2004/03/18	Package: openssl
SECURITY FIX	Severity: low, remote, passive to active

Updated to 0.9.6m. This release of OpenSSL fixes a NULL pointer dereference during SSL handshake. If triggered, the bug would cause the remote process or thread to crash. Depending on the application this could lead to a denial of service. For the applications which are a part of Owl, it's only individual invocations of network clients which are affected and may be caused to crash by a malicious server. References:
http://www.openssl.org/news/secadv_20040317.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079

2004/02/20 -
2004/02/24	Packages: readline, bash, bc, gdb, lftp

Updated readline to 4.3.

2004/02/18	Package: libnids

Added a patch to support Prism wireless cards, by Snax of AirSnort project (http://airsnort.shmoo.com).

2004/02/15	Package: libpcap

Updated to 0.8.1

2004/02/13	Package: mutt

Updated to 1.4.2.1. This release of Mutt is a security fix, but Owl was not affected with its current glibc because of the lack of UTF-8 locales support.

2004/02/08	Package: SimplePAMApps

In login(1) and su(1), generate ut_id's consistently with libutempter and OpenSSH (patch from Dmitry V. Levin of ALT Linux). This will make "su -" replace existing utmp entries for the duration of the su session.

2004/02/08	Package: chkconfig

Updated to 1.3.9.

2004/01/20 -
2004/01/29	Packages: perl, vim

Updated Perl to 5.8.3.

2004/01/21 -
2004/01/28	Packages: links, elinks

Links has been replaced with ELinks 0.9.0 and further with 0.9.1.

2004/01/18	Package: owl-startup

Added /sbin/service script for Red Hat Linux compatibility. Set net.ipv4.tcp_timestamps = 0 to prevent leaks of the exact system's uptime. There's a detailed comment in /etc/sysctl.conf explaining this option and possible drawbacks of having it set one way or the other.

2004/01/17	Package: procps

In top, handle ticks going backwards gracefully. This may happen due to kernel and hardware issues and previously resulted in top reporting absurd idle processor time percentages under high load on SMP systems.

2004/01/14	Package: screen

Updated to 4.0.2.

2004/01/10	Package: john

Corrected a segfault with --stdin introduced with John 1.6.34.2.

2004/01/05	Package: sysklogd

The startup script will now accept command-line options for syslogd and klogd specified in /etc/sysconfig/syslog.

$Owl: Owl/doc/CHANGES-2.0,v 1.204 2011/08/27 11:56:24 solar Exp $

Powered by Openwall GNU/*/Linux - Powered by OpenVZ