Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Owl homepage
Other languages
Russian
Concepts
Architectures
Build environment
Installation instructions
Upgrade instructions
Download (HTTP, FTP, rsync, anoncvs)
CVSweb
Purchase CDs
Change logs
Changes in current
Changes in 3.0-stable
Changes up to 3.0
Changes in 2.0-stable
Changes up to 2.0
Changes in 1.1-stable
Changes up to 1.1
Changes up to 1.0
Changes in 0.1-stable
Artwork
Screenshots
Presentation slides
Wiki
OpenVZ virtualization
Packages
Owl VPS hosting
Owl in the news
This file lists the major changes made between the last released version of Owl and Owl-current. While some of the changes listed here may also be made to a stable branch, the complete lists of stable branch changes are included with those branches and as errata for the corresponding Owl releases only.

This is very far from an exhaustive list of changes. Small changes to individual packages won't be mentioned here unless they fix a security or a critical reliability problem. They are, however, mentioned in change logs for the packages themselves.

Security fixes have a "Severity" specified for the issue(s) being fixed. The three comma-separated metrics given after "Severity:" are: risk impact (low, medium, or high), attack vector (local, remote, or indirect), and whether the attack may be carried out at will (active) or not (passive). Please note that the specified risk impact is just that, it is not the overall severity, so other metrics are not factored into it. For example, a "high" impact "local, passive" issue is generally of lower overall severity than a "high" impact "remote, active" one - this is left up to our users to consider given their specific circumstances.

Per our current conventions, a Denial of Service (DoS) vulnerability is generally considered to have a "low" risk impact (even if it is a "remote, active" one, which is to be considered separately as it may make the vulnerability fairly critical under specific circumstances). Some examples of "medium" impact vulnerabilities would be persistent DoS (where the DoS effect does not go away with a (sub)system restart), data loss, bugs enabling non-critical information leaks, cryptographic signature forgeries, and/or sending of or accepting spoofed/forged network traffic (where such behavior was unexpected), as long as they would not directly allow for a "high" impact attack. Finally, a typical "high" impact vulnerability would allow for privilege escalation such as ability to execute code as another user ID than the attacker's (a "local" attack) or without "legitimately" having such an ability (a "remote" attack).

The metrics specified are generally those for a worst case scenario, however in certain cases ranges such as "none to low" or/and "local to remote" may be specified, referring to the defaults vs. a worst case yet "legitimate" custom configuration. In some complicated cases, multiple issues or attacks may be dealt with at once. When those differ in their severity metrics, we use slashes to denote the possible combinations. For example, "low/none to high, remote/local" means that we've dealt with issue(s) or attack(s) that are "low, remote" and those that are "none to high, local". In those tricky cases, we generally try to clarify the specific issue(s) and their severities in the description.

Changes made between Owl 3.0 and Owl-current.

2014/07/07	Package: glibc

Added OpenBSD 5.5+ $2b$ prefix support to crypt_blowfish (same as $2y$).

2014/07/07	Package: gnupg
SECURITY FIX	Severity: medium, local/indirect, passive

Updated to 1.4.18. Fixed since 1.4.13 are DoS via compressed data (CVE-2013-4402, CVE-2014-4617) and RSA side-channel vulnerabilities (CVE-2013-4242, CVE-2013-4576).

2014/07/07	Package: kernel
SECURITY FIX	Severity: none to high, local, active

Updated to 2.6.18-371.9.1.el5.028stab114.2, which contains security fixes for the floppy disk driver in case a /dev/fd* device is accessible to a non-trusted user (normally not the case on Owl). Added a hardening measure against the ptrace SYSRET vulnerability (CVE-2014-4699), which could allow for DoS or privilege escalation in x86_64 kernel builds running on Intel CPUs, even though RHEL5 kernels are currently understood to be unaffected. References:
http://openvz.org/Download/kernel/rhel5-testing/028stab114.2
https://rhn.redhat.com/errata/RHSA-2014-0740.html
http://www.openwall.com/lists/oss-security/2014/07/08/16
http://www.openwall.com/lists/oss-security/2014/07/08/9

2014/06/09	Package: kernel
SECURITY FIX	Severity: high, local, active

Updated to 2.6.18-371.8.1.el5.028stab113.1, which is based on RHEL 5.10, and contains numerous security fixes compared to the kernel revision we were using before. Disabled this new kernel revision's RDRAND support because it suffers from the security risks discussed after that code had been introduced into mainline kernels (in particular, get_random_bytes() could be less random under VMs). Enabled CPU frequency scaling, which is needed on some modern servers to enable Intel's Turbo Boost (enabling it in BIOS settings only is often not enough). To use it, load a module appropriate for your hardware (e.g., "modprobe acpi-cpufreq") and control the CPU frequency via sysfs (turbo is typically enabled by setting the frequency on all logical CPUs to be nominally 1 KHz higher than the CPU's highest non-turbo base frequency). References:
https://openvz.org/Download/kernel/rhel5-testing/028stab113.1
https://rhn.redhat.com/errata/RHSA-2014-0433.html
https://openvz.org/Download/kernel/rhel5/028stab112.3
https://rhn.redhat.com/errata/RHSA-2014-0285.html
https://rhn.redhat.com/errata/RHSA-2014-0108.html
https://openvz.org/Download/kernel/rhel5/028stab110.1
https://rhn.redhat.com/errata/RHSA-2013-1790.html
https://rhn.redhat.com/errata/RHSA-2013-1348.html
https://openvz.org/Download/kernel/rhel5/028stab108.1
https://rhn.redhat.com/errata/RHSA-2013-1166.html
https://openvz.org/Download/kernel/rhel5/028stab107.2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2224
https://openvz.org/Download/kernel/rhel5/028stab107.1
https://rhn.redhat.com/errata/RHSA-2013-0747.html

2014/06/08	Package: openssl
SECURITY FIX	Severity: medium, remote, passive

Updated to 1.0.0m, which includes a fix for CCS Injection vulnerability (CVE-2014-0224) and more. References:
http://www.openwall.com/lists/oss-security/2014/06/05/18
https://www.openssl.org/news/secadv_20140605.txt
http://ccsinjection.lepidum.co.jp

2013/04/20 -
2013/07/08	Package: john

Merged into the tree many changes, most of them sponsored by Rapid7 under their Magnificent7 program, which have ultimately resulted in John the Ripper 1.8.0 release. The code in Owl was then updated some further, up to version 1.8.0.2. Reference:
http://www.openwall.com/lists/announce/2013/05/30/1

2013/06/05	Package: strace

Updated to 4.8.

2013/04/24	Package: passwdqc

Updated to 1.3.0.

2013/04/07	Package: kernel

Updated to 2.6.18-348.3.1.el5.028stab106.2. The only change from our previous kernel revision is OpenVZ's minor bugfix in NFS client code. Reference:
https://openvz.org/Download/kernel/rhel5/028stab106.2

2013/03/19	Package: kernel
SECURITY FIX	Severity: high, local/indirect, active/passive

Updated to 2.6.18-348.3.1.el5.028stab106.1. The corresponding RHEL5 kernel updates fix a number of vulnerabilities, CVE IDs for the relevant ones of which are referenced below. Most importantly, this fixes a PTRACE_SETREGS vs. process death race condition (CVE-2013-0871), which could allow a non-privileged local user to execute arbitrary code in the kernel and thus escalate their privileges to root, escape from an OpenVZ container, etc. (However, the risk probability might have been low due to the race being difficult to win.) References:
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab106.1
https://rhn.redhat.com/errata/RHSA-2013-0621.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0871
http://www.openwall.com/lists/oss-security/2013/02/15/16
https://rhn.redhat.com/errata/RHSA-2013-0594.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3400
http://www.openwall.com/lists/oss-security/2012/07/03/1
https://rhn.redhat.com/errata/RHSA-2013-0168.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1568
http://www.openwall.com/lists/oss-security/2012/03/20/4
https://rhn.redhat.com/errata/RHBA-2013-0006.html
https://rhn.redhat.com/errata/RHSA-2012-1540.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4508
http://www.openwall.com/lists/oss-security/2012/10/25/1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3552
http://www.openwall.com/lists/oss-security/2012/08/31/11

2013/02/23	Package: glibc

Backported a fix for a TLS handling bug that manifested itself as an assertion failure on startup of some third-party program binaries, as reproduced with Mozilla's build of Firefox 17.0.1:
http://www.openwall.com/lists/owl-dev/2013/02/23/2

2013/02/22	Package: gnupg
SECURITY FIX	Severity: medium, indirect, passive

Updated to 1.4.13. This version fixes a memory corruption bug (CVE-2012-6085). The bug allowed an attacker to crash gpg(1) and corrupt the public keyring database file. Arbitrary code execution was not possible because the attacker cannot control the corrupted data. The corrupted data is stored in the keyring file, so the DoS effect is persistent, but the keyring can be manually restored by recovering from the pubring.gpg~ backup file (which is created by gpg(1) itself). References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6085
https://bugzilla.redhat.com/show_bug.cgi?id=891142
http://www.openwall.com/lists/oss-security/2013/01/01/6

2013/02/22	Package: kernel
SECURITY FIX	Severity: none to low, local/indirect, active/passive

Updated to 2.6.18-308.20.1.el5.028stab104.3. Enabled CONFIG_EFI_PARTITION=y (GUID Partition Table (GPT) support) and CONFIG_SOUND=m (the sound card driver subsystem) with the same set of drivers as in RHEL5. The corresponding RHEL5 kernel updates fix a divide-by-zero flaw in the ext4 filesystem code (CVE-2012-2100), which could be triggered via a corrupted ext4 filesystem. This is only a security issue if untrusted users are permitted to mount filesystems or/and when mounting filesystems from untrusted sources; other and worse attacks are likely possible in those cases, thereby making this one fix relatively unimportant. Red Hat has also fixed a flaw in the dl2k driver (CVE-2012-2313), which is not included in our kernel builds. References:
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab104.3
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab104.2
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab104.1
https://rhn.redhat.com/errata/RHSA-2012-1445.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2100
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab103.1
https://rhn.redhat.com/errata/RHSA-2012-1174.html

2012/08/18	Package: openssl
SECURITY FIX	Severity: none to medium, remote, passive to active

Updated to 1.0.0j. This release corrects a buffer over-read flaw in the handling of CBC mode ciphersuites in DTLS. No DTLS-using programs are included in Owl, so it'd take a third-party program to make this flaw actually triggerable on Owl. References:
https://www.openssl.org/news/secadv_20120510.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2333

2012/08/18	Package: xinetd
SECURITY FIX	Severity: none to medium, remote, active

Updated to 2.3.15, which corrects an access control bypass vulnerability in the normally disabled tcpmux service. References:
http://www.openwall.com/lists/oss-security/2012/05/09/5
https://bugzilla.redhat.com/show_bug.cgi?id=790940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0862

2012/08/18	Package: kernel
SECURITY FIX	Severity: low, local, active

Updated to 2.6.18-308.11.1.el5.028stab102.1. The corresponding RHEL5 kernel update fixes a flaw in the epoll subsystem, which could be used for a local DoS attack. Other security flaws reported as fixed in the release notes referenced below do not affect Owl's builds of the kernel (they're in Xen and extended taskstats functionality, which we do not include). References:
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab102.1
https://rhn.redhat.com/errata/RHSA-2012-1061.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3375
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab101.1

2012/08/14	Package: glibc

Corrected the processing of '\x80' characters in extended DES-based crypt(3) hashes. A related issue affecting traditional DES-based crypt(3) hashes is known as CVE-2012-2143 in other projects using the same FreeSec code, but luckily in Owl we've been using this code only for the extended hashes (continuing to use upstream glibc's UFC-crypt for traditional ones), and these were only affected in terms of compatibility (with BSD/OS and certain other implementations), but not security. Hence, this is not a security fix.

2012/08/14	Package: slang

Dropped S-Lang from Owl. We never made use of it in Owl itself.

2012/08/14	Package: binutils

Updated to 2.23.51.0.1.

2012/07/23	Package: tcsh

Updated to 6.18.01.

2012/05/12	Package: binutils

Updated to 2.22.52.0.1.

2012/05/08	Package: syslinux

Updated to 4.05.

2012/05/08	Package: lftp

Updated to 4.3.6. Corrected an assertion failure with torrent peer id generation when the lftp PID is above 65535. Added a patch proposed by upstream to always obtain and report exact file timestamps.

2012/05/06	Package: openssl
SECURITY FIX	Severity: medium/high, remote/indirect, active/passive

Updated to 1.0.0i, which corrects numerous vulnerabilities discovered since 1.0.0d (the version we had in Owl-current before). The attack vectors and worst case impact of these vulnerabilities vary. The ASN1 BIO vulnerability (CVE-2012-2110) discovered by Tavis Ormandy of Google Security Team and patched specifically in the 1.0.0i release in April potentially allows for arbitrary code execution, but is not triggerable via OpenSSL's SSL/TLS code, whereas worst case impact of other vulnerabilities corrected with this update is lower. References:
https://www.openssl.org/news/secadv_20120419.txt
http://lists.openwall.net/full-disclosure/2012/04/19/4
http://www.openwall.com/lists/oss-security/2012/04/22/2
http://www.openwall.com/lists/oss-security/2012/04/22/3
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110
https://www.openssl.org/news/secadv_20120312.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0884
https://www.openssl.org/news/secadv_20120104.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4108
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619
https://www.openssl.org/news/secadv_20110906.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3207

2012/05/06	Package: kernel
SECURITY FIX	Severity: low to high, local, active

Updated to 2.6.18-308.4.1.el5.028stab100.2, which includes a fix for excessive in-kernel CPU time consumption when creating large nested epoll structures (CVE-2011-1083) as reported by Nelson Elhage. Corrected an Owl-specific mm (memory) leak and a reference count overflow possibility (with non-obvious impact) that was inadvertently introduced in 2.6.18-274.18.1.el5.028stab098.1.owl1 and which could be triggered on i686 (not x86_64) on read attempts from /proc/<pid>/*maps by other than the same program instance that opened these special files. Reverted the dmesg_restrict sysctl tri-state feature in favor of the approach taken by OpenVZ. References:
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab100.2
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab099.4
http://wiki.openvz.org/Download/kernel/rhel5/028stab099.3
https://rhn.redhat.com/errata/RHSA-2012-0150.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1083
http://www.openwall.com/lists/oss-security/2011/03/02/1
http://www.openwall.com/lists/oss-security/2011/03/02/2
https://bugzilla.openvz.org/show_bug.cgi?id=2197

2012/05/02	Package: strace

Updated to 4.7.

2012/04/22	Package: hdparm

Updated to 9.39, added packaging of the wiper.sh script (SSD trimming).

2012/03/03	Package: gcc

Updated to 4.6.3.

2012/02/25	Package: kernel
SECURITY FIX	Severity: low/low to high, remote/local, active

Updated to 2.6.18-274.18.1.el5.028stab098.1, which fixes an IGMP remote DoS over LAN (CVE-2012-0207), two ext4 filesystem local DoS flaws (CVE-2011-3638, CVE-2011-4086), and a flaw in handling of robust list pointers of user-space held futexes across execve(2) calls (CVE-2012-0028), which could be used for privilege escalation via a SUID/SGID program that is multi-threaded or/and has a memory-mapped device, file, or shared memory segment (Owl does not include such SUID/SGID programs). Introduced the previously missed RLIMIT_NPROC check into fs/compat.c: compat_do_execve() (used by 32-bit program binaries on 64-bit kernel). Introduced protection against unintended self-read by a SUID/SGID program of /proc/<pid>/mem and /proc/<pid>/*maps files, based on approaches taken in recent grsecurity patches. Made the kernel.dmesg_restrict sysctl tri-state and container-aware. Enabled CONFIG_NFSD=m, CONFIG_CIFS=m, CONFIG_NET_SCHED=y, CONFIG_NET_RADIO=y, CONFIG_PCCARD=m and lots of WiFi drivers as modules. References:
http://wiki.openvz.org/Download/kernel/rhel5/028stab098.1
https://rhn.redhat.com/errata/RHSA-2012-0107.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0207
http://womble.decadent.org.uk/blog/igmp-denial-of-service-in-linux-cve-2012-0207.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=654876
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3638
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0028
http://www.openwall.com/lists/oss-security/2012/01/04/18
http://www.openwall.com/lists/oss-security/2012/05/08/1
https://bugzilla.redhat.com/show_bug.cgi?id=771764
http://www.openwall.com/lists/oss-security/2012/02/08/2

2012/02/18	Package: glibc

Enabled building of UTF-8 locales by default (adds 6.5 MB to glibc .rpm package size and 36 MB to installed system size on a filesystem with 4 KB blocks, unfortunately).

2012/02/12 -
2012/02/18	Package: gcc; Owl/build/.rpmmacros

Enabled -Wl,-z,relro and -Wl,-z,now by default as a security hardening measure, rebuilt all packages. In most cases the performance impact is non-existent or negligible. To disable these options (for whatever reason), pass -Wl,-z,norelro and -Wl,-z,lazy to gcc, respectively. Note: ld(1) still uses -z norelro and -z lazy by default; only gcc's defaults are changed. (We already had -Wl,-z,relro in Owl/build/.rpmmacros since 2011/11/04; now that change is reverted in favor of gcc's change of default, and we've also added -Wl,-z,now.) References:
http://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only/
http://tk-blog.blogspot.com/2009/02/relro-not-so-well-known-memory.html

2012/01/25	Package: kernel
SECURITY FIX	Severity: low to high, local, active

Updated to 2.6.18-274.17.1.el5.028stab097.1. Of the security issues mentioned in the Red Hat advisory referenced below, 5 are relevant to Owl's build of the kernel. Their relevance to and impact on specific Owl installs varies. Specifically, access to some /proc/<pid>/* special files was not revoked on invocation of a SUID/SGID program, which allowed for an ASLR bypass (easier exploitation of certain kinds of other security flaws if present) as well as for an additional and unintended way to interact with the program (e.g. causing it to fail with a file lock held). Since Owl does not have any SUID binaries by default (only having some SGIDs), the impact of this flaw on default installs of Owl was greatly reduced. The remaining 4 flaws fixed with this update are either reliably known or currently understood to be limited to local denial of service (DoS), one of them requires that a specially-crafted corrupted ext3 or ext4 filesystem be mounted, and two are in the NFS client and thus require an NFS mount to be present and accessible to a local attacker. Please refer to the CVE IDs and other references below for more detail. References:
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab097.1
https://rhn.redhat.com/errata/RHSA-2012-0007.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1020
http://www.halfdog.net/Security/2011/SuidBinariesAndProcInterface/
http://lists.openwall.net/linux-kernel/2011/02/07/416
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3637
http://www.openwall.com/lists/oss-security/2012/02/06/1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4132
http://www.openwall.com/lists/oss-security/2012/02/06/2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4324
http://www.openwall.com/lists/oss-security/2012/02/06/3
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4325
http://www.openwall.com/lists/oss-security/2012/02/06/4

2011/12/27	Package: kernel
SECURITY FIX	Severity: medium, local, passive

Updated to 2.6.18-274.12.1.el5.028stab096.1, enabled build of the VIA Rhine NIC driver (as a module). Although the corresponding RHEL update fixed multiple vulnerabilities, only the taskstats io infoleak (CVE-2011-2494) is relevant to Owl kernel builds. References:
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab096.1
https://rhn.redhat.com/errata/RHSA-2011-1479.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2494
http://www.openwall.com/lists/oss-security/2011/06/24/6
http://www.openwall.com/lists/oss-security/2011/09/21/1

2011/12/27	Package: hardlink

Fixed a bug in a code path triggered on error.

2011/11/27	Package: kernel
SECURITY FIX	Severity: low to medium, local/remote, active

Updated to -274.7.1.el5.028stab095.1, which contains fixes for multiple local and remote DoS vulnerabilities, including via triggering an ext4 filesystem implementation bug with writes into the last block of a file in certain special circumstances, mremap(2) syscall, receiving of a specially crafted packet when GRO is enabled, receiving of a specially crafted packet on a bridge device, and via clock_gettime(2) syscall. This kernel revision also improves the randomness of IPv4 sequence numbers by moving from a 24-bit random component generated using MD4 plus a timer-based component to the full 32-bit numbers generated using MD5. Owl is not affected by the rest of vulnerabilities reported in the referenced Red Hat advisory as we don't build the corresponding components. Also included with this update is an OpenVZ fix of "loosing socket permissions in /dev with udev+tmpfs during CT restore (live migration)", which may be relevant to certain non-Owl OpenVZ containers being live-migrated on Owl host systems. Finally, we've changed the default for CONFIG_PCNET32 from =m to =y for ease of use under VMware, which emulates NIC of this type by default. References:
http://wiki.openvz.org/Download/kernel/rhel5/028stab095.1
https://rhn.redhat.com/errata/RHSA-2011-1386.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2695
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2696
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2723
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2942
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3188

2011/11/23	Package: john

John the Ripper has been enhanced in numerous ways, most notably gaining OpenMP parallelization for more hash types, resulting in its 1.7.9 release, which is also part of Owl (as usual). The Owl package of John the Ripper now actually has OpenMP parallelization and support for Intel AVX and AMD XOP enabled due to our move to GCC 4.6.x. It also includes transparent fallback to non-OpenMP and/or pre-AVX program binaries when the thread count would be 1 (such as because the system only has one logical CPU) or when running on a CPU not supporting AVX, respectively. Reference:
http://www.openwall.com/lists/john-users/2011/11/23/2

2011/10/29	Packages: syslinux, owl-cdrom; Owl/build/*

Packaged SYSLINUX - a collection of boot loaders - and moved from LILO to ISOLINUX for the ISO-9660 images generated by "make iso".

2011/10/29	Package: gcc

Updated to 4.6.2.

2011/10/26	Package: tzdata

Updated to 2011m.

2011/10/26	Package: owl-startup

Added VLAN support (patch by Piotr Meyer).

2011/10/24	Package: pam
SECURITY FIX	Severity: none to high, local, active

Applied upstream fixes for two vulnerabilities in pam_env. This module is not in use on default installs of Owl, and it never was, hence there was no impact for default installs. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3148
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3149

2011/10/24	Packages: gcc, gmp, libmpc, mpfr

Updated GCC to 4.6.1. Packaged GMP, MPC, and MPFR - arbitrary precision arithmetic libraries, which are required by the new GCC version.

2011/10/15	Package: tzdata

Updated to 2011l. Reduced installed package size via use of hardlinks.

2011/10/15	Package: hardlink

New package: a program to consolidate duplicate files via hardlinks.

2011/10/10	Package: rpm
SECURITY FIX	Severity: high, indirect, passive

Applied a fix for crash and potential arbitrary code execution when processing a malformed/malicious package file. Although an RPM package can, by design, execute arbitrary code when installed or even during installation, this issue would potentially allow a specially-crafted RPM package to execute arbitrary code when the package metadata is merely queried, including for digital signature verification. Note that for Owl RPM packages we do not rely on RPM's support for signatures; instead, we sign *.mtree files. Please continue to verify detached GnuPG signatures that we provide for such files with gpg(1), and then verify RPM package files against the message digests found in *.mtree files with mtree(8) (both of these tools are part of Owl). This kind of verification was unaffected by this RPM issue. Please note that use of RPM on untrusted package files, even if just to verify a signature, remains risky despite of this recent fix: RPM package format and processing are complicated, so further issues of this kind are likely. References:
http://www.openwall.com/lists/oss-security/2011/09/27/3
https://rhn.redhat.com/errata/RHSA-2011-1349.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3378

2011/10/10	Package: SysVinit

Applied a patch to set the shell name to /bin/bash, not /bin/sh, such that colored ls output is enabled on our LiveCD.

2011/10/09	Packages: kernel, vzctl
SECURITY FIX	Severity: low, local, active

Updated the kernel to 2.6.18-274.3.1.el5.028stab094.3 (OpenVZ's latest stable from their RHEL 5 based branch, now rebased on RHEL 5.7's). Restricted permissions on /proc/slabinfo as a security hardening measure. Moved some OpenVZ features to modules like it is done in OpenVZ's official kernel builds. Changed CONFIG_UDF_FS=y to =m. Changed CONFIG_BLK_DEV_CRYPTOLOOP and most CONFIG_CRYPTO_* from =y to =m. On x86_64, changed CONFIG_PCNET32 and CONFIG_FORCEDETH (these are some of the 100 Mbps NIC drivers) from =y to =m. Of the 100 Mbps NIC drivers, we're leaving only those for Intel, Realtek, and NE2000-compatible PCI NICs built into the kernel on x86_64 now. Set CONFIG_SCSI_AIC94XX=y and CONFIG_BLK_CPQ_CISS_DA=y (the latter was already =y on i686, now it is =y on x86_64 as well). Although we reference two Red Hat security advisories below, none of the worse than local DoS issues listed in those advisories affect our previous kernel builds, either because we do not build the affected components, or in case of CVE-2011-2495 because we already had the permissions on /proc/PID/io restricted before Owl 3.0 release. References:
http://wiki.openvz.org/Download/kernel/rhel5/028stab094.3
https://rhn.redhat.com/errata/RHSA-2011-1212.html
http://wiki.openvz.org/Download/kernel/rhel5/028stab093.2
https://rhn.redhat.com/errata/RHSA-2011-1065.html
http://www.openwall.com/lists/kernel-hardening/2011/09/27/3

2011/10/09	Packages: tzdata, glibc; Owl/build/installorder.conf

Moved timezone data files from glibc to new package tzdata, updated it to version 2011k.

2011/09/07	Owl/build/{install*.sh,installorder.conf}

Support for optional package tags has been added to installorder.conf and made use of in install*.sh scripts. Currently supported are: "D:" - CD only; "d:" - exclude from CD; "E:" - exclude from CD and OpenVZ container templates; "H:" - host only (exclude from OpenVZ container templates).

2011/09/07	Package: owl-etc

Added /etc/owl-release (with "Owl-current post-3.0" in it).

2011/09/07	Package: owl-dev

Create /dev/sd* devices for 16 disks, not just 8 like we did before.

2011/07/27	Package: kernel
SECURITY FIX	Severity: none to high, local, active

Updated to 2.6.18-238.19.1.el5.028stab092.2. Enabled CONFIG_BONDING=m in both i686 and x86_64 kernels, enabled CONFIG_BLK_CPQ_CISS_DA=m in the x86_64 kernel (i686 already had it at "=y"). Applied a patch adding limited support for LSISAS8208ELP (PCI device id 0x0059), which provides access to individual hard drives. Moved the RLIMIT_NPROC check from set_user() to execve(2) and adjusted set_user() so that it can't fail. These changes were desirable to address missing setuid(2) return value check vulnerabilities in user-space programs. References:
http://wiki.openvz.org/Download/kernel/rhel5/028stab092.2
http://wiki.openvz.org/Download/kernel/rhel5/028stab091.1
https://rhn.redhat.com/errata/RHSA-2011-0927.html
https://rhn.redhat.com/errata/RHSA-2011-0833.html
https://bugs.gentoo.org/show_bug.cgi?id=325805
https://bugs.gentoo.org/attachment.cgi?id=236721
http://forums.gentoo.org/viewtopic-t-731366.html
http://www.openwall.com/lists/kernel-hardening/2011/07/12/1

2011/07/25	Package: rpm
SECURITY FIX	Severity: none to high, local, passive

Added a patch to remove unsafe file permissions (chmod'ing files to 0) on package removal or upgrade to prevent continued access to such files via hard-links possibly created by a user. References:
http://www.openwall.com/lists/oss-security/2011/07/25/1
http://www.openwall.com/lists/oss-security/2010/06/02/2
https://bugzilla.redhat.com/show_bug.cgi?id=125517
https://bugzilla.redhat.com/show_bug.cgi?id=598775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4889
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2059

2011/06/21 -
2011/07/17	Packages: glibc, pam, shadow-utils, tcb
SECURITY FIX	Severity: high, remote, active

crypt_blowfish has been updated to version 1.1 (and then to 1.2), which fixes the 8-bit character handling bug and adds 8-bit test vectors and a quick self-test on every password hash computation. The impact of this bug was that most (but not all) passwords containing non-ASCII characters with the 8th bit set were hashed incorrectly, resulting in password hashes incompatible with those of OpenBSD's original implementation of bcrypt. What's worse, in some cases (but not in all) one, two, or three characters immediately preceding the 8-bit characters were ignored by the password hash computation. Thus, many passwords containing characters with the 8th bit set were significantly easier to crack than it was previously expected. This primarily applies to offline attacks against the password hashes (if the hashes are leaked or stolen), but in rare extreme cases it might also apply to remote password guessing attacks. In practice, passwords with non-ASCII characters are relatively uncommon and are typically more complicated than average, so they're unlikely to be an attractive target for attacks, despite of the weakness that this bug exposes them to. Yet the risk is there. With this glibc update, existing users' passwords containing characters with the 8th bit set will mostly stop working, because the hashes will be computed correctly and not match the incorrectly computed hashes recorded in the system. In order to allow users to log in after the upgrade even if they have a potentially affected password, the newly introduced backwards compatibility hash encoding prefix of "$2x$" may be used. Such password hashes should only be used during a transition period; when passwords are changed and hashed using the correct algorithm, another newly introduced "$2y$" prefix is used. After installation of this glibc update, login services such as sshd(8) should be restarted ("service sshd restart" and so on) in order for users' newly changed passwords (with the "$2y$" prefix on the hash encodings) to be recognized. References:
http://www.openwall.com/lists/announce/2011/06/21/1
http://www.openwall.com/lists/oss-security/2011/06/24/1
http://www.openwall.com/lists/oss-security/2011/06/29/16
http://www.openwall.com/lists/john-dev/2011/07/06/15
http://www.openwall.com/lists/oss-security/2011/07/07/9
http://www.openwall.com/lists/oss-security/2011/07/08/1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2483

2011/06/22	Package: john

In an effort sponsored by Rapid7, the bitslice DES S-box expressions have been replaced with those generated by Roman Rusakov specifically for John the Ripper. The corresponding assembly code for x86 with MMX, SSE2, and for x86-64 with SSE2 has been re-generated. Support for bcrypt hashes of passwords containing characters with the 8th bit set has been corrected. (The old buggy behavior may be enabled per-hash, using the "$2x$" prefix.) The external mode virtual machine's performance has been improved. This update of John the Ripper has also been released separately from Owl as version 1.7.8. References:
http://www.openwall.com/lists/john-users/2011/06/22/1
http://www.rapid7.com

2011/06/09	Package: lilo

Updated to 23.2.

2011/05/03	Package: kernel
SECURITY FIX	Severity: none to low, local, active

Updated to 2.6.18-238.9.1.el5.028stab089.1. This fixes obscure security issues: kernel panic by unprivileged user via NFSv4 (CVE-2011-1090) and NULL pointer dereference in GRO code (CVE-2011-1478). It fixes non-security issues with page tables accounting, AMD Bulldozer boot process, OOM killer, and CPU stats bugs. It also introduces numerous features. References:
http://wiki.openvz.org/Download/kernel/rhel5/028stab089.1
http://wiki.openvz.org/Download/kernel/rhel5/028stab085.5
https://rhn.redhat.com/errata/RHSA-2011-0429.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1090
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1478

2011/05/03	Package: rpm

Fixed a regression in %patch introduced in the previous release. Thanks to Chris Bopp for reporting the bug. Reference:
http://www.openwall.com/lists/owl-dev/2011/05/02/1

2011/05/03	Package: iproute2

Updated to 2.6.38.

2011/05/03	Package: iputils

Updated to s20101006.

2011/04/27	Package: john

Made numerous enhancements to John the Ripper, resulting in its 1.7.7 release, which is also part of Owl (as usual). Reference:
http://www.openwall.com/lists/john-users/2011/04/28/1

2011/04/02	Package: kernel

Updated to 2.6.18-238.5.1.el5.028stab085.3, which is now marked as "RHEL5 stable". This fixes a kernel Oops caused by nfsd. Also fixed an Owl-specific x86_64 gettimeofday(2) VDSO issue, which manifested itself in some 64-bit programs inside containers with some Linux distributions (not Owl) crashing with SIGSEGV. The issue was new with -238 kernels (thus, it was not present in Owl 3.0, nor in 3.0-stable). References:
http://wiki.openvz.org/Download/kernel/rhel5/028stab085.3
https://bugzilla.openvz.org/show_bug.cgi?id=1815

2011/03/21	Package: kernel
SECURITY FIX	Severity: none to medium, local, active

Backported fixes for information leaks in Netfilter modules: arp_tables (CVE-2011-1170), ip_tables (CVE-2011-1171), ip6_tables (CVE-2011-1172), and ipt_CLUSTERIP. One must have CAP_NET_ADMIN to exploit these issues (e.g. in-container root may trigger the leak). The default Owl installation is vulnerable to the infoleak in ip_tables only as we don't ship other Netfilter modules nor have IPv6 enabled. References:
http://www.openwall.com/lists/oss-security/2011/03/18/15
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1170
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1171
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1172

2011/03/17	Package: nmap

Updated to 5.51.

2011/03/15	Package: strace

Updated to 4.6.

2011/03/14	Package: iptables

Changed the default for IPTABLES_STATUS_ARGS to "-nv". Most importantly, this disables the (risky and slow) reverse DNS lookups with "service iptables status".

2011/03/12	Package: kernel
SECURITY FIX	Severity: low, local/remote, active

Updated the kernel to OpenVZ's latest from their "RHEL5 testing" branch (238.5.1.el5.028stab085.2) fixing a rare kernel panic with sysfs virtualization, a potential livelock in dirty pages balancing, and a bug in CFQ. The new RHEL5 kernel revision that this OpenVZ kernel is based on fixes a flaw in the garbage collector for AF_UNIX sockets (CVE-2010-4249, local DoS) and a flaw in handling of received packets exceeding the buffer limit (CVE-2010-4251, remote DoS). (It also includes a fix for CVE-2010-4655, but it was already included in our 2011/01/28 update.) Fixed an Owl-current specific bug in checksum calculation of fragmented ICMP echo request datagrams (reported by Piotr Meyer). Disabled the eepro100 driver in favor of e100. References:
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab085.2
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab085.1
https://rhn.redhat.com/errata/RHSA-2011-0303.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4249
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4251
http://www.openwall.com/lists/owl-users/2011/03/06/1
http://www.openwall.com/lists/owl-users/2011/03/05/3

2011/03/02	Package: vsftpd
SECURITY FIX	Severity: none to low, remote, active

Updated to 2.3.4. This release corrects a DoS vulnerability discovered by Maksymilian Arciemowicz where an attacker permitted to login to an FTP server would be able to cause the vsftpd child process(es) spawned for their session(s) to consume excessive amounts of CPU time. If the attack is carried out on a sufficient number of FTP sessions (possibly from multiple source IP addresses to exceed a possible per-source limit), the FTP service would become unavailable and other services of the system would be greatly impacted. References:
http://securityreason.com/achievement_securityalert/95
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0762

2011/02/24	Packages: openssl, openssh

Updated OpenSSL to 1.0.0d.

2011/02/18	Package: patchutils

Updated to 0.3.2.

2011/02/10	Package: kernel

Updated the kernel to OpenVZ's latest from their "RHEL5 testing" branch (238.1.1.el5.028stab084.3), which includes updated fix for the x86_64 VDSO bug (the fix in 028stab084.1 was incomplete) and fix for optimized kmem accounting bug. Enabled Ethernet bridge support, PPP_MPPE, and ULOG netfilter target. For more info, see the changelog for the kernel package. References:
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab084.3
https://bugzilla.openvz.org/show_bug.cgi?id=1762

2011/02/09	Package: patch
SECURITY FIX	Severity: high, indirect, passive

Backported a fix for CVE-2010-4651. The patch utility allowed ".." in pathnames, and it also allowed absolute pathnames, either of which could allow an attacker to create or modify arbitrary files outside of the intended directory tree using a specially-crafted patch file. Our partial fix of 2011/02/02 did not address the absolute pathname case. References:
https://bugzilla.redhat.com/show_bug.cgi?id=667529
http://www.openwall.com/lists/oss-security/2011/01/05/10
http://lists.gnu.org/archive/html/bug-patch/2010-12/msg00000.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4651

2011/02/05	Packages: usb_modeswitch, usb_modeswitch-data

New packages: usb_modeswitch is a mode switching tool for controlling "flip flop" (multiple device) USB gear. usb_modeswitch-data contains the data files for usb_modeswitch.

2011/02/05	Package: libusb-compat

New package: libusb-compat is a compatibility layer allowing applications written for libusb-0.1 to work with libusb-1.0. It is needed for usb_modeswitch.

2011/02/05	Package: kernel

Updated to upstream's "fixed fix for paging accounting". The incomplete fix introduced with our 2011/02/04 update could have caused trouble with 32-bit x86 kernels. Reference:
https://bugzilla.openvz.org/show_bug.cgi?id=1760

2011/02/05	Package: shadow-utils

Added USERNAME_RELAXED and GROUPNAME_RELAXED options to /etc/login.defs, which, if changed to "yes", will allow capital letters to be used in new usernames and/or group names, respectively.

2011/02/04	Package: kernel

Updated the kernel to OpenVZ's latest from their "RHEL5 testing" branch (238.1.1.el5.028stab084.1), which includes updated atl1 driver (Attansic L1 Gigabit Ethernet). Enabled VDSO on x86_64 (the actual bug was believed to be fixed in 028stab084.1). Applied upstream's initial "fix for non-4levels page tables acct" (the bug was introduced in 084.1, so we did not have it before). References:
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab084.1
https://bugzilla.openvz.org/show_bug.cgi?id=1760

2011/02/02	Package: patch

Backported a partial fix for CVE-2010-4651. Since the fix turned out to be incomplete, this change is not actually fixing CVE-2010-4651 yet.

2011/01/31 -
2011/02/01	Packages: kernel, iputils, owl-etc, owl-startup

Added support for non-raw ICMP sockets to the kernel and made use of said support in ping(1). References:
http://lwn.net/Articles/420799/
http://openwall.info/wiki/people/segoon/ping

2011/01/30	Package: vconfig

New package: vconfig is a user mode program to add and remove 802.1q VLAN virtual devices from Ethernet devices.

2011/01/29	Package: kernel

Dealt with two known critical x86_64 specific bugs introduced in 2.6.18-238.1.1.el5.028stab083.1, applying a fix for one of them (bootup on systems with more than 8 logical CPUs) and working around the other (VDSO, which is now temporarily disabled on x86_64, to be re-enabled with the next kernel update). Reference:
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab083.1

2011/01/29	Package: nmap

Updated to 5.50.

2011/01/28	Package: usbutils

New package: usbutils contains the lsusb utility for inspecting the devices connected to the USB bus.

2011/01/28	Package: libusb1

New package: libusb is a library providing access to USB devices.

2011/01/28	Package: kernel
SECURITY FIX	Severity: none to medium, local, active

Updated to OpenVZ's 2.6.18-238.1.1.el5.028stab083.1. Fixed a potential information leak in net/core/ethtool.c: ethtool_get_regs() - this was the portion of CVE-2010-4655 relevant to RHEL5 kernels. According to our analysis, this issue did not affect installs with default OpenVZ container settings, but it could affect systems where a network device was passed into an OpenVZ container by an administrator. Made numerous kernel configuration changes (enabled extra drivers, moved some to modules), documented the changes (and the rationale behind them) in the change log for the kernel package. (The important and relevant ones of the security fixes described in the Red Hat security advisories referenced below were already included in our previous kernel revision (in Owl 3.0) with our own backports from a "testing" Red Hat kernel.) References:
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab083.1
https://rhn.redhat.com/errata/RHSA-2011-0163.html
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab082.1
https://rhn.redhat.com/errata/RHSA-2011-0004.html
http://www.openwall.com/lists/oss-security/2011/01/28/1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4655

2011/01/27	Package: bridge-utils

New package: bridge-utils is a tool for configuring the Linux Ethernet bridge.

2011/01/27	Package: pv

New package: PV ("Pipe Viewer") is a tool for monitoring the progress of data through a pipeline.

2011/01/27	Package: ethtool

New package: ethtool is an utility for controlling network drivers and hardware, particularly for wired Ethernet devices.

2011/01/25	Package: e2fsprogs

Updated to 1.41.14.

2011/01/24	Package: owl-startup

Added "-s 131072" to the dmesg invocation in rc.sysinit. Without this change, /var/run/dmesg.boot was often incomplete.

2011/01/24	Package: lilo

Updated to 23.1.

2011/01/24	Package: vim

Moved a few syntax highlighting related files from the vim-syntax to the vim-enhanced subpackage to correct a packaging error where some files in vim-enhanced were dependent upon files from vim-syntax, which is not installed by default.

$Owl: Owl/doc/CHANGES-current,v 1.126 2014/07/09 09:29:54 solar Exp $

Powered by Openwall GNU/*/Linux - Powered by OpenVZ