| Openwall Project | /home Owl JtR Pro crypt pam_passwdqc tcb phpass scanlogd popa3d msulogin / Linux BIND / advisories presentations / services donations / wordlists passwords / news community lists wiki CVSweb mirrors signatures | |
| bringing security into open environments | ||
|
|
Owl homepage
Other languages:
Concepts
Purchase CDs
Change logs: |
This file lists the major changes made between the last released
version of Owl and Owl-current. While some of the changes listed here
may also be made to a stable branch, the complete lists of stable
branch changes are included with those branches and as errata for the
corresponding Owl releases only.
This is very far from an exhaustive list of changes. Small changes to individual packages won't be mentioned here unless they fix a security or a critical reliability problem. They are, however, mentioned in change logs for the packages themselves. Security fixes have a "Severity" specified for the issue(s) being fixed. The three comma-separated metrics given after "Severity:" are: risk impact (low, medium, or high), attack vector (local, remote, or indirect), and whether the attack may be carried out at will (active) or not (passive). Please note that the specified risk impact is just that, it is not the overall severity, so other metrics are not factored into it. For example, a "high" impact "local, passive" issue is generally of lower overall severity than a "high" impact "remote, active" one - this is left up to our users to consider given their specific circumstances. Per our current conventions, a Denial of Service (DoS) vulnerability is generally considered to have a "low" risk impact (even if it is a "remote, active" one, which is to be considered separately as it may make the vulnerability fairly critical under specific circumstances). Some examples of "medium" impact vulnerabilities would be bugs enabling non-critical information leaks, cryptographic signature forgeries, and/or sending of or accepting spoofed/forged network traffic (where such behavior was unexpected), as long as they would not directly allow for a "high" impact attack. Finally, a typical "high" impact vulnerability would allow for privilege escalation such as ability to execute code as another user ID than the attacker's (a "local" attack) or without "legitimately" having such an ability (a "remote" attack). The metrics specified are generally those for a worst case scenario, however in certain cases ranges such as "none to low" or/and "local to remote" may be specified, referring to the defaults vs. a worst case yet "legitimate" custom configuration. In some complicated cases, multiple issues or attacks may be dealt with at once. When those differ in their severity metrics, we use slashes to denote the possible combinations. For example, "low/none to high, remote/local" means that we've dealt with issue(s) or attack(s) that are "low, remote" and those that are "none to high, local". In those tricky cases, we generally try to clarify the specific issue(s) and their severities in the description.
Changes made between Owl 2.0 and Owl-current.
2009/11/18 Package: diffstat Updated to 1.51.
2009/11/18 Package: vsftpd Updated to 2.2.2.
2009/11/17 kernel SECURITY FIX Severity: none to high, local, active
Updated to Linux 2.4.37.7-ow1. The 2.4.37.7 kernel fixes a number of
security-related bugs.
Reference:
2009/10/25 kernel SECURITY FIX Severity: none to medium, local, active
Updated to Linux 2.4.37.6-ow1. The 2.4.37.6 kernel fixes a number of
information leak vulnerabilities. One of these was already fixed in
2.4.37.5-ow1, and the remaining ones may or may not affect specific
systems depending on both kernel and userspace configuration.
Reference:
2009/10/24 Package: xinetd Updated to 2.3.14.
2009/10/24 Package: vsftpd Updated to 2.2.1.
2009/10/21 Package: vim Updated to 7.2 patchlevel 267.
2009/10/21 Package: strace Updated to 4.5.19.
2009/10/13 Package: e2fsprogs Updated to 1.41.9.
2009/10/13 Package: cpio Updated to 2.10.90.
2009/09/28 - 2009/10/10 Packages: pam, pam_passwdqc, passwdqc; Owl/build/installorder.conf The pam_passwdqc package has been replaced with passwdqc, a new package, which includes pam_passwdqc(8) (the PAM module), libpasswdqc (a password/passphrase strength checking library), pwqcheck(1) (a standalone password/passphrase strength checking program), and pwqgen(1) (a standalone random passphrase generator program).
2009/09/23 Package: iptables Updated to 1.4.5.
2009/09/22 Package: vsftpd Updated to 2.2.0.
2009/09/09 Package: gnupg Updated to 1.4.10.
2009/09/01 -
2009/09/09 Packages: rpm, *;
Owl/build/{buildworld.conf,buildworld.sh}
Many RPM spec files have been adjusted and a new tri-state setting has been introduced into buildworld.conf to control whether the testsuites are to be run. The default is to run most tests, other possible settings are to run all of the tests (including extremely slow ones) or to disable all tests.
2009/09/07 Package: elinks Updated to 0.11.7.
2009/08/31 Package: postfix Updated to 2.4.13.
2009/08/30 Package: ed Updated to 1.4.
2009/08/30 Package: bison Updated to 2.4.1.
2009/08/28 Package: pam Updated to 1.1.0.
2009/08/25 Package: m4 Updated to 1.4.13.
2009/08/23 kernel SECURITY FIX Severity: none to high/medium, local, active
Updated to Linux 2.4.37.5-ow1. The 2.4.37.5 kernel adds a fix for the
"Linux NULL pointer dereference due to incorrect proto_ops
initializations", which on Owl was not exploitable into privilege
escalation on its own due to the vm.mmap_min_addr feature, as long as
the latter was enabled and working (there have been no known issues with
it in recent kernels). In our patched kernels, vm.mmap_min_addr is
enabled by default. Additionally, our default kernels did not include
support for any socket types via which the bug is known to be
triggerable. More importantly, Linux 2.4.37.5-ow1 adds a fix for the
sigaltstack local information leak affecting 64-bit kernel builds.
References:
2009/08/22 Package: rpm Introduced the configure-presets script, which pre-defines a bunch of autoconf variables in order to achieve more deterministic and slightly quicker builds. Most importantly, this makes the configure scripts of many other packages assume the presence of certain security-relevant interfaces (fail-close behavior) rather than auto-detect those and possibly fallback to other interfaces (fail-open behavior). The configure-presets script is automatically "sourced" before the %build section commands are invoked (including when our rpmbuild(8) is used to build third-party packages), and it may also be explicitly "sourced" for manual builds of autoconf'ed software by Owl users.
2009/08/17 Package: tar
Updated to 1.22.90, which replaces most of our error handling fixes
originally implemented in the Owl package of tar in Nov-Dec 2008 with
more elaborate changes by Sergey Poznyakoff. Dropped the
--ignore-device-id option in favor of its official name of
--no-check-device.
References:
2009/08/16 Package: findutils Updated to 4.4.2. With this update, we're switching to the find(1) implementation based around fts(3) instead of GNU find's "own" directory traversal code.
2009/08/15 Package: mktemp Updated to 1.6 with minor post-1.6 upstream changes.
2009/08/14 Package: groff SECURITY FIX Severity: none to high, local/indirect, passive
Corrected pdfroff(1) to create temporary files in a safe manner and to
invoke gs(1) (Ghostscript) with the -dSAFER option to make it treat the
input file as untrusted. pdfroff had been introduced into Owl with the
groff update on 2009/08/06. Before getting corrected, the temporary
files issue was mitigated by pdfroff's use of the TMPDIR environment
variable, which our pam_mktemp module sets to point to the user's
private directory. Additionally, for pdfroff to work and for the lack
of the -dSAFER option to come into play, one would need to install
Ghostscript first, which was not a part of Owl. Besides fixing pdfroff,
we have identified and patched numerous relatively minor temporary file
handling issues in other components of the new version of groff. Thanks
to brian m. carlson for identifying and reporting the two pdfroff issues
to Debian.
References:
2009/08/06 Package: logrotate Updated to 3.7.8.
2009/08/06 Package: groff Updated to 1.20.1.
2009/08/03 kernel
Updated to Linux 2.4.37.4-ow1. The 2.4.37.4 kernel integrates a
replacement for the "personality" hardening measure introduced in
2.4.37.3-ow1.
Reference:
2009/07/29 Package: chkconfig Updated to 1.3.42.
2009/07/28 Package: bind SECURITY FIX Severity: low, remote, active
Backported upstream fix for a remote DoS bug: by sending a specially
crafted dynamic update packet to a BIND server, a remote unauthenticated
attacker could cause the server to crash. According to the ISC and to
our own testing, this vulnerability affects servers that are masters for
one or more zones - it is not limited to those that are configured to
allow dynamic updates. Our default BIND configuration includes several
master zones, such as 127.in-addr.arpa, which are usable for the attack.
BIND's own access controls (such as the "allow-query" directive) are
ineffective against the attack.
References:
2009/07/20 kernel SECURITY FIX Severity: none to high, local to remote, active
Updated to Linux 2.4.37.3-ow1. The 2.4.37.3 kernel release adds the
"-fno-delete-null-pointer-checks" option to gcc invocations, which is
important to reduce the impact of a class of kernel bugs (which are yet
to be found and fixed individually, but are known to exist in general),
adds several security-relevant fixes to the RTL-8169 NIC driver, and
makes other assorted changes. The Linux 2.4.37.3-ow1 kernel patch
introduces an additional security hardening measure where the kernel
will no longer allow the "personality" feature (which is needed to
support some program binaries from other operating systems) to be abused
to bypass the vm.mmap_min_addr restriction via SUID-root programs with a
certain class of design errors in them. Similar changes were introduced
into 2.6.x kernels recently.
References:
2009/07/18 - 2009/07/19 Package: vsftpd
Updated to 2.2.0pre4, which officially reverts the default for "listen"
back to NO (the way we had it in Owl all the time) and implements the
"-o" option (the syntax and semantics are subtly different from what we
had in our own implementation).
Reference:
2009/07/16 - 2009/07/19 Package: nmap
Updated to 5.00 with our usual enhancements for privilege reduction and
with some post-release fixes. Enabled build of Ncat (an even more
powerful remake of the well-known netcat tool, which we previously had
represented in Owl with OpenBSD's remake) and build of Nmap with NSE
(Nmap Scripting Engine) support enabled. Ncat gets into its own binary
subpackage called "ncat" and installable independently of "nmap".
Reference:
2009/07/15 Package: dhcp SECURITY FIX Severity: none to low, remote, active
Updated to 3.0.7. Fixed the DHCP server premature termination bug when
receiving certain well-formed DHCP requests, provided that the server
configuration mixes host definitions using "dhcp-client-identifier" and
"hardware ethernet". It has not been fully researched whether the bug
had any impact on versions 3.0.x of the DHCP server, and there is a
specific reason why it might not have had any impact, yet we're fixing
the underlying bug. Discovery and patch by Christoph Biedl.
References:
2009/07/11 Package: postfix Updated to 2.4.11.
2009/07/08 Package: chkconfig Updated to 1.3.38.
2009/07/07 kernel SECURITY FIX Severity: none to high, remote, active
Updated to Linux 2.4.37.2-ow1. The 2.4.37.2 kernel release adds several
bug fixes, including security-relevant ones.
Reference:
2009/07/07 Package: openssh SECURITY FIX Severity: none to high, remote, active
Backported upstream fix for a syslog call inside a signal handler. The
security impact this issue might have had was not fully evaluated. On
Debian systems, the reported impact was processes getting stuck on locks
inside glibc. On Owl, no problems were ever reported, yet the call was
unsafe, with the worst-case impact being arbitrary code execution
(depending on processing inside glibc).
References:
2009/07/05 Package: man-pages Updated to 3.21.
2009/06/17 Package: dmidecode; Owl/build/installorder.conf New package: dmidecode reports information about x86 & x86-64 hardware as described in the system BIOS according to the SMBIOS/DMI standard.
2009/06/10 Package: pciutils; Owl/build/installorder.conf New package: pciutils contains utilities for inspecting and setting up devices connected to the PCI bus.
2009/05/27 - 2009/05/29 Package: vsftpd Updated to 2.1.1, keeping the default at listen=NO (overriding upstream's change of default). Added the new option "-o", which can be used to specify configuration settings via the command line.
2009/05/27 Package: pcre Updated to 7.9.
2009/05/25 Package: patchutils Updated to 0.3.1.
2009/05/24 kernel; Package: owl-cdrom SECURITY FIX Severity: none to high, local, active Updated to Linux 2.4.37.1-ow1. In the default kernels for x86 and x86-64, enabled SCSI generic support (as needed for CD/DVD recording), UDF filesystem support (read-only), and more SATA and NIC drivers. Linux 2.4.37.1, compared to 2.4.35-ow2, adds numerous security-relevant fixes to various kernel subsystems.
2009/05/24 Package: diffstat Updated to 1.47.
2009/05/06 - 2009/05/22 Packages: cdrkit, mkisofs, owl-dev; Owl/build/installorder.conf New package: cdrkit is a suite of programs for recording CDs and DVDs, blanking CD-RW media, creating ISO-9660 filesystem images, extracting audio CD data, and more. This obsoletes our mkisofs source package, which was directly based on cdrtools (of which cdrkit is a fork).
2009/05/21 Package: nmap Updated to 4.76.
2009/05/15 Package: libnids Updated to 1.23.
2009/05/09 Package: hdparm Updated to 9.15.
2009/05/02 Package: e2fsprogs Updated to 1.41.5.
2009/04/08 Package: tcb In the new version 1.0.3 of the tcb package, child processes spawned by pam_tcb will now always use _exit(2) rather than exit(3) to avoid triggering side effects. When changing passwords, pam_tcb will now fsync(2) the temporary file prior to renaming it over the actual shadow file, as needed on filesystems with not entirely atomic rename(2) (XFS). Thanks to Pascal Terjan of Mandriva and to Ermanno Scaglione for reporting these two issues, respectively.
2009/03/06 Package: bind
Dropped the root-delegation-only directive from the default named
configuration because the list of TLDs that are not delegation-only was
incomplete and wouldn't be maintained/updated on all installs, causing
some DNS lookups of valid records to fail.
Reference:
2009/02/06 Package: bind Dropped DNSSEC support, which is not useful on the Internet at large yet. Those who wish to experiment with DNSSEC at their own risk may set BUILD_OPENSSL to 1 and rebuild the package.
2009/01/08 Packages: openssl, bind SECURITY FIX Severity: medium, remote, passive
Backported upstream fixes for multiple OpenSSL signature verification
API misuses.
References:
2008/11/02 Package: tar Updated to 1.20.
2008/08/14 Package: postfix
Updated to 2.4.8, disabled the Solaris symlink hack that allowed local
mail deliveries through "root-owned" symlinks. Although this is a
security update for some other systems, on Owl the problem was avoided
or mitigated in several ways:
2008/08/10 Package: bind Updated to 9.3.5-P2, added an OpenBSD-derived patch to implement support for more than 1024 simultaneous recursive queries.
2006/09/13 - 2008/07/10 Package: john Many updates to John the Ripper have been made, bringing it to version 1.7.3. Most notably, two Blowfish-based crypt(3) hashes may now be computed in parallel for much better performance on x86-64 CPUs. Also, "DumbForce" and "KnownForce" external mode samples have been added to the default john.conf.
2008/07/08 Package: bind SECURITY FIX Severity: medium, remote, active
Updated to 9.3.5-P1, which additionally randomizes UDP query ports to
improve resilience to DNS cache poisoning attacks.
References:
2008/06/29 Package: vsftpd Updated to 2.0.6.
2008/05/27 Package: openssh
Implemented support for RSA/DSA key blacklisting in sshd based on
partial fingerprints, added a subpackage with blacklisted 48-bit partial
fingerprints for 1024-bit and 2048-bit RSA and 1024-bit DSA keys as
generated on vulnerable Debian, Ubuntu, and derived systems for PID
range 1 to 32767. Due to the encoding scheme used, the blacklist file
size is just 1.3 MB, which corresponds to less than 4.5 bytes per
fingerprint. This effort was supported by CivicActions. References:
2008/05/18 Package: nmap Updated to 4.62.
2008/05/10 Package: cvs Updated to 1.11.23.
2008/04/17 - 2008/04/22 Package: lilo Updated to 22.8.
2008/03/26 Package: gnupg Updated to 1.4.9.
2008/03/20 Package: findutils Updated to 4.2.33.
2008/03/20 Package: bzip2
Updated to 1.0.5. This release fixes a potential buffer over-read bug,
which allowed user-assisted remote attackers to cause a crash in libbz2
via a crafted file.
Reference:
2008/02/13 Package: pcre Updated to 7.6.
2008/02/12 Packages: pam_passwdqc, pam Applied numerous minor changes to pam_passwdqc and its default settings, including replacing its set of separator characters (used for randomly generated "passphrases") with some of those defined by RFC 3986 as being safe within "userinfo" part of URLs without encoding, reducing the default minimum length for passphrases from 12 to 11, and corrections to the documentation.
2008/01/15 Package: tar Added a new option: --ignore-device-id, to be used when creating incremental dumps off filesystems with volatile device numbers, such as OpenVZ simfs.
2008/01/04 Package: hdparm Updated to 7.7.
2008/01/01 Package: gnupg Updated to 1.4.8.
2008/01/01 Package: e2fsprogs Updated to 1.40.4.
2007/12/16 Package: postfix Updated to 2.4.6.
2007/12/06 Package: e2fsprogs
Applied upstream patch to fix integer overflows in libext2fs.
This addresses a potential vulnerability where an untrusted filesystem
can be corrupted on purpose in such a way that a program using libext2fs
will allocate a buffer that is far too small. This can lead to either a
crash or potentially a heap-based buffer overflow.
Thanks to Rafal Wojtczuk of McAfee Avert Labs for reporting this issue.
Reference:
2007/12/05 Package: gettext Updated to 0.14.6.
2007/11/19 Package: findutils Updated to 4.2.31.
2007/11/18 Package: ltrace Updated to 0.5.
2007/11/18 Package: elfutils-libelf Updated to 0.131.
2007/11/15 Package: e2fsprogs Updated to 1.40.2.
2007/10/24 - 2007/11/05 Package: sysklogd Implemented logging of the sending user ID (when non-zero) and of the sending process ID (when different from the reported one) for syslog messages arriving via Unix domain sockets. This should allow for detection of spoofed messages.
2007/10/17 Package: diffstat Updated to 1.45.
2007/10/16 Package: dhcp Updated to 3.0.6.
2007/10/13 Package: openssl
Backported upstream fix for off-by-one bug in the SSL_get_shared_ciphers
function. It is unclear whether the bug had any security impact.
References:
2007/10/08 Package: cvs Updated to 1.11.22.
2007/10/07 Package: bzip2 Updated to 1.0.4.
2007/10/07 Package: nmap Updated to 4.20.
2007/10/07 Packages: mdadm, raidtools; Owl/build/installorder.conf Replaced raidtools with mdadm.
2007/09/24 Package: pcre Updated to 7.4.
2007/08/30 Package: vim SECURITY FIX Severity: none to high, indirect, passive
Backported upstream fix to restrict dangerous functions in modelines.
Note that vim's modelines have always been disabled on Owl by default
(with a setting in /usr/share/vim/vimrc) and even this fix is no guarantee
modelines will be safe to use or the restricted mode safe to rely upon
in the future.
Backported upstream fix for format string vulnerability in the
helptags_one function, which allowed user-assisted remote attackers to
execute arbitrary code via format string specifiers in a help-tags tag
in a help file.
References:
2007/08/18 kernel
Updated to Linux 2.4.35-ow2. The single known security-relevant change
added with Linux 2.4.35 is correction of the randomness pool update bug
discovered by the PaX Team. The -ow2 revision adds a fix for the parent
process death signal bug in the Linux kernel discovered by Wojciech
Purczynski of COSEINC PTE Ltd. and iSEC Security Research; this bug has
no security impact on Owl with no added SUID programs. Also added are
two security hardening features, both enabled by default: restricted
access to VM86 mode (specific to 32-bit x86) and restricted zero page
mappings (generic).
References:
2007/08/18 Package: cpio Updated to 2.9.
2007/08/17 Package: tar Updated to 1.18.
2007/07/30 Package: bind SECURITY FIX Severity: medium, remote, passive
Updated to 9.3.4-P1, which fixes a weakness in DNS query ids generator
when answering resolver questions or sending NOTIFY messages to slave
name servers. The weakness used to make it easier for remote attackers
to guess the next query id and perform DNS cache poisoning.
References:
2007/06/01 Package: owl-cdrom In the default kernel for x86, enabled more IDE chipset drivers, common RAID and SATA controller drivers, USB and HID support (keyboard, mouse, storage devices), and more. This enables our CDs to boot off SATA and USB CD-ROM drives, in addition to IDE and SCSI ones that were supported previously.
2007/05/31 Package: mutt
Updated to 1.4.2.3. This release fixes msgid validation in APOP
authentication and potential buffer overflow in passwd GECOS field parser.
References:
2007/03/25 - 2007/05/22 Package: file SECURITY FIX Severity: high, indirect, passive
Fixed potential heap buffer overflow in the file_printf function of the
libmagic library.
Reference:
2007/03/29 Package: lftp Updated to 3.5.10.
2007/03/27 Package: elinks Updated to 0.11.2.
2007/03/26 Package: lftp Updated to 3.5.9.
2007/03/06 Package: gnupg SECURITY FIX Severity: medium, indirect, passive
Updated to 1.4.7. This includes a fix for an unsigned data injection
vulnerability:
An attacker is able to add arbitrary content to a signed message, and
the receiver of the message may not be able to distinguish the forged
and the properly signed parts of the message.
References:
2007/02/25 Package: openssl Updated to 0.9.7m.
2007/01/29 Package: bind SECURITY FIX Severity: low, remote, active
Updated to 9.3.4, which fixes two security issues.
The first issue is a "use after free" vulnerability which allowed remote
DoS attack via unspecified vectors that cause BIND to "dereference (read)
a freed fetch context".
The second issue allowed remote DoS attack via a type ANY DNS query
response that contains multiple RR sets in the answer section, which
triggers an assertion error if DNSSEC validation is enabled.
References:
2007/01/18 Package: strace Updated to 4.5.15.
2007/01/13 Package: pcre Updated to 7.0.
2007/01/03 - 2007/01/09 Package: owl-setup Configuration of console font and locales has been implemented under a new sub-menu. Keyboard layout configuration has been moved to the same menu. The ncurses/CDK-based user interface now uses cfdisk rather than the traditional fdisk by default.
2006/12/30 - 2007/01/09 Owl/build/* New make targets have been added for creating ISO-9660 images of Owl bootable CDs. The added targets are buildkernel, installisotree, iso, and iso.gz.
2007/01/05 Package: mkisofs; Owl/build/installorder.conf New package: create ISO-9660 filesystem images.
2006/12/27 kernel Updated to Linux 2.4.34-ow1.
2006/12/06 Package: gnupg SECURITY FIX Severity: high, indirect, passive
Updated to 1.4.6. This includes a fix for a remotely controllable
function pointer vulnerability: using malformed OpenPGP packets an
attacker was able to modify and dereference a function pointer in gpg.
Reference:
2006/11/28 Package: gnupg SECURITY FIX Severity: high, indirect, passive
Applied upstream fix for heap buffer overflow bug in gpg when running
gpg interactively.
References:
2006/11/28 Package: tar SECURITY FIX Severity: high, indirect, passive
Disabled GNUTYPE_NAMES handling by default to avoid directory traversal
in GNU tar (where a malicious archive containing GNUTYPE_NAMES record
with a symbolic link could specify files to be extracted to outside of
the intended directory tree).
References:
2006/11/19 Package: rpm
Backported upstream fix for potential heap buffer overflow in
showQueryPackage function. Although this particular bug is fixed,
it remains unsafe to invoke "rpm" queries on untrusted package files.
References:
2006/11/09 Package: openssh
Backported upstream fix for a bug in the sshd privilege separation
monitor that weakened its verification of successful authentication.
References:
2006/11/07 Package: texinfo SECURITY FIX Severity: high, indirect, passive
Applied upstream patch that fixes potential heap buffer overflow in
texindex utility.
Reference:
2006/10/29 Package: screen SECURITY FIX Severity: low, remote, passive
Applied upstream patch that fixes two bugs in UTF-8 combining characters
handling. The bugs could be used to crash/hang screen by writing a
special string to a window.
References:
2006/10/03 Package: openssh SECURITY FIX Severity: low/none to high, remote/local, active
Backported upstream fixes for sshd connection consumption vulnerability
(severity: low, remote, active), scp local arbitrary command execution
vulnerability (severity: none to high, local, active), CRC compensation
attack detector DoS (severity: low, remote, active), client NULL
dereference on protocol error (severity: low, remote, passive).
References:
2006/09/29 Package: openssl SECURITY FIX Severity: none to low/high, remote, active/passive
Updated to 0.9.7l, which includes fixes for four security issues.
References:
2006/09/27 Package: dhcp Updated to 3.0.4.
2006/09/19 Package: gzip SECURITY FIX Severity: high, indirect, passive
Fixed multiple vulnerabilities (stack buffer overflow, heap buffer
underflow, heap buffer overflow, infinite loop) discovered by Tavis
Ormandy of Google Security Team.
References:
2006/09/19 Package: bison Updated to 2.3.
2006/09/07 Package: gpm Updated to 1.20.1.
2006/09/06 Package: openssl SECURITY FIX Severity: none to medium, remote, passive to active
Applied upstream patch to avoid RSA signature forgery.
References:
2006/09/06 Package: bind SECURITY FIX Severity: none to low, remote, active
Updated to 9.3.2-P1, which fixes a couple of bugs that allowed for DoS
attacks on certain BIND configurations.
References:
2006/08/17 kernel Updated to Linux 2.4.33-ow1.
2006/08/04 Package: postfix Updated to 2.2.11.
2006/08/04 Package: gnupg SECURITY FIX Severity: high, remote, passive
Updated to 1.4.5. This includes fixes for two more possible memory
allocation bugs, similar to the problem fixed in 1.4.3-owl1.
References:
2006/06/28 Package: gnupg Updated to 1.4.4.
2006/06/27 Package: mutt SECURITY FIX Severity: high, remote, passive
Applied an upstream fix for potential stack-based buffer overflow when
processing an overly long namespace from IMAP server.
Reference:
2006/06/25 Package: nmap Updated to 4.11.
2006/06/25 Package: coreutils Updated to 5.97.
2006/06/22 Package: gnupg SECURITY FIX Severity: high, remote, passive
Updated to 1.4.3. Applied a fix for integer overflow vulnerability in
packet processing that could allow a remote attacker to cause gpg to crash
and possibly overwrite memory via a message packet with a large length.
Reference:
2006/06/12 Package: hdparm Updated to 6.6.
2006/06/12 Package: smartmontools; Owl/build/installorder.conf New package: control and monitor storage systems using S.M.A.R.T.
2006/06/06 Package: patchutils Updated to 0.2.31.
2006/06/06 Package: automake Updated to 1.9.6.
2006/06/06 Package: which Updated to 2.16.
2006/06/06 Package: e2fsprogs Updated to 1.39.
2006/06/06 Package: pam Updated to 0.99.4.0+.
2006/06/06 Package: make Updated to 3.81.
2006/06/06 Package: libtool Updated to 1.5.22.
2006/06/06 Package: bison Updated to 2.1.
2006/06/06 Package: bind Updated to 9.3.2.
2006/06/06 Package: vsftpd Updated to 2.0.4.
2006/06/06 Package: chkconfig Updated to 1.3.29.
2006/06/06 Package: bash Updated to 3.1 patchlevel 17.
2006/05/27 Package: coreutils Updated to 5.96.
2006/05/21 Package: coreutils Updated to 5.95.
2006/05/21 Packages: bc, gnupg, gdb, lftp, readline; Owl/build/installorder.conf Updated readline to 5.1 patchlevel 4.
2006/05/19 Package: acct Updated to 6.4-pre1.
2006/05/08 - 2006/05/15 Package: john Bitslice DES code for x86 with SSE2 and x86-64 with 64-bit mode extended SSE2 has been added for better performance at DES-based crypt(3) hashes on Pentium 4 and SSE2-capable AMD processors. Assorted high-level changes have been applied to improve performance on current x86-64 processors.
2006/05/07 Package: perl Updated to 5.8.8.
2006/05/01 Package: vixie-cron Updated to OpenBSD CVS snapshot dated 2006/04/26. Changed crontab(1) to use $TMPDIR for creating the temporary file.
2006/05/01 Package: lftp Updated to 3.4.6.
2006/04/26 Package: nmap Updated to 4.03.
2006/03/25 - 2006/04/20 Package: owl-setup Many fixes and enhancements which had been postponed for after Owl 2.0 release have now been implemented. This includes directly talking to PAM when setting the initial root password, quick searches in scroll lists with the ncurses/CDK-based interface, progress indicators with both user interfaces (currently, this is used for installation of kernel headers), and manual pages for both "settle" and "setup".
2006/04/19 Package: lftp Updated to 3.4.4.
2006/04/19 Package: setarch Updated to 2.0.
2006/04/04 -
2006/04/07 Packages: *;
Owl/build/{.rpmmacros,.rpmrc,buildworld.conf,buildworld.sh}
Ported Owl to the x86-64 architecture.
2006/04/06 Packages: db4, pam, perl, postfix; Owl/build/installworld.sh Updated db4 to 4.3.29.
2006/04/06 Package: postfix Updated to 2.2.10.
2006/04/06 Package: gettext Updated to 0.14.5.
2006/04/04 Package: bash Updated to 3.1 patchlevel 16.
2006/03/23 Package: netlist Updated to 2.1.
2006/03/23 Package: setarch Updated to 1.9.
2006/03/11 Package: postfix Updated to 2.2.9.
2006/03/11 Package: gnupg SECURITY FIX Severity: medium, indirect, passive
Updated to 1.4.2.2. This includes fixes for the signature verification
vulnerabilities discovered by Tavis Ormandy of Gentoo.
References:
2006/03/05 Package: nmap Updated to 4.02 Alpha1.
2006/02/27 - 2006/03/05 Package: john Applied many minor corrections, including for better handling of certain uncommon scenarios and improper uses of John. Added a "keyboard cracker" to the default john.conf that will try sequences of adjacent keys on a keyboard as passwords.
2006/02/28 Package: iptables Updated to 1.3.5.
2006/02/20 Package: sed Updated to 4.1.5.
2006/02/20 Package: coreutils Updated to 5.94.
2006/02/20 Package: bash Updated to 3.1 patchlevel 8.
2006/02/20 Package: tar SECURITY FIX Severity: high, local, passive
Backported upstream fix for potential heap buffer overrun in handling
extended headers.
References:
$Owl: Owl/doc/CHANGES-current,v 1.210 2009/11/18 05:10:22 solar Exp $ |