Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Домашняя страница Owl
Другие языки
английский
Концепция
Процессорные архитектуры
Система сборки
Установка
Обновление
Скачать (HTTP, FTP, rsync, anoncvs)
CVSweb
Изменения
Изменения в current
Изменения в 3.1-stable
Изменения до 3.1
Изменения в 3.0-stable
Изменения до 3.0
Изменения в 2.0-stable
Изменения до 2.0
Изменения в 1.1-stable
Изменения до 1.1
Изменения до 1.0
Изменения в 0.1-stable
Графика для ссылок
Скриншоты
Слайды презентации
Wiki
OpenVZ-виртуализация
Пакеты
VPS-хостинг с Owl
Что пишут об Owl
This file lists the major changes made between the last released version of Owl and Owl-current. While some of the changes listed here may also be made to a stable branch, the complete lists of stable branch changes are included with those branches and as errata for the corresponding Owl releases only.

This is very far from an exhaustive list of changes. Small changes to individual packages won't be mentioned here unless they fix a security or a critical reliability problem. They are, however, mentioned in change logs for the packages themselves.

Security fixes have a "Severity" specified for the issue(s) being fixed. The three comma-separated metrics given after "Severity:" are: risk impact (low, medium, or high), attack vector (local, remote, or indirect), and whether the attack may be carried out at will (active) or not (passive). Please note that the specified risk impact is just that, it is not the overall severity, so other metrics are not factored into it. For example, a "high" impact "local, passive" issue is generally of lower overall severity than a "high" impact "remote, active" one - this is left up to our users to consider given their specific circumstances.

Per our current conventions, a Denial of Service (DoS) vulnerability is generally considered to have a "low" risk impact (even if it is a "remote, active" one, which is to be considered separately as it may make the vulnerability fairly critical under specific circumstances). Some examples of "medium" impact vulnerabilities would be persistent DoS (where the DoS effect does not go away with a (sub)system restart), data loss, bugs enabling non-critical information leaks, cryptographic signature forgeries, and/or sending of or accepting spoofed/forged network traffic (where such behavior was unexpected), as long as they would not directly allow for a "high" impact attack. Finally, a typical "high" impact vulnerability would allow for privilege escalation such as ability to execute code as another user ID than the attacker's (a "local" attack) or without "legitimately" having such an ability (a "remote" attack).

The metrics specified are generally those for a worst case scenario, however in certain cases ranges such as "none to low" or/and "local to remote" may be specified, referring to the defaults vs. a worst case yet "legitimate" custom configuration. In some complicated cases, multiple issues or attacks may be dealt with at once. When those differ in their severity metrics, we use slashes to denote the possible combinations. For example, "low/none to high, remote/local" means that we've dealt with issue(s) or attack(s) that are "low, remote" and those that are "none to high, local". In those tricky cases, we generally try to clarify the specific issue(s) and their severities in the description.

Changes made between Owl 3.1 and Owl-current.

2017/06/19	Package: kernel
SECURITY FIX	Severity: none to high, local, active

On SUID/SGID exec, limit the size of argv+envp to 512 KiB and the stack size to 10 MiB, similarly to what grsecurity did in 2012. This prevents some of the stack/heap clash attacks described by Qualys, while some others were already prevented for years by our glibc hardening changes. References:
http://www.openwall.com/lists/oss-security/2017/06/19/1
https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash

2017/06/15	Package: db4
SECURITY FIX	Severity: medium to high, local, active

Don't open the DB_CONFIG file in the current directory. This unexpected property of db4 could have allowed for local DoS, information leaks, and privilege escalation via programs using db4, including Postfix. Reference:
http://www.openwall.com/lists/oss-security/2017/06/15/3

2017/06/08	Package: kernel

Backported upstream reimplementation of restricted hard links, controllable via the fs.protected_hardlinks sysctl and enabled by default, similar to what we had as part of CONFIG_HARDEN_LINK in -ow patches and what grsecurity had as part of CONFIG_GRKERNSEC_LINK. This reinforces the group crontab vs. root privilege separation in our package of ISC/Vixie Cron. Reference:
http://www.openwall.com/lists/oss-security/2017/06/08/3

2017/04/02	Package: kernel
SECURITY FIX	Severity: high, local, active

Merged upstream fix to locking in net/ipv4/ping.c: ping_unhash(), where the race condition could have been exploited by container root into e.g. container escape. Without a vulnerability in ping(1), the issue was not triggerable by non-root users (neither host nor container). References:
http://www.openwall.com/lists/oss-security/2017/03/24/6
http://lists.openwall.net/netdev/2017/03/25/16

2017/01/25	Package: kernel
SECURITY FIX	Severity: high, local, active

Merged in a fix of use-after-free in the recvmmsg() exit path (CVE-2016-7117) from Red Hat's -417. The vulnerability appears likely to be exploitable locally. Remote exploitation might be possible as well, but would require specific (unlikely?) behavior of a service. References:
https://blog.lizzie.io/notes-about-cve-2016-7117.html
https://access.redhat.com/security/cve/cve-2016-7117
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7117

2016/12/10	Package: kernel

Merged in Red Hat's CVE-2016-5195 "Dirty COW" fix while also keeping the mitigation introduced in Owl earlier. In the kernel build for x86-64, bumped up the maximum number of logical CPUs from 32 to 96, enabled support for NUMA, huge pages, hugetlbfs, modules for I2C and many sensors (similar to what's enabled in RHEL) and CPU microcode update.

2016/10/23	Package: kernel
SECURITY FIX	Severity: high, local, active

Added a mitigation for the "Dirty COW" Linux kernel privilege escalation vulnerability (CVE-2016-5195). References:
http://www.openwall.com/lists/oss-security/2016/10/21/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195

2016/10/17 -
2016/10/21	Package: bind
SECURITY FIX	Severity: low, remote, active

Merged multiple DoS vulnerability fixes from Red Hat's package, most notably for two easily triggerable assertion failures (CVE-2016-2776, CVE-2016-2848). References:
http://www.openwall.com/lists/oss-security/2016/09/27/8
https://kb.isc.org/article/AA-01419
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2776
http://www.openwall.com/lists/oss-security/2016/10/20/7
https://kb.isc.org/article/AA-01433/74/CVE-2016-2848
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2848

2016/08/23	Package: openssh

Backported upstream fix for a use-after-free in sshd's debugging output, with no known security impact.

2016/08/23	Package: openssl
SECURITY FIX	Severity: none to high, remote, active

Updated to 1.0.0t, which fixes the "X509_ATTRIBUTE memory leak" (CVE-2015-3195) and "Race condition handling PSK identify hint" (CVE-2015-3196) vulnerabilities. Neither of these affects the uses of OpenSSL in Owl, but third-party applications using Owl's OpenSSL might be affected. The "high" impact potential is for the double-free possibility mentioned in the OpenSSL advisory, even though the OpenSSL team has rated the corresponding issue as "low" overall severity (possibly considering its low risk probability, or/and other mitigating factors). This Owl package update also adds a CA certificate bundle. Reference:
https://www.openssl.org/news/secadv/20151203.txt

2016/08/23	Package: kernel
SECURITY FIX	Severity: low, local, active

Updated to 2.6.18-408.el5.028stab120.1, which addresses several DoS vulnerabilities, and additionally fixed a kernel panic triggerable via the move_pages() syscall. Reference:
https://openvz.org/Download/kernel/rhel5-testing/028stab120.1

2016/08/23	Package: gnupg
SECURITY FIX	Severity: medium, remote, passive

Updated to 1.4.21, which, compared to 1.4.18, fixes side-channel leaks (CVE-2014-3591, CVE-2015-0837) and a bug in the random number generator where an attacker who obtains 4640 bits from the RNG could trivially predict the next 160 bits of output (CVE-2016-6313). References:
https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html
http://www.openwall.com/lists/oss-security/2016/08/17/8
https://lists.gnupg.org/pipermail/gnupg-announce/2015q4/000382.html
https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html
http://www.cs.tau.ac.il/~tromer/radioexp/

2016/07/20	Package: passwdqc

In version 1.3.1, fixed a bug in pam_passwdqc's rarely used "non-unix" option. The bug existed since passwdqc 1.1.3, released in 2009. Reference:
http://www.openwall.com/lists/announce/2016/07/22/1

2015/08/01	Package: openssl
SECURITY FIX	Severity: none to medium, remote, passive to active

Updated to 1.0.0s, which fixes many Low and Moderate severity issues (per OpenSSL's classification), as well as one High severity issue in the client: silent downgrades of RSA to EXPORT_RSA (CVE-2015-0204), with the corresponding attack known as FREAK. References:
https://www.openssl.org/news/secadv_20150108.txt
https://www.openssl.org/news/secadv_20150319.txt
https://www.openssl.org/news/secadv_20150611.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
https://freakattack.com
https://en.wikipedia.org/wiki/FREAK

2015/07/31	Package: bind
SECURITY FIX	Severity: low, remote, active

Merged multiple DoS vulnerability fixes from Red Hat's package, most notably for the easily triggerable error in handling of TKEY queries (CVE-2015-5477). References:
http://www.openwall.com/lists/oss-security/2015/07/29/3
https://kb.isc.org/article/AA-01272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477

2015/06/11	Package: kernel
SECURITY FIX	Severity: high, local, active

Fixed OpenVZ container filesystem (simfs) escape vulnerability via bind mounts (CVE-2015-2925). References:
https://bugs.openvz.org/browse/OVZ-6296
http://www.openwall.com/lists/oss-security/2015/04/03/7
https://access.redhat.com/security/cve/CVE-2015-2925
https://bugzilla.redhat.com/show_bug.cgi?id=1209367

2015/06/09	Package: kernel
SECURITY FIX	Severity: high, local, active

Updated to 2.6.18-406.el5.028stab119.1. Most importantly, this fixes a possible I/O vector array overrun, which could allow for local privilege escalation (CVE-2015-1805). References:
https://openvz.org/Download/kernel/rhel5-testing/028stab119.1
http://rhn.redhat.com/errata/RHSA-2015-1042.html
http://www.openwall.com/lists/oss-security/2015/06/06/2
https://openvz.org/Download/kernel/rhel5/028stab118.1
http://rhn.redhat.com/errata/RHSA-2015-0164.html

2015/03/06	Package: strace

Updated to 4.10.

2015/01/28	Package: glibc
SECURITY FIX	Severity: none to high, remote, active

Backported upstream's fix for a buffer overflow in gethostbyname*() functions, which could be triggered via a crafted IP address argument. Depending on the application that uses these functions, this vulnerability could allow a local or a remote attacker to execute arbitrary code. Due to the analysis by Qualys (referenced below), it is known that the issue could be exploited remotely via Exim (which we do not include in Owl) or locally via clockdiff or procmail if these are installed SUID/SGID or with filesystem capabilities (not the case on Owl). While there's no known security impact on Owl itself, Owl with third-party software added (as many real-world installs have) may be affected, with worst-case impact ranging up to a remote root compromise. References:
http://www.openwall.com/lists/oss-security/2015/01/27/9
https://blog.qualys.com/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability
https://sourceware.org/bugzilla/show_bug.cgi?id=15014
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235

2015/01/26	Package: libnss
SECURITY FIX	Severity: none to medium, indirect, passive

Updated to 3.17.3. which includes a fix for "RSA PKCS#1 signature verification forgery is possible due to too-permissive SignatureAlgorithm parameter parsing" (CVE-2014-1568) since version 3.17.1. The only part potentially affected by this in Owl is RPM since it is the only package using NSS currently, although we do not use RPM's signature verification for Owl's own packages (we use GnuPG-signed mtree files instead). References:
https://bugzilla.mozilla.org/show_bug.cgi?id=1064636
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568

2015/01/26	Package: libnspr

Updated to 4.10.7.

2015/01/04	Package: openssl
SECURITY FIX	Severity: none to medium, remote, active

Updated to 1.0.0o, which fixes "Information leak in pretty printing functions" (CVE-2014-3508), "Race condition in ssl_parse_serverhello_tlsext" (CVE-2014-3509), "Session Ticket Memory Leak" (CVE-2014-3567), and adds support for "SSL 3.0 Fallback protection" to let applications mitigate POODLE (CVE-2014-3566). References:
https://www.openssl.org/news/secadv_20140806.txt
https://www.openssl.org/news/secadv_20141015.txt

2015/01/04	Package: bash

Updated to 3.1 patchlevel 23.

2015/01/04	Package: help2man

New package: help2man, which creates simple man pages from the output of programs. It currently generates the diff(1) man page during Owl build.

2014/12/28	Package: kernel
SECURITY FIX	Severity: none to high, local, active

Updated to 2.6.18-400.el5.028stab117.2, which most importantly fixes a local privilege escalation vulnerability on x86-64 (CVE-2014-9322). References:
https://openvz.org/Download/kernel/rhel5/028stab117.2
http://www.openwall.com/lists/oss-security/2014/12/15/6
https://rhn.redhat.com/errata/RHSA-2014-2008.html
https://rhn.redhat.com/errata/RHSA-2014-1959.html
https://openvz.org/Download/kernel/rhel5/028stab116.1
https://rhn.redhat.com/errata/RHBA-2014-1196.html
https://rhn.redhat.com/errata/RHSA-2014-1143.html
https://rhn.redhat.com/errata/RHSA-2014-0926.html

2014/10/25	Package: tzdata

Updated to 2014i.

2014/09/25 -
2014/09/27	Package: bash
SECURITY FIX	Severity: none to high, remote, active

Updated to 3.1 patchlevel 19 with additional patches by Florian Weimer of Red Hat. This fixes vulnerabilities with and introduces security hardening of function imports, which could in many setups be exploited remotely. References:
http://www.openwall.com/lists/oss-security/2014/09/24/10
http://www.openwall.com/lists/oss-security/2014/09/24/11
http://www.openwall.com/lists/oss-security/2014/09/24/40
http://www.openwall.com/lists/oss-security/2014/09/25/5
http://www.openwall.com/lists/oss-security/2014/09/25/13
http://www.openwall.com/lists/oss-security/2014/09/25/32
http://www.openwall.com/lists/oss-security/2014/09/26/2
http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
https://access.redhat.com/blogs/766093/posts/1976383
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187

2014/08/16	Package: strace

Updated to 4.9.

2014/07/12	Package: sqlite

Introduced a new package due to the new RPM requirements.

2014/07/12	Package: rpm

Updated to 4.11.2. The payload compression method was changed from bzip2 to xz.

2014/07/12	Package: mpfr

Updated to 3.1.2 patch-level 8.

2014/07/12	Package: m4

Updated to 1.4.17.

2014/07/12	Package: libtool

Updated to 2.4.2.

2014/07/12	Package: libpopt

Updated to 1.16. Introduced the libpopt library as an independent, separate package.

2014/07/12	Package: libnss

Introduced a new package due to the new RPM requirements.

2014/07/12	Package: libnspr

Introduced a new package due to the new RPM requirements.

2014/07/12	Package: libnet

Updated to 1.2-rc3.

2014/07/12	Package: libmpc

Updated to 1.0.2.

2014/07/12	Package: gmp

Updated to 6.0.0a.

2014/07/12	Package: gettext

Updated to 0.19.1.

2014/07/12	Package: gdbm

Updated to 1.11.

2014/07/12	Package: flex

Updated to 2.5.39.

2014/07/12	Package: file

Updated to 5.19.

2014/07/12	Package: coreutils

Updated to 8.22.

2014/07/12	Package: bison

Updated to 3.0.2.

2014/07/12	Package: automake

Updated to 1.14.

2014/07/12	Package: autoconf

Updated to 2.69.

$Owl: Owl/doc/CHANGES-current,v 1.33 2017/06/19 17:39:45 solar Exp $

Powered by Openwall GNU/*/Linux - Powered by OpenVZ