Date: Tue, 17 Jun 2003 07:40:29 +0400
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com
Cc: lwn@....net
Subject: Linux 2.4.21-ow1, msulogin, Owl updates

Hi,

This is a cumulative announcement for several updates which have
occurred in the last three months.  I'll start with the latest.

Linux 2.4.21-ow1 is out and available for download at the usual
location:

	http://www.openwall.com/linux/

Linux 2.4.21 (and thus 2.4.21-ow1) adds numerous security fixes,
including to the kmod/ptrace race previously fixed in 2.2.25 and many
2.4.x-specific vulnerabilities (ioperm(2) allowing unauthorized direct
access to certain I/O ports, O_DIRECT information leaks, excessive CPU
consumption with networking, and more).

Linux 2.4.21-ow1, compared to previous versions of the patch for Linux
2.4.x, corrects the RLIMIT_NPROC enforcement to not apply to
privileged processes and to work also for 32-bit syscall emulation on
sparc64, ppc64, mips64, s390x, and 64-bit parisc, thanks to the report
from Brad Spengler.  It also has a harmless user-triggerable Oops
(kernel mode fault) in the GPF handler on x86/SMP fixed, thanks to the
PaX team.

Owl-current now fully supports Linux 2.4.x as well as 2.2.x, although
only 2.2.x is included and it's still the preferred choice.  This
means that not only will Owl run with a 2.4.x kernel (Owl 1.0 release
supported that already), but its userland may be fully rebuilt from
source ("make buildworld") with Linux 2.4.x kernel headers.

Another recent release is msulogin, a single user mode login program
which adds support for having multiple root accounts on a system.
It's a part of Owl-current but is also made available separately:

	http://www.openwall.com/msulogin/

More importantly, Owl-current now defaults to tcb, our alternative and
better password shadowing scheme.  This was already supported in Owl
1.0, but not made the default until recently.  Updating existing Owl
installs to Owl-current or the upcoming release results in automatic
conversion from /etc/shadow to tcb.  It is still possible to maintain
an Owl system with /etc/shadow should you require this level of
backwards compatibility, -- automatic conversion to tcb won't be
performed on updates if a system has been explicitly unconverted from
tcb.  Just to remind, our tcb suite is also available separately from
Owl primarily for re-use by other distributions:

	http://www.openwall.com/tcb/

Other recent changes to Owl-current include the addition of CVS and
Nmap packages (both with our modifications), replacing console-tools
with kbd, updates to Mutt 1.4.1i, mktemp 1.5, OpenSSH 3.6.1p2, OpenSSL
0.9.6j, util-linux 2.11z, xinetd 2.3.11, SysVinit 2.85, GnuPG 1.2.2,
lftp 2.6.6, and stmpclean 0.3.  We've imported many improvements from
ALT Linux, including libpam_userpass, much better command line parsing
in su(1), and various fixes and improvements to start-stop-daemon and
wall(1).  pam_tcb now implements proper fake salt creation for
non-existent or password-less accounts to reduce timing leaks, and our
login services know to make use of that functionality.

For a more complete and verbose list of Owl-current changes, please
refer to:

	http://www.openwall.com/Owl/CHANGES-current.shtml

-- 
Alexander Peslyak <solar@...nwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
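
The fake-salt behaviour the message attributes to pam_tcb, illustrated with an added Python example (not pam_tcb's code and not part of the original message): a login check that hashes the supplied password for every username, so non-existent and password-less accounts cost the same work as real ones. PBKDF2 standing in for crypt(3), the per-host `FAKE_SALT_KEY`, and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000              # constructed cost, kept low so the demo is quick
FAKE_SALT_KEY = os.urandom(32)   # assumption: per-host secret used only for fake salts
_hash_calls = []                 # records every password hash computed

def hash_password(password, salt):
    """PBKDF2 stands in here for the system's crypt(3) hash."""
    _hash_calls.append(1)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def hash_call_count():
    return len(_hash_calls)

def fake_salt(username):
    """Stable per-username salt, so repeated probes of a missing account
    behave like probes of a real one whose salt never changes."""
    return hmac.new(FAKE_SALT_KEY, username.encode(), hashlib.sha256).digest()[:16]

def make_accounts():
    """Constructed sample database: one real account, one password-less."""
    salt = os.urandom(16)
    return {"alice": (salt, hash_password("correct horse", salt)), "nopass": None}

def verify(accounts, username, password):
    entry = accounts.get(username)          # None: non-existent or password-less
    salt, stored = entry if entry else (fake_salt(username), None)
    candidate = hash_password(password, salt)   # same work on every path
    # Always compare, against a dummy value when there is no stored hash.
    matches = hmac.compare_digest(candidate, stored or bytes(len(candidate)))
    return matches and stored is not None

if __name__ == "__main__":
    db = make_accounts()
    for user, pw in [("alice", "correct horse"), ("alice", "wrong"),
                     ("ghost", "guess"), ("nopass", "")]:
        print(user, verify(db, user, pw))
```

Returning early for an unknown user would skip the hash and let response time reveal which account names exist; the hash-call counter makes that property checkable.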
