Follow @Openwall on Twitter for new release announcements and other news
Owl homepage
Other languages
Build environment
Installation instructions
Upgrade instructions
Download (HTTP, FTP, rsync, anoncvs)
Change logs
Changes in current
Changes in 3.1-stable
Changes up to 3.1
Changes in 3.0-stable
Changes up to 3.0
Changes in 2.0-stable
Changes up to 2.0
Changes in 1.1-stable
Changes up to 1.1
Changes up to 1.0
Changes in 0.1-stable
Presentation slides
OpenVZ virtualization
Owl VPS hosting
Owl in the news
This file lists all changes made between Owl 1.1 and its corresponding stable branch. Please note that the release itself remains fixed; it's only the stable branch which has these changes.

Changes made between Owl 1.1 and Owl 1.1-stable.

2005/05/15	kernel
SECURITY FIX	Severity: high, local, active

Updated to Linux 2.4.30-ow3. This version fixes the ELF core dump vulnerability discovered by Paul Starzetz. References:

2005/03/28	Package: telnet
SECURITY FIX	Severity: high, remote, passive

Corrected the slc_add_reply() and env_opt_add() buffer overflows which might have allowed a malicious Telnet server to execute arbitrary machine code within the context of the telnet client process used to connect to the server. References:

2005/02/06	Package: cpio
SECURITY FIX	Severity: low, local, passive

Obey the current umask when creating output files; previously, the files would be created with mode 666. Thanks to Mike O'Connor for bringing this up. Reference:

2005/01/20	kernel
SECURITY FIX	Severity: high, local, active

Updated to Linux 2.4.29-ow1. Linux 2.4.29, and thus 2.4.29-ow1, adds a number of security fixes, including to the x86/SMP page fault handler and the uselib(2) race conditions, both discovered by Paul Starzetz. The potential of these bugs is a local root compromise. The uselib(2) bug does not affect default builds of Linux kernels with the Openwall patch applied since the vulnerable code is only compiled in if one explicitly enables CONFIG_BINFMT_ELF_AOUT, an option introduced by the patch. References:

2004/11/23 -
2004/11/28	kernel; Package: net-tools
SECURITY FIX	Severity: low to high, local/remote, active/passive

Updated to Linux 2.4.28-ow1. Linux 2.4.28, and thus 2.4.28-ow1, fixes a number of security-related bugs, including the ELF loader vulnerabilities discovered by Paul Starzetz (confirmed: ability for users to read +s-r binaries; potential: local root), a race condition with reads from Unix domain sockets (potential local root), smbfs support vulnerabilities discovered by Stefan Esser (confirmed: remote DoS by a malicious smbfs server; potential: remote root by a malicious server). References:

2004/08/04 -
2004/08/15	kernel
SECURITY FIX	Severity: none to high, local, active

Updated to Linux 2.4.26-ow3 and further to 2.4.27-ow1. This corrects the access control check which previously wrongly allowed any local user to change the group ownership of arbitrary NFS-exported/imported files and adds a workaround for the file offset pointer races discovered by Paul Starzetz. The former is only exploitable when files are NFS-exported from a server running a vulnerable version of Linux 2.4.x, and the currently publicly known exploit for the latter relies on code enabled with CONFIG_MTRR kernel build option which has not been enabled in the default kernels on Owl CDs. However, as the potential impact of both issues is a local root compromise, an upgrade of older Linux 2.4.x installs to 2.4.26-ow3+ is highly recommended. References:

2004/06/26	Package: dhcp

Added a bounds checking patch covering sprintf() calls with "%s" format specifier and non-constant strings and forcing the use of snprintf() and vsnprintf() in all places where that was previously supported but not enabled. Thanks to Gregory Duchemin for discovering that some of these actually resulted in a vulnerability in versions of the DHCP suite newer than the one we're using in Owl.

2004/06/19	kernel
SECURITY FIX	Severity: low to high, local, active

Updated to Linux 2.4.26-ow2. This fixes multiple security-related bugs in the Linux kernel (those discovered by Al Viro using "Sparse", fsave/frstor local DoS on x86, infoleak in the e1000 driver, and some others) as well as two non-security bugs in the -ow patch itself. Which of these bugs affect a particular build of the Linux kernel depends on what drivers are compiled in (or loaded as modules). For the default kernels on Owl CDs, it's only the Intel PRO/1000 Gigabit Ethernet driver (e1000) which has a vulnerability allowing for more than a DoS attack fixed with this update. References:

2004/06/09	Package: shadow-utils
SECURITY FIX	Severity: none to low, local, active

Properly check the return value from pam_chauthtok(3) in chfn(1) and chsh(1). Previously, if chfn and/or chsh commands would be enabled for non-privileged users with control(8), it would have been possible for a logged in user with an expired password to change their "Full Name" and login shell without having to change the password. Thanks to Steve Grubb and Martin Schulze for discovering this problem.

2004/05/18 -
2004/06/09	Package: cvs
SECURITY FIX	Severity: none to high, remote, active

Added back-ports of fixes for multiple CVS server vulnerabilities, some of which are known to be exploitable allowing for a malicious client to execute arbitrary code within the CVS server. Thanks to Stefan Esser, Sebastian Krahmer, and Derek Robert Price for finding and fixing these bugs. Despite these fixes, it should not be assumed that CVS server provides any security against a malicious client. If required, any restrictions on the actions CVS server is allowed to perform should be imposed at the OS level. References:

2004/06/07	Package: openssh
SECURITY FIX	Severity: high, remote, passive

Fixed directory traversal vulnerability in scp which allowed malicious SSH servers to overwrite arbitrary files on the client system. Reference:

2004/04/22	kernel
SECURITY FIX	Severity: high, local, active

Updated to Linux 2.4.26-ow1. Linux 2.4.26 (and thus 2.4.26-ow1) fixes an integer overflow vulnerability in processing of the MCAST_MSFILTER socket option discovered by Paul Starzetz. When properly exploited, the bug would lead to a local root compromise. Also included in this kernel release is a fix for the ext3/XFS information leak discovered by Solar Designer and a number of other relatively minor fixes. References:

2004/04/14	Package: cvs
SECURITY FIX	Severity: high, remote, passive

Added a fix to the CVS client to ensure that pathnames provided by a CVS server point to within the working directory. Without this fix, a malicious CVS server could cause the CVS client to attempt to create files at arbitrary locations thus gaining control over the user account. This problem has been brought to the attention of CVS developers and distribution vendors by Sebastian Krahmer of SuSE. Additionally, CVS server has been further restricted to disallow the use of relative pathnames to view files outside of the CVS repository. However, despite this last fix, it should not be assumed that CVS server provides any security against a malicious client being able to access arbitrary files available under the privileges granted to the CVS server at the OS level. References:

2004/04/14	Package: openssl
SECURITY FIX	Severity: low, remote, passive to active

Updated to 0.9.6m. This release of OpenSSL fixes a NULL pointer dereference during SSL handshake. If triggered, the bug would cause the remote process or thread to crash. Depending on the application this could lead to a denial of service. For the applications which are a part of Owl, it's only individual invocations of network clients which are affected and may be caused to crash by a malicious server. References:

2004/04/14	Package: SimplePAMApps

In login(1) and su(1), generate ut_id's consistently with libutempter and OpenSSH (patch from Dmitry V. Levin of ALT Linux). This will make "su -" replace existing utmp entries for the duration of the su session.

2004/04/14	Owl/doc/*, Owl/doc/*/*

Sync'ed with post-release documentation updates which are pertinent to 1.1-stable.

2004/01/17	Package: procps

In top, handle ticks going backwards gracefully. This may happen due to kernel and hardware issues and previously resulted in top reporting absurd idle processor time percentages under high load on SMP systems.

(2004/01/15 - 2004/01/17)
2004/01/17	Package: readline

Corrected a packaging error where the readline library usage examples were incorrectly placed under /usr/doc/examples instead of under readline's documentation directory.

2004/01/15	Package: john

Corrected a segfault with --stdin introduced with John

2004/01/15	Owl/doc/DOWNLOAD, Owl/doc/*/DOWNLOAD, Owl/doc/fr/CREDITS

Sync'ed with the minor post-release updates made in Owl-current.

$Owl: Owl/doc/CHANGES-1.1-stable,v 2018/05/23 20:09:58 solar Exp $