Date: Thu, 24 May 2018 22:21:10 +0200 From: Solar Designer <solar@...nwall.com> To: announce@...ts.openwall.com, owl-users@...ts.openwall.com Subject: [openwall-announce] Owl update Hi, As some of you are aware, our Openwall GNU/*/Linux (Owl) project has been on hold for a long while now, with its future unclear: http://www.openwall.com/lists/owl-users/2014/12/30/1 That said, we still happen to maintain it, fixing (only) the most critical vulnerabilities. As part of such maintenance, I've generated and released new Owl-current and Owl 3.1-stable ISOs and OpenVZ container templates earlier today, and these have already propagated to some of the mirrors: http://www.openwall.com/Owl/ Changes since the previous set of ISOs and templates released in August 2016 include very recent security updates to the RHEL5/OpenVZ-based Linux kernel and a similarly recent switch from procps to procps-ng plus all 126 patches released by Qualys. Also included are our earlier security and other updates that were previously released only in the form of source code and pre-built packages (not new ISOs & templates until today). I'd like to thank Vasily Averin of OpenVZ for his assistance with our preparation of this Owl kernel update. Vasily was kind enough to help us with this even though OpenVZ's own RHEL5-based branch reached EOL in February 2018. Since this is not based on an official OpenVZ update and the testing was ours rather than theirs, any bugs there might be in this update are also ours rather than theirs. Listed below are important Owl-current changes since the 2016 ISOs & templates. Owl 3.1-stable includes similar security fixes, but not the non-security changes. Please refer to the Owl 3.1-stable change log linked off the Owl homepage above for its specifics. 2018/05/24 Package: lftp Updated to 4.8.3. 2018/05/23 Packages: procps, procps-ng SECURITY FIX Severity: high, local, passive Replaced procps with procps-ng 3.3.14 plus all Qualys patches fixing a number of issues that Qualys found during their security audit, including some issues that might have allowed successful attacks on a user (or root) invoking top(1) or other procps programs. References: http://www.openwall.com/lists/oss-security/2018/05/17/1 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1122 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1123 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1124 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1125 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1126 2018/05/21 Package: kernel SECURITY FIX Severity: low to high, local, active Updated to 2.6.18-431.el5.028stab123.1. This is a belated (with Owl being barely on life support at this point) addition of kernel page table isolation (KPTI) on x86-64 (only) as a software fix for Meltdown (CVE-2017-5754) - an issue that allowed userspace processes to read kernel memory (except on AMD CPUs). Also included is a fix for the "POP SS" vulnerability (CVE-2018-8897), which allowed for a local DoS attack. However, this update does not mitigate the set of CPU vulnerabilities known as Spectre, although the exposure to them might be lower than it is in newer kernels because of the lack of eBPF. References: https://meltdownattack.com https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754 https://www.triplefault.io/2018/05/spurious-db-exceptions-with-pop-ss.html http://www.openwall.com/lists/oss-security/2018/05/08/4 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8897 2017/10/25 Package: glibc SECURITY FIX Severity: none to high, remote, active Backported upstream fix for the recently discovered glob heap buffer overflow (CVE-2017-15670) and while at it also for integer overflows in pvalloc, valloc, posix_memalign/memalign/aligned_alloc (CVE-2013-4332). References: http://www.openwall.com/lists/oss-security/2017/10/21/5 https://sourceware.org/bugzilla/show_bug.cgi?id=22320 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15670 http://www.openwall.com/lists/oss-security/2013/09/12/6 https://sourceware.org/bugzilla/show_bug.cgi?id=15855 https://sourceware.org/bugzilla/show_bug.cgi?id=15856 https://sourceware.org/bugzilla/show_bug.cgi?id=15857 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4332 2017/10/19 Package: kernel SECURITY FIX Severity: none to high, local, active Updated to 2.6.18-419.el5.028stab122.4. This addresses the issue of Position Independent Executables' (PIE) data potentially overlapping in memory with their stack areas (CVE-2017-1000253). (Un)fortunately, on Owl we do not yet build our SUID/SGID binaries as PIE (which would be a security enhancement if it were not for this issue), so this did not affect Owl itself, but it could affect third-party SUID/SGID binaries installed on Owl (including e.g. as part of third-party distros in containers). The many other security issues also addressed with this upstream update, as compared to the much older upstream revision we built upon previously, had already been fixed or worked around in prior kernel updates for Owl. References: http://www.openwall.com/lists/oss-security/2017/09/26/16 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000253 https://openvz.org/Download/kernel/rhel5/028stab122.4 https://openvz.org/Download/kernel/rhel5/028stab122.3 https://openvz.org/Download/kernel/rhel5/028stab122.2 https://openvz.org/Download/kernel/rhel5/028stab122.1 https://openvz.org/Download/kernel/rhel5/028stab120.3 https://openvz.org/Download/kernel/rhel5/028stab120.2 2017/06/19 Package: kernel SECURITY FIX Severity: none to high, local, active On SUID/SGID exec, limit the size of argv+envp to 512 KiB and the stack size to 10 MiB, similarly to what grsecurity did in 2012. This prevents some of the stack/heap clash attacks described by Qualys, while some others were already prevented for years by our glibc hardening changes. References: http://www.openwall.com/lists/oss-security/2017/06/19/1 https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash 2017/06/15 Package: db4 SECURITY FIX Severity: medium to high, local, active Don't open the DB_CONFIG file in the current directory. This unexpected property of db4 could have allowed for local DoS, information leaks, and privilege escalation via programs using db4, including Postfix. Reference: http://www.openwall.com/lists/oss-security/2017/06/15/3 2017/06/08 Package: kernel Backported upstream reimplementation of restricted hard links, controllable via the fs.protected_hardlinks sysctl and enabled by default, similar to what we had as part of CONFIG_HARDEN_LINK in -ow patches and what grsecurity had as part of CONFIG_GRKERNSEC_LINK. This reinforces the group crontab vs. root privilege separation in our package of ISC/Vixie Cron. Reference: http://www.openwall.com/lists/oss-security/2017/06/08/3 2017/04/02 Package: kernel SECURITY FIX Severity: high, local, active Merged upstream fix to locking in net/ipv4/ping.c: ping_unhash(), where the race condition could have been exploited by container root into e.g. container escape. Without a vulnerability in ping(1), the issue was not triggerable by non-root users (neither host nor container). References: http://www.openwall.com/lists/oss-security/2017/03/24/6 http://lists.openwall.net/netdev/2017/03/25/16 2017/01/25 Package: kernel SECURITY FIX Severity: high, local, active Merged in a fix of use-after-free in the recvmmsg() exit path (CVE-2016-7117) from Red Hat's -417. The vulnerability appears likely to be exploitable locally. Remote exploitation might be possible as well, but would require specific (unlikely?) behavior of a service. References: https://blog.lizzie.io/notes-about-cve-2016-7117.html https://access.redhat.com/security/cve/cve-2016-7117 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7117 2016/12/10 Package: kernel Merged in Red Hat's CVE-2016-5195 "Dirty COW" fix while also keeping the mitigation introduced in Owl earlier. In the kernel build for x86-64, bumped up the maximum number of logical CPUs from 32 to 96, enabled support for NUMA, huge pages, hugetlbfs, modules for I2C and many sensors (similar to what's enabled in RHEL) and CPU microcode update. 2016/10/23 Package: kernel SECURITY FIX Severity: high, local, active Added a mitigation for the "Dirty COW" Linux kernel privilege escalation vulnerability (CVE-2016-5195). References: http://www.openwall.com/lists/oss-security/2016/10/21/1 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195 2016/10/17 - 2016/10/21 Package: bind SECURITY FIX Severity: low, remote, active Merged multiple DoS vulnerability fixes from Red Hat's package, most notably for two easily triggerable assertion failures (CVE-2016-2776, CVE-2016-2848). References: http://www.openwall.com/lists/oss-security/2016/09/27/8 https://kb.isc.org/article/AA-01419 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2776 http://www.openwall.com/lists/oss-security/2016/10/20/7 https://kb.isc.org/article/AA-01433/74/CVE-2016-2848 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2848 Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.