Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 4 May 2013 13:11:10 +0200
From: Zenny <garbytrash@...il.com>
To: owl-users@...ts.openwall.com
Subject: Re: Owl-current and 3.0-stable 2013/04/08 snapshot

It is nice to learn about the update, but what makes me wonder is the
upstream for RHEL4 is alreade EoL (end of life) about a year ago (2012
Feb as far as I remember).

It would be nice if Owl get upgraded to be compatible with the
packages for RHEL6/CentOS6 which has an end of life for 10 years? If
not at least, RHEL5/CentOS5 which alos has EoL for a decade.

Actually I encountered a lot of backward  incompatibility when I try
to use some applications.

Thanks!


On 4/11/13, Solar Designer <solar@...nwall.com> wrote:
> Hi,
>
> A few days ago, we've released new snapshots of Owl-current and Owl
> 3.0-stable, as usual including ISO images, OpenVZ container templates,
> binary packages for i686 and x86_64, and full sources:
>
> http://www.openwall.com/Owl/
>
> The Linux kernel has been rebased on the latest from OpenVZ's
> RHEL5-based branch (RHEL 5.9-based currently), thereby fixing a number
> of vulnerabilities including the PTRACE_SETREGS vs. process death race
> condition (CVE-2013-0871), which could allow for a local root compromise
> and OpenVZ container escape.  (However, the risk probability might have
> been low due to the race being difficult to win.)
>
> GnuPG has been updated to 1.4.13, which fixes a memory corruption bug
> (CVE-2012-6085).  The bug allowed an attacker to crash gpg(1) and
> corrupt the public keyring database file.  Arbitrary code execution was
> not possible because the attacker cannot control the corrupted data.
> The corrupted data is stored in the keyring file, so the DoS effect is
> persistent, but the keyring can be manually restored by recovering from
> the pubring.gpg~ backup file (which is created by gpg(1) itself).
>
> In Owl 3.0-stable, both of the above changes have been merged (although
> the kernel has fewer features enabled than Owl-current's), and
> additionally the earlier xinetd security update from Owl-current and
> some glibc bugfixes have been merged.  Owl 3.0-stable's kernel is now
> compressed with Zopfli (pigz -11) instead of gzip -9.
>
> More detail is available in the change logs:
>
> http://www.openwall.com/Owl/CHANGES-current.shtml
> http://www.openwall.com/Owl/CHANGES-3.0-stable.shtml
>
> There's one known regression in Owl-current as compared to 3.0-stable:
> the strace program fails to work against 32-bit x86 program binaries.
> Indeed, we're going to correct this.
>
> This Owl-current update is a lot more conservative than what we've been
> planning to have by this date.  Frankly, progress has been slow.  We did
> prepare an experimental update of Owl to RHEL6'ish kernels, and it was
> in fact committed, but in light of severe security issues discovered in
> the Linux kernel we chose to temporarily revert the major update and to
> provide the security fixes on top of a more stable system first.
>
> Alexander
>

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.