Date: Sat, 4 May 2013 13:11:10 +0200
From: Zenny <garbytrash@...il.com>
To: owl-users@...ts.openwall.com
Subject: Re: Owl-current and 3.0-stable 2013/04/08 snapshot

It is nice to learn about the update, but what makes me wonder is the
upstream for RHEL4 is already EoL (end of life) about a year ago (2012 Feb
as far as I remember).

It would be nice if Owl gets upgraded to be compatible with the packages
for RHEL6/CentOS6 which has an end of life for 10 years? If not at least,
RHEL5/CentOS5 which also has EoL for a decade.

Actually I encountered a lot of backward incompatibility when I try to use
some applications.

Thanks!

On 4/11/13, Solar Designer <solar@...nwall.com> wrote:
> Hi,
>
> A few days ago, we've released new snapshots of Owl-current and Owl
> 3.0-stable, as usual including ISO images, OpenVZ container templates,
> binary packages for i686 and x86_64, and full sources:
>
> http://www.openwall.com/Owl/
>
> The Linux kernel has been rebased on the latest from OpenVZ's
> RHEL5-based branch (RHEL 5.9-based currently), thereby fixing a number
> of vulnerabilities including the PTRACE_SETREGS vs. process death race
> condition (CVE-2013-0871), which could allow for a local root compromise
> and OpenVZ container escape. (However, the risk probability might have
> been low due to the race being difficult to win.)
>
> GnuPG has been updated to 1.4.13, which fixes a memory corruption bug
> (CVE-2012-6085). The bug allowed an attacker to crash gpg(1) and
> corrupt the public keyring database file. Arbitrary code execution was
> not possible because the attacker cannot control the corrupted data.
> The corrupted data is stored in the keyring file, so the DoS effect is
> persistent, but the keyring can be manually restored by recovering from
> the pubring.gpg~ backup file (which is created by gpg(1) itself).
>
> In Owl 3.0-stable, both of the above changes have been merged (although
> the kernel has fewer features enabled than Owl-current's), and
> additionally the earlier xinetd security update from Owl-current and
> some glibc bugfixes have been merged. Owl 3.0-stable's kernel is now
> compressed with Zopfli (pigz -11) instead of gzip -9.
>
> More detail is available in the change logs:
>
> http://www.openwall.com/Owl/CHANGES-current.shtml
> http://www.openwall.com/Owl/CHANGES-3.0-stable.shtml
>
> There's one known regression in Owl-current as compared to 3.0-stable:
> the strace program fails to work against 32-bit x86 program binaries.
> Indeed, we're going to correct this.
>
> This Owl-current update is a lot more conservative than what we've been
> planning to have by this date. Frankly, progress has been slow. We did
> prepare an experimental update of Owl to RHEL6'ish kernels, and it was
> in fact committed, but in light of severe security issues discovered in
> the Linux kernel we chose to temporarily revert the major update and to
> provide the security fixes on top of a more stable system first.
>
> Alexander
>