Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 11 Apr 2013 16:07:47 +0400
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com, owl-users@...ts.openwall.com
Subject: [openwall-announce] Owl-current and 3.0-stable 2013/04/08 snapshot

Hi,

A few days ago, we've released new snapshots of Owl-current and Owl
3.0-stable, as usual including ISO images, OpenVZ container templates,
binary packages for i686 and x86_64, and full sources:

http://www.openwall.com/Owl/

The Linux kernel has been rebased on the latest from OpenVZ's
RHEL5-based branch (RHEL 5.9-based currently), thereby fixing a number
of vulnerabilities including the PTRACE_SETREGS vs. process death race
condition (CVE-2013-0871), which could allow for a local root compromise
and OpenVZ container escape.  (However, the risk probability might have
been low due to the race being difficult to win.)

GnuPG has been updated to 1.4.13, which fixes a memory corruption bug
(CVE-2012-6085).  The bug allowed an attacker to crash gpg(1) and
corrupt the public keyring database file.  Arbitrary code execution was
not possible because the attacker cannot control the corrupted data.
The corrupted data is stored in the keyring file, so the DoS effect is
persistent, but the keyring can be manually restored by recovering from
the pubring.gpg~ backup file (which is created by gpg(1) itself).

In Owl 3.0-stable, both of the above changes have been merged (although
the kernel has fewer features enabled than Owl-current's), and
additionally the earlier xinetd security update from Owl-current and
some glibc bugfixes have been merged.  Owl 3.0-stable's kernel is now
compressed with Zopfli (pigz -11) instead of gzip -9.

More detail is available in the change logs:

http://www.openwall.com/Owl/CHANGES-current.shtml
http://www.openwall.com/Owl/CHANGES-3.0-stable.shtml

There's one known regression in Owl-current as compared to 3.0-stable:
the strace program fails to work against 32-bit x86 program binaries.
Indeed, we're going to correct this.

This Owl-current update is a lot more conservative than what we've been
planning to have by this date.  Frankly, progress has been slow.  We did
prepare an experimental update of Owl to RHEL6'ish kernels, and it was
in fact committed, but in light of severe security issues discovered in
the Linux kernel we chose to temporarily revert the major update and to
provide the security fixes on top of a more stable system first.

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ