|
|
This file lists all changes made between Owl 1.1 and its corresponding
stable branch. Please note that the release itself remains fixed; it's
only the stable branch which has these changes.
Changes made between Owl 1.1 and Owl 1.1-stable.
2005/05/15 kernel SECURITY FIX Severity: high, local, active
Updated to Linux 2.4.30-ow3. This version fixes the ELF core dump
vulnerability discovered by Paul Starzetz.
References:
2005/03/28 Package: telnet SECURITY FIX Severity: high, remote, passive
Corrected the slc_add_reply() and env_opt_add() buffer overflows which
might have allowed a malicious Telnet server to execute arbitrary
machine code within the context of the telnet client process used to
connect to the server.
References:
2005/02/06 Package: cpio SECURITY FIX Severity: low, local, passive
Obey the current umask when creating output files; previously, the
files would be created with mode 666. Thanks to Mike O'Connor for
bringing this up.
Reference:
2005/01/20 kernel SECURITY FIX Severity: high, local, active
Updated to Linux 2.4.29-ow1. Linux 2.4.29, and thus 2.4.29-ow1, adds
a number of security fixes, including to the x86/SMP page fault
handler and the uselib(2) race conditions, both discovered by Paul
Starzetz. The potential of these bugs is a local root compromise.
The uselib(2) bug does not affect default builds of Linux kernels with
the Openwall patch applied since the vulnerable code is only compiled
in if one explicitly enables CONFIG_BINFMT_ELF_AOUT, an option
introduced by the patch.
References:
2004/11/23 - 2004/11/28 kernel; Package: net-tools SECURITY FIX Severity: low to high, local/remote, active/passive
Updated to Linux 2.4.28-ow1. Linux 2.4.28, and thus 2.4.28-ow1, fixes
a number of security-related bugs, including the ELF loader
vulnerabilities discovered by Paul Starzetz (confirmed: ability for
users to read +s-r binaries; potential: local root), a race condition
with reads from Unix domain sockets (potential local root), smbfs
support vulnerabilities discovered by Stefan Esser (confirmed: remote
DoS by a malicious smbfs server; potential: remote root by a malicious
server).
References:
2004/08/04 - 2004/08/15 kernel SECURITY FIX Severity: none to high, local, active
Updated to Linux 2.4.26-ow3 and further to 2.4.27-ow1. This corrects
the access control check which previously wrongly allowed any local
user to change the group ownership of arbitrary NFS-exported/imported
files and adds a workaround for the file offset pointer races
discovered by Paul Starzetz. The former is only exploitable when
files are NFS-exported from a server running a vulnerable version of
Linux 2.4.x, and the currently publicly known exploit for the latter
relies on code enabled with CONFIG_MTRR kernel build option which has
not been enabled in the default kernels on Owl CDs. However, as the
potential impact of both issues is a local root compromise, an upgrade
of older Linux 2.4.x installs to 2.4.26-ow3+ is highly recommended.
References:
(2004/06/22) 2004/06/26 Package: dhcp Added a bounds checking patch covering sprintf() calls with "%s" format specifier and non-constant strings and forcing the use of snprintf() and vsnprintf() in all places where that was previously supported but not enabled. Thanks to Gregory Duchemin for discovering that some of these actually resulted in a vulnerability in versions of the DHCP suite newer than the one we're using in Owl.
2004/06/19 kernel SECURITY FIX Severity: low to high, local, active
Updated to Linux 2.4.26-ow2. This fixes multiple security-related
bugs in the Linux kernel (those discovered by Al Viro using "Sparse",
fsave/frstor local DoS on x86, infoleak in the e1000 driver, and some
others) as well as two non-security bugs in the -ow patch itself.
Which of these bugs affect a particular build of the Linux kernel
depends on what drivers are compiled in (or loaded as modules). For
the default kernels on Owl CDs, it's only the Intel PRO/1000 Gigabit
Ethernet driver (e1000) which has a vulnerability allowing for more
than a DoS attack fixed with this update.
References:
2004/06/09 Package: shadow-utils SECURITY FIX Severity: none to low, local, active Properly check the return value from pam_chauthtok(3) in chfn(1) and chsh(1). Previously, if chfn and/or chsh commands would be enabled for non-privileged users with control(8), it would have been possible for a logged in user with an expired password to change their "Full Name" and login shell without having to change the password. Thanks to Steve Grubb and Martin Schulze for discovering this problem.
2004/05/18 - 2004/06/09 Package: cvs SECURITY FIX Severity: none to high, remote, active
Added back-ports of fixes for multiple CVS server vulnerabilities,
some of which are known to be exploitable allowing for a malicious
client to execute arbitrary code within the CVS server. Thanks to
Stefan Esser, Sebastian Krahmer, and Derek Robert Price for finding
and fixing these bugs. Despite these fixes, it should not be assumed
that CVS server provides any security against a malicious client. If
required, any restrictions on the actions CVS server is allowed to
perform should be imposed at the OS level.
References:
2004/06/07 Package: openssh SECURITY FIX Severity: high, remote, passive
Fixed directory traversal vulnerability in scp which allowed malicious
SSH servers to overwrite arbitrary files on the client system.
Reference:
(2004/04/18) 2004/04/22 kernel SECURITY FIX Severity: high, local, active
Updated to Linux 2.4.26-ow1. Linux 2.4.26 (and thus 2.4.26-ow1) fixes
an integer overflow vulnerability in processing of the MCAST_MSFILTER
socket option discovered by Paul Starzetz. When properly exploited,
the bug would lead to a local root compromise. Also included in this
kernel release is a fix for the ext3/XFS information leak discovered
by Solar Designer and a number of other relatively minor fixes.
References:
(2004/04/14) 2004/04/14 Package: cvs SECURITY FIX Severity: high, remote, passive
Added a fix to the CVS client to ensure that pathnames provided by a
CVS server point to within the working directory. Without this fix, a
malicious CVS server could cause the CVS client to attempt to create
files at arbitrary locations thus gaining control over the user
account. This problem has been brought to the attention of CVS
developers and distribution vendors by Sebastian Krahmer of SuSE.
Additionally, CVS server has been further restricted to disallow the
use of relative pathnames to view files outside of the CVS repository.
However, despite this last fix, it should not be assumed that CVS
server provides any security against a malicious client being able to
access arbitrary files available under the privileges granted to the
CVS server at the OS level.
References:
(2004/03/18) 2004/04/14 Package: openssl SECURITY FIX Severity: low, remote, passive to active
Updated to 0.9.6m. This release of OpenSSL fixes a NULL pointer
dereference during SSL handshake. If triggered, the bug would cause
the remote process or thread to crash. Depending on the application
this could lead to a denial of service. For the applications which
are a part of Owl, it's only individual invocations of network clients
which are affected and may be caused to crash by a malicious server.
References:
(2004/02/08) 2004/04/14 Package: SimplePAMApps In login(1) and su(1), generate ut_id's consistently with libutempter and OpenSSH (patch from Dmitry V. Levin of ALT Linux). This will make "su -" replace existing utmp entries for the duration of the su session.
2004/04/14 Owl/doc/*, Owl/doc/*/* Sync'ed with post-release documentation updates which are pertinent to 1.1-stable.
(2004/01/17) 2004/01/17 Package: procps In top, handle ticks going backwards gracefully. This may happen due to kernel and hardware issues and previously resulted in top reporting absurd idle processor time percentages under high load on SMP systems.
(2004/01/15 - 2004/01/17) 2004/01/17 Package: readline Corrected a packaging error where the readline library usage examples were incorrectly placed under /usr/doc/examples instead of under readline's documentation directory.
(2004/01/10) 2004/01/15 Package: john Corrected a segfault with --stdin introduced with John 1.6.34.2.
2004/01/15 Owl/doc/DOWNLOAD, Owl/doc/*/DOWNLOAD, Owl/doc/fr/CREDITS Sync'ed with the minor post-release updates made in Owl-current. $Owl: Owl/doc/CHANGES-1.1-stable,v 1.1.2.36 2018/05/23 20:09:58 solar Exp $ |