This file lists all changes made between Owl 3.0 and its corresponding
stable branch. Please note that the release itself remains fixed; it's
only the stable branch which has these changes.
The dates shown in parentheses indicate when an equivalent change went
into Owl-current, where applicable.

Security fixes have a "Severity" specified for the issue(s) being fixed.
The three comma-separated metrics given after "Severity:" are: risk
impact (low, medium, or high), attack vector (local, remote, or
indirect), and whether the attack may be carried out at will (active) or
not (passive).  Please note that the specified risk impact is just that,
it is not the overall severity, so other metrics are not factored into
it.  For example, a "high" impact "local, passive" issue is generally of
lower overall severity than a "high" impact "remote, active" one - this
is left up to our users to consider given their specific circumstances.

Per our current conventions, a Denial of Service (DoS) vulnerability is
generally considered to have a "low" risk impact (even if it is a
"remote, active" one, which is to be considered separately as it may
make the vulnerability fairly critical under specific circumstances).
Some examples of "medium" impact vulnerabilities would be persistent DoS
(where the DoS effect does not go away with a (sub)system restart), data
loss, bugs enabling non-critical information leaks, cryptographic
signature forgeries, and/or sending of or accepting spoofed/forged
network traffic (where such behavior was unexpected), as long as they
would not directly allow for a "high" impact attack.  Finally, a typical
"high" impact vulnerability would allow for privilege escalation such as
the ability to execute code as a user ID other than the attacker's (a
"local" attack) or without "legitimately" having such an ability (a
"remote" attack).

The metrics specified are generally those for a worst case scenario,
however in certain cases ranges such as "none to low" and/or "local to
remote" may be specified, referring to the defaults vs. a worst case yet
"legitimate" custom configuration.

In some complicated cases, multiple issues or attacks may be dealt with
at once.  When those differ in their severity metrics, we use slashes to
denote the possible combinations.  For example, "low/none to high,
remote/local" means that we've dealt with issue(s) or attack(s) that are
"low, remote" and those that are "none to high, local".  In those tricky
cases, we generally try to clarify the specific issue(s) and their
severities in the description.
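Added example (not part of Owl's tooling; the names severity_expand,
severity_count and severity_combination are chosen here): a small C
parser for the "Severity:" notation described above.  It expands
slash-separated alternatives positionally into concrete (impact, vector,
mode) triples, broadcasts a metric written without a slash to every
combination, and rejects strings whose alternative counts do not line up.
The example in the paragraph above omits the third metric; the entries
in this file always carry all three, and the specs in main() are taken
from them.

```c
#include <stdio.h>
#include <string.h>

#define SEV_METRICS 3   /* impact, vector, mode */
#define SEV_MAX_ALT 4   /* alternatives per metric we are willing to hold */
#define SEV_LEN 32

/* One concrete "impact, vector, mode" triple. */
struct severity {
    char impact[SEV_LEN];
    char vector[SEV_LEN];
    char mode[SEV_LEN];
};

/* Split s on sep, trimming spaces.  Stores at most max parts but returns
 * the total number of parts so the caller can detect overflow. */
static int split(const char *s, char sep, char parts[][SEV_LEN], int max)
{
    int n = 0;
    for (;;) {
        const char *end = strchr(s, sep);
        size_t len = end ? (size_t)(end - s) : strlen(s);
        while (len && *s == ' ') { s++; len--; }
        while (len && s[len - 1] == ' ') len--;
        if (n < max) {
            if (len >= SEV_LEN) len = SEV_LEN - 1;
            memcpy(parts[n], s, len);
            parts[n][len] = '\0';
        }
        n++;
        if (!end) break;
        s = end + 1;
    }
    return n;
}

/* Expand a "Severity:" string into its combinations.  Slash-separated
 * alternatives are matched by position across the three metrics; a metric
 * written without a slash applies to every combination.  Returns the
 * number of combinations stored in out, or -1 for a malformed spec (wrong
 * number of metrics, or alternative counts that do not line up). */
int severity_expand(const char *spec, struct severity *out, int max)
{
    char metric[SEV_METRICS][SEV_LEN];
    char alt[SEV_METRICS][SEV_MAX_ALT][SEV_LEN];
    int count[SEV_METRICS], n = 1, i, k;

    if (strncmp(spec, "Severity:", 9) == 0)
        spec += 9;
    if (split(spec, ',', metric, SEV_METRICS) != SEV_METRICS)
        return -1;
    for (i = 0; i < SEV_METRICS; i++) {
        count[i] = split(metric[i], '/', alt[i], SEV_MAX_ALT);
        if (count[i] > SEV_MAX_ALT)
            return -1;
        if (count[i] > n)
            n = count[i];
    }
    for (i = 0; i < SEV_METRICS; i++)
        if (count[i] != 1 && count[i] != n)
            return -1;   /* e.g. "a/b, c/d/e, f": no positional match */
    if (n > max)
        return -1;
    for (k = 0; k < n; k++) {
        strcpy(out[k].impact, alt[0][count[0] == 1 ? 0 : k]);
        strcpy(out[k].vector, alt[1][count[1] == 1 ? 0 : k]);
        strcpy(out[k].mode,   alt[2][count[2] == 1 ? 0 : k]);
    }
    return n;
}

/* Number of combinations in spec, or -1 if malformed. */
int severity_count(const char *spec)
{
    struct severity s[SEV_MAX_ALT];
    return severity_expand(spec, s, SEV_MAX_ALT);
}

/* Combination k of spec rendered as "impact, vector, mode" in a static
 * buffer, or NULL if spec is malformed or k is out of range. */
const char *severity_combination(const char *spec, int k)
{
    static char buf[3 * SEV_LEN + 8];
    struct severity s[SEV_MAX_ALT];
    int n = severity_expand(spec, s, SEV_MAX_ALT);
    if (k < 0 || k >= n)
        return NULL;
    snprintf(buf, sizeof buf, "%s, %s, %s", s[k].impact, s[k].vector, s[k].mode);
    return buf;
}

int main(void)
{
    /* Severity strings copied from entries in this file. */
    const char *specs[] = {
        "Severity: high, local/indirect, active/passive",
        "Severity: low/low to high, remote/local, active",
        "Severity: none to medium/low, local/remote, active",
    };
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        int n = severity_count(specs[i]);
        printf("%s\n", specs[i]);
        for (int k = 0; k < n; k++)
            printf("  -> %s\n", severity_combination(specs[i], k));
    }
    return 0;
}
```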
Changes made between Owl 3.0 and Owl 3.0-stable.
(2013/03/19 - 2013/04/07) 2013/04/08 Package: kernel SECURITY FIX Severity: high, local/indirect, active/passive
Updated to 2.6.18-348.3.1.el5.028stab106.2. The corresponding RHEL5
kernel updates fix a number of vulnerabilities, CVE IDs for the relevant
ones of which are referenced below. Most importantly, this fixes a
PTRACE_SETREGS vs. process death race condition (CVE-2013-0871), which
could allow a non-privileged local user to execute arbitrary code in the
kernel and thus escalate their privileges to root, escape from an OpenVZ
container, etc. (However, the risk probability might have been low due
to the race being difficult to win.)
References:
2013/04/07	Package: kernel
Use "pigz -11" (Zopfli) to compress the kernel.  On x86_64 changed
CONFIG_ATL1 from =m back to =y.
(2013/02/23) 2013/02/23 Package: glibc
Backported a fix for a TLS handling bug that manifested itself as an
assertion failure on startup of some third-party program binaries, as
reproduced with Mozilla's build of Firefox 17.0.1:
(2012/08/18) 2013/02/23 Package: xinetd SECURITY FIX Severity: none to medium, remote, active
Updated to 2.3.15, which corrects an access control bypass vulnerability
in the normally disabled tcpmux service.
References:
(2012/08/14) 2013/02/23	Package: glibc
Corrected the processing of '\x80' characters in extended DES-based
crypt(3) hashes.  A related issue affecting traditional DES-based
crypt(3) hashes is known as CVE-2012-2143 in other projects using the
same FreeSec code, but luckily in Owl we've been using this code only
for the extended hashes (continuing to use upstream glibc's UFC-crypt
for traditional ones), and these were only affected in terms of
compatibility (with BSD/OS and certain other implementations), but not
security.  Hence, this is not a security fix.
(2013/02/22) 2013/02/23 Package: gnupg SECURITY FIX Severity: medium, indirect, passive
Updated to 1.4.13. This version fixes a memory corruption bug
(CVE-2012-6085). The bug allowed an attacker to crash gpg(1) and
corrupt the public keyring database file. Arbitrary code execution was
not possible because the attacker cannot control the corrupted data.
The corrupted data is stored in the keyring file, so the DoS effect is
persistent, but the keyring can be manually restored by recovering from
the pubring.gpg~ backup file (which is created by gpg(1) itself).
References:
(2012/02/25 - 2013/02/22) 2013/02/22 Package: kernel SECURITY FIX Severity: low/low to high, remote/local, active
Updated to 2.6.18-308.20.1.el5.028stab104.3. Enabled CONFIG_NFSD=m (NFS
server support) and CONFIG_EFI_PARTITION=y (GUID Partition Table (GPT)
support), on x86_64 changed CONFIG_ATL1 from =y to =m (requiring that
the Attansic L1 Gigabit Ethernet driver be loaded manually if needed)
because of the kernel size constraint that we have in Owl 3.0-stable.
Introduced the previously missed RLIMIT_NPROC check into
fs/compat.c: compat_do_execve() (used by 32-bit program binaries on
64-bit kernel). Introduced protection against unintended self-read by a
SUID/SGID program of /proc/<pid>/mem and /proc/<pid>/*maps files, based
on approaches taken in grsecurity patches. The corresponding RHEL5
kernel updates fix an IGMP remote DoS over LAN (CVE-2012-0207), local
DoS flaws in the epoll subsystem (CVE-2011-1083, CVE-2012-3375), ext4
filesystem local DoS flaws (CVE-2011-3638, CVE-2011-4086,
CVE-2012-2100), and a flaw in handling of robust list pointers of
user-space held futexes across execve(2) calls (CVE-2012-0028), which
could be used for privilege escalation via a SUID/SGID program that is
multi-threaded or/and has a memory-mapped device, file, or shared memory
segment (Owl does not include such SUID/SGID programs). Other security
flaws reported as fixed in the release notes referenced below do not
affect Owl's builds of the kernel.
References:
(2011/08/23 - 2012/02/09) 2012/02/09 Package: john
John the Ripper has been enhanced in numerous ways, bringing it up to
version 1.7.9.4. Some of the enhancements require a newer version of
GCC than what we have in Owl 3.0-stable, hence they have been disabled
for the Owl 3.0-stable build (but are enabled in Owl-current).
Reference:
(2012/01/25) 2012/01/25 Package: kernel SECURITY FIX Severity: low to high, local, active
Updated to 2.6.18-274.17.1.el5.028stab097.1. Of the security issues
mentioned in the Red Hat advisory referenced below, 5 are relevant to
Owl's build of the kernel. Their relevance to and impact on specific
Owl installs varies. Specifically, access to some /proc/<pid>/* special
files was not revoked on invocation of a SUID/SGID program, which
allowed for an ASLR bypass (easier exploitation of certain kinds of
other security flaws if present) as well as for an additional and
unintended way to interact with the program (e.g. causing it to fail
with a file lock held). Since Owl does not have any SUID binaries by
default (only having some SGIDs), the impact of this flaw on default
installs of Owl was greatly reduced. The remaining 4 flaws fixed with
this update are either reliably known or currently understood to be
limited to local denial of service (DoS), one of them requires that a
specially-crafted corrupted ext3 or ext4 filesystem be mounted, and two
are in the NFS client and thus require an NFS mount to be present and
accessible to a local attacker. Please refer to the CVE IDs and other
references below for more detail.
References:
(2011/12/27) 2012/01/25 Package: kernel SECURITY FIX Severity: medium, local, passive
Updated to 2.6.18-274.12.1.el5.028stab096.1, enabled build of the VIA
Rhine NIC driver (as a module). Although the corresponding RHEL update
fixed multiple vulnerabilities, only the taskstats io infoleak
(CVE-2011-2494) is relevant to Owl kernel builds.
References:
(2011/11/27) 2012/01/25 Package: kernel SECURITY FIX Severity: low to medium, local/remote, active
Updated to -274.7.1.el5.028stab095.1, which contains fixes for multiple
local and remote DoS vulnerabilities, including via triggering an ext4
filesystem implementation bug with writes into the last block of a file
in certain special circumstances, mremap(2) syscall, receiving of a
specially crafted packet when GRO is enabled, receiving of a specially
crafted packet on a bridge device, and via clock_gettime(2) syscall.
This kernel revision also improves the randomness of IPv4 sequence
numbers by moving from a 24-bit random component generated using MD4
plus a timer-based component to the full 32-bit numbers generated using
MD5.  Owl is not affected by the rest of the vulnerabilities reported in
the referenced Red Hat advisory as we don't build the corresponding
components.  Also included with this update is an OpenVZ fix of "loosing
socket permissions in /dev with udev+tmpfs during CT restore (live
migration)", which may be relevant to certain non-Owl OpenVZ containers
being live-migrated on Owl host systems.  Finally, we've changed the
default for CONFIG_PCNET32 from =m to =y for ease of use under VMware,
which emulates a NIC of this type by default.
References:
(2011/12/27) 2012/01/25	Package: hardlink
Fixed a bug in a code path triggered on error.
(2011/10/26) 2012/01/25	Package: owl-startup
Added VLAN support (patch by Piotr Meyer).
2011/10/26	Package: tzdata
Updated to 2011m.
2011/10/24 Package: pam SECURITY FIX Severity: none to high, local, active
Applied upstream fixes for two vulnerabilities in pam_env. This module
is not in use on default installs of Owl, and it never was, hence there
was no impact for default installs.
References:
(2011/10/09 - 2011/10/15) 2011/10/24	Packages: tzdata, glibc; Owl/build/installorder.conf
Moved timezone data files from glibc to new package tzdata, updated it to
version 2011l.
(2011/10/15) 2011/10/24	Package: hardlink
New package: a program to consolidate duplicate files via hardlinks.
(2011/10/10) 2011/10/24 Package: rpm SECURITY FIX Severity: high, indirect, passive
Applied a fix for crash and potential arbitrary code execution when
processing a malformed/malicious package file. Although an RPM package
can, by design, execute arbitrary code when installed or even during
installation, this issue would potentially allow a specially-crafted RPM
package to execute arbitrary code when the package metadata is merely
queried, including for digital signature verification. Note that for
Owl RPM packages we do not rely on RPM's support for signatures;
instead, we sign *.mtree files. Please continue to verify detached
GnuPG signatures that we provide for such files with gpg(1), and then
verify RPM package files against the message digests found in *.mtree
files with mtree(8) (both of these tools are part of Owl). This kind of
verification was unaffected by this RPM issue.  Please note that use of
RPM on untrusted package files, even if just to verify a signature,
remains risky despite this recent fix: the RPM package format and its
processing are complicated, so further issues of this kind are likely.
References:
(2011/10/10) 2011/10/24	Package: SysVinit
Applied a patch to set the shell name to /bin/bash, not /bin/sh, such
that colored ls output is enabled on our LiveCD.
(2011/10/09) 2011/10/24 Packages: kernel, vzctl SECURITY FIX Severity: low, local, active
Updated the kernel to 2.6.18-274.3.1.el5.028stab094.3 (OpenVZ's latest
stable from their RHEL 5 based branch, now rebased on RHEL 5.7's).
Restricted permissions on /proc/slabinfo as a security hardening
measure. Moved some OpenVZ features to modules like it is done in
OpenVZ's official kernel builds. Changed CONFIG_UDF_FS=y to =m.
Changed CONFIG_BLK_DEV_CRYPTOLOOP and most CONFIG_CRYPTO_* from =y to
=m. On x86_64, changed CONFIG_PCNET32 and CONFIG_FORCEDETH (these are
some of the 100 Mbps NIC drivers) from =y to =m. Of the 100 Mbps NIC
drivers, we're leaving only those for Intel, Realtek, and
NE2000-compatible PCI NICs built into the kernel on x86_64 now. Set
CONFIG_SCSI_AIC94XX=y and CONFIG_BLK_CPQ_CISS_DA=y (the latter was
already =y on i686, now it is =y on x86_64 as well). Although we
reference two Red Hat security advisories below, none of the worse than
local DoS issues listed in those advisories affect our previous kernel
builds, either because we do not build the affected components, or in
case of CVE-2011-2495 because we already had the permissions on
/proc/PID/io restricted before Owl 3.0 release.
References:
(2011/09/07) 2011/09/09	Owl/build/{install*.sh,installorder.conf}
Support for optional package tags has been added to installorder.conf
and made use of in install*.sh scripts.  Currently supported are: "D:" -
CD only; "d:" - exclude from CD; "E:" - exclude from CD and OpenVZ
container templates; "H:" - host only (exclude from OpenVZ container
templates).
(2011/09/07) 2011/09/09	Package: owl-etc
Added /etc/owl-release (with "Owl 3.0-stable" in it).
(2011/09/07) 2011/09/09	Package: owl-dev
Create /dev/sd* devices for 16 disks, not just 8 like we did before.
(2011/07/27) 2011/09/09 Package: kernel SECURITY FIX Severity: none to high, local, active
Updated to 2.6.18-238.19.1.el5.028stab092.2. Enabled CONFIG_BONDING=m
in both i686 and x86_64 kernels, enabled CONFIG_BLK_CPQ_CISS_DA=m in the
x86_64 kernel (i686 already had it at "=y"). Applied a patch adding
limited support for LSISAS8208ELP (PCI device id 0x0059), which provides
access to individual hard drives. Moved the RLIMIT_NPROC check from
set_user() to execve(2) and adjusted set_user() so that it can't fail.
These changes were desirable to address missing setuid(2) return value
check vulnerabilities in user-space programs.
References:
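Added example of the user-space side of this change (not Owl code, and
not taken from any particular package; the name drop_privileges is chosen
here): a privilege-dropping routine that checks every return value and
then verifies the result.  On kernels before this update setuid(2) could
fail at RLIMIT_NPROC, and a program that ignored the failure carried on
running as root with attacker-chosen input; on the updated kernel the
limit is enforced at execve(2) instead, but the user-space check remains
the right thing to do.  The program drops to its own ids so it can be run
unprivileged; a daemon would pass the service account's ids.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Drop to uid/gid permanently, treating any failure as a failed drop.
 * Order matters: supplementary groups and the gid must go first, because
 * once the uid is dropped there is no privilege left to change them.
 * Returns 0 on success, -1 with errno set otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only a privileged process may call setgroups(); an unprivileged one
     * cannot have acquired extra groups that need shedding here. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    /* This is the call whose result the vulnerable programs ignored: it
     * can fail (historically with EAGAIN at RLIMIT_NPROC), and a program
     * that carries on regardless is still root. */
    if (setuid(uid) != 0)
        return -1;

    /* Verify the drop is complete and irreversible.  The real and
     * effective ids must match the target, and regaining root must fail;
     * a leftover saved-set-uid of 0 would let setuid(0) succeed. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    if ((uid != 0 && setuid(0) == 0) || (gid != 0 && setgid(0) == 0)) {
        errno = EPERM;   /* we got a privileged id back: the drop was not real */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Dropping to one's own ids exercises every check and works
     * unprivileged; a daemon would pass the service account's ids. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid %u gid %u, root not regainable\n",
           (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```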
(2011/05/03 - 2011/07/25) 2011/09/09 Package: rpm SECURITY FIX Severity: none to high, local, passive
Added a patch to remove unsafe file permissions (chmod'ing files to 0) on
package removal or upgrade to prevent continued access to such files via
hard-links possibly created by a user. With this same update, we've also
fixed a non-security regression in %patch.
References:
(2011/06/21 - 2011/07/17) 2011/09/09 Packages: glibc, pam, shadow-utils, tcb SECURITY FIX Severity: high, remote, active
crypt_blowfish has been updated to version 1.1 (and then to 1.2), which
fixes the 8-bit character handling bug and adds 8-bit test vectors and a
quick self-test on every password hash computation. The impact of this
bug was that most (but not all) passwords containing non-ASCII
characters with the 8th bit set were hashed incorrectly, resulting in
password hashes incompatible with those of OpenBSD's original
implementation of bcrypt. What's worse, in some cases (but not in all)
one, two, or three characters immediately preceding the 8-bit characters
were ignored by the password hash computation. Thus, many passwords
containing characters with the 8th bit set were significantly easier to
crack than it was previously expected. This primarily applies to
offline attacks against the password hashes (if the hashes are leaked or
stolen), but in rare extreme cases it might also apply to remote
password guessing attacks. In practice, passwords with non-ASCII
characters are relatively uncommon and are typically more complicated
than average, so they're unlikely to be an attractive target for
attacks, despite the weakness that this bug exposes them to.  Yet the
risk is there. With this glibc update, existing users' passwords
containing characters with the 8th bit set will mostly stop working,
because the hashes will be computed correctly and not match the
incorrectly computed hashes recorded in the system. In order to allow
users to log in after the upgrade even if they have a potentially
affected password, the newly introduced backwards compatibility hash
encoding prefix of "$2x$" may be used. Such password hashes should only
be used during a transition period; when passwords are changed and
hashed using the correct algorithm, another newly introduced "$2y$"
prefix is used. After installation of this glibc update, login services
such as sshd(8) should be restarted ("service sshd restart" and so on)
in order for users' newly changed passwords (with the "$2y$" prefix on
the hash encodings) to be recognized.
References:
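Added illustration for the entry above.  This is not Owl's or
crypt_blowfish's code: it is a C port, written for this note, of only the
password-to-key loop of the bcrypt key schedule (the names bf_set_key,
keys_collide and password_affected are chosen here, and the passwords are
constructed).  Since that loop is the only place the password enters the
computation, two passwords that produce the same 18 key words produce the
same hash for every salt and cost.  The samples show the three behaviours
described above: a password hashed incorrectly before the fix, a pair of
passwords that collided because the three characters before the 8-bit one
were dropped, and a password with an 8-bit character that was unaffected
because that character always landed in the first byte of a key word,
where the spurious high bits are shifted out again.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BF_N 16
typedef uint32_t bf_word;
typedef bf_word bf_key[BF_N + 2];

/* The password-to-key step of bcrypt's expensive key schedule: the
 * NUL-terminated password is read cyclically (NUL included) and packed,
 * big-endian, into the 18 words that are XORed into the P-array.
 * With sign_extension_bug set, the loop behaves like crypt_blowfish
 * before 1.1 (what the "$2x$" prefix now requests); otherwise like the
 * corrected code behind "$2y$". */
static void bf_set_key(const char *key, bf_key expanded, int sign_extension_bug)
{
    const char *ptr = key;
    int i, j;

    for (i = 0; i < BF_N + 2; i++) {
        bf_word tmp = 0;
        for (j = 0; j < 4; j++) {
            tmp <<= 8;
            if (sign_extension_bug)
                /* A byte >= 0x80 read through a signed char is negative;
                 * converted to a 32-bit unsigned word it is 0xffffff80 to
                 * 0xffffffff, and the OR smears those high bits over the
                 * bytes already shifted into tmp, which are thus lost. */
                tmp |= (bf_word)(int32_t)(signed char)*ptr;
            else
                tmp |= (unsigned char)*ptr;
            if (!*ptr)
                ptr = key;
            else
                ptr++;
        }
        expanded[i] = tmp;
    }
}

/* 1 if a and b yield identical expanded keys under the chosen behaviour,
 * i.e. identical bcrypt hashes for any salt and cost. */
int keys_collide(const char *a, const char *b, int sign_extension_bug)
{
    bf_key ka, kb;
    bf_set_key(a, ka, sign_extension_bug);
    bf_set_key(b, kb, sign_extension_bug);
    return memcmp(ka, kb, sizeof ka) == 0;
}

/* 1 if the buggy and the fixed key schedule differ for this password,
 * i.e. the password was hashed incorrectly before the fix. */
int password_affected(const char *pw)
{
    bf_key buggy, fixed;
    bf_set_key(pw, buggy, 1);
    bf_set_key(pw, fixed, 0);
    return memcmp(buggy, fixed, sizeof buggy) != 0;
}

int main(void)
{
    /* Constructed samples; "\xff" is kept in its own literal so the hex
     * escape does not swallow the letters that follow it. */
    const char *pw1 = "abc\xff" "def";
    const char *pw2 = "xyz\xff" "def";
    printf("\"abc\\xffdef\" affected by the bug: %d\n", password_affected(pw1));
    printf("collide under old code: %d, under fixed code: %d\n",
           keys_collide(pw1, pw2, 1), keys_collide(pw1, pw2, 0));
    printf("\"\\xffab\" affected by the bug: %d\n", password_affected("\xff" "ab"));
    return 0;
}
```

The collision needs the 8-bit character to sit at the same position in
every key word, which happens when the password length plus its NUL is a
multiple of four; "abc\xff" alone (period five) does not collide with
"xyz\xff", which is the "in some cases (but not in all)" above.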
(2011/04/27 - 2011/06/22) 2011/09/09 Package: john
Updated to 1.7.8.
References:
(2011/01/24 - 2011/06/09) 2011/09/09	Package: lilo
Updated to 23.2.
(2011/05/03) 2011/09/09	Package: iproute2
Updated to 2.6.38.
(2011/01/31 - 2011/05/03) 2011/09/09	Packages: iputils, owl-etc, owl-startup
Updated iputils to s20101006.  Made use of our updated kernel's support
for non-raw ICMP sockets in ping(1).
References:
(2011/01/29 - 2011/03/17) 2011/09/09	Package: nmap
Updated to 5.51.
(2011/03/15) 2011/09/09	Package: strace
Updated to 4.6.
(2011/03/14) 2011/09/09	Package: iptables
Changed the default for IPTABLES_STATUS_ARGS to "-nv".  Most importantly,
this disables the (risky and slow) reverse DNS lookups with "service
iptables status".
(2011/02/05) 2011/09/09	Packages: usb_modeswitch, usb_modeswitch-data
New packages: usb_modeswitch is a mode switching tool for controlling
"flip flop" (multiple device) USB gear.  usb_modeswitch-data contains the
data files for usb_modeswitch.
(2011/02/05) 2011/09/09	Package: libusb-compat
New package: libusb-compat is a compatibility layer allowing applications
written for libusb-0.1 to work with libusb-1.0.  It is needed for
usb_modeswitch.
(2011/02/05) 2011/09/09	Package: shadow-utils
Added USERNAME_RELAXED and GROUPNAME_RELAXED options to /etc/login.defs,
which, if changed to "yes", will allow capital letters to be used in new
usernames and/or group names, respectively.
(2011/01/30) 2011/09/09	Package: vconfig
New package: vconfig is a user mode program to add and remove 802.1q
VLAN virtual devices from Ethernet devices.
(2011/01/28) 2011/09/09	Package: usbutils
New package: usbutils contains the lsusb utility for inspecting the
devices connected to the USB bus.
(2011/01/28) 2011/09/09	Package: libusb1
New package: libusb is a library providing access to USB devices.
(2011/01/27) 2011/09/09	Package: bridge-utils
New package: bridge-utils is a tool for configuring the Linux Ethernet
bridge.
(2011/01/27) 2011/09/09	Package: pv
New package: PV ("Pipe Viewer") is a tool for monitoring the progress of
data through a pipeline.
(2011/01/27) 2011/09/09	Package: ethtool
New package: ethtool is a utility for controlling network drivers and
hardware, particularly for wired Ethernet devices.
(2011/01/25) 2011/09/09	Package: e2fsprogs
Updated to 1.41.14.
(2011/01/24) 2011/09/09	Package: owl-startup
Added "-s 131072" to the dmesg invocation in rc.sysinit.  Without this
change, /var/run/dmesg.boot was often incomplete.
(2011/01/28 - 2011/05/03) 2011/05/03 Package: kernel SECURITY FIX Severity: none to medium/low, local/remote, active
Updated to 2.6.18-238.9.1.el5.028stab089.1. This fixes obscure security
issues: kernel panic by unprivileged user via NFSv4 (CVE-2011-1090),
NULL pointer dereference in GRO code (CVE-2011-1478), a flaw in the
garbage collector for AF_UNIX sockets (CVE-2010-4249, local DoS), a flaw
in handling of received packets exceeding the buffer limit
(CVE-2010-4251, remote DoS) and a potential information leak in
net/core/ethtool.c: ethtool_get_regs() - this was the portion of
CVE-2010-4655 relevant to RHEL5 kernels. According to our analysis, the
latter issue did not affect installs with default OpenVZ container
settings, but it could affect systems where a network device was passed
into an OpenVZ container by an administrator. (The important and
relevant ones of the security fixes described in the Red Hat security
advisories referenced below were already included in our previous kernel
revision (in Owl 3.0) with our own backports from a "testing" Red Hat
kernel.) Updated atl1 driver (Attansic L1 Gigabit Ethernet). Disabled
the eepro100 driver in favor of e100, enabled Ethernet bridge support,
PPP_MPPE, and ULOG netfilter target. Made numerous kernel configuration
changes (enabled extra drivers, moved some to modules), documented the
changes (and the rationale behind them) in the change log for the kernel
package.
References:
(2011/03/21) 2011/03/26 Package: kernel SECURITY FIX Severity: none to medium, local, active
Backported fixes for information leaks in Netfilter modules: arp_tables
(CVE-2011-1170), ip_tables (CVE-2011-1171), ip6_tables (CVE-2011-1172),
and ipt_CLUSTERIP. One must have CAP_NET_ADMIN to exploit these issues
(e.g. in-container root may trigger the leak). The default Owl
installation is vulnerable to the infoleak in ip_tables only as we don't
ship other Netfilter modules nor have IPv6 enabled.
References:
(2011/02/18) 2011/03/12	Package: patchutils
Updated to 0.3.2.
2011/03/02 Package: vsftpd SECURITY FIX Severity: none to low, remote, active
Updated to 2.3.4.  This release corrects a DoS vulnerability discovered by
Maksymilian Arciemowicz where an attacker permitted to log in to an FTP server
would be able to cause the vsftpd child process(es) spawned for their
session(s) to consume excessive amounts of CPU time. If the attack is carried
out on a sufficient number of FTP sessions (possibly from multiple source IP
addresses to exceed a possible per-source limit), the FTP service would become
unavailable and other services of the system would be greatly impacted.
References:
2011/03/01 Package: openssl SECURITY FIX Severity: none to medium, remote, active
Backported a fix for CVE-2010-4180. An old bug workaround in the
OpenSSL SSL/TLS server code allows malicious clients to modify the
stored session cache ciphersuite. In some cases the ciphersuite can be
downgraded to a weaker one on subsequent connections.
Backported a fix for CVE-2009-0590. The function ASN1_STRING_print_ex()
when used to print a BMPString or UniversalString would crash with an
invalid memory access if the encoded length of the string was illegal.
The impact of this flaw is limited to a crash of the applications calling
the affected OpenSSL function.  There are currently no known applications
printing untrusted certificates, where application crash would be
considered a security issue.
References:
(2011/02/09) 2011/03/01 Package: patch SECURITY FIX Severity: high, indirect, passive
Backported a fix for CVE-2010-4651. The patch utility allowed ".." in
pathnames, and it also allowed absolute pathnames, either of which could
allow an attacker to create or modify arbitrary files outside of the
intended directory tree using a specially-crafted patch file.
References:
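Added example (not GNU patch's code; the names patch_target_is_safe,
patch_header_path and patch_header_is_safe are chosen here) of the checks
a tool that consumes untrusted diffs needs on the "---"/"+++" header
paths: after the -p style strip has been applied, reject absolute names
and any ".." component, with "/dev/null" accepted as the conventional
marker for a created or deleted file since it is never written to.  The
header lines in main() are constructed to look like a crafted patch.

```c
#include <stdio.h>
#include <string.h>

/* 1 if path may be written to by a patch applied in the current
 * directory: it must be relative and contain no ".." component (".."
 * anywhere in the path is refused, not only a leading one). */
int patch_target_is_safe(const char *path)
{
    const char *p = path;

    if (*p == '\0' || *p == '/')
        return 0;
    while (*p) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        if (!slash)
            break;
        p = slash + 1;
    }
    return 1;
}

/* Copy the file name out of a "--- old" or "+++ new" header line into
 * out, removing `strip` leading directory components the way patch -p
 * does.  A tab (before a timestamp) or newline ends the name.  Returns 1
 * on success, 0 if the line is not a header or has too few components. */
int patch_header_path(const char *line, int strip, char *out, size_t outsize)
{
    const char *p;
    size_t len;
    int i;

    if (strncmp(line, "--- ", 4) != 0 && strncmp(line, "+++ ", 4) != 0)
        return 0;
    p = line + 4;
    len = strcspn(p, "\t\n");
    for (i = 0; i < strip; i++) {
        const char *slash = memchr(p, '/', len);
        if (!slash)
            return 0;
        len -= (size_t)(slash + 1 - p);
        p = slash + 1;
    }
    if (len == 0 || len >= outsize)
        return 0;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

/* Verdict for one header line: 1 safe, 0 unsafe or unusable, -1 not a
 * header line at all.  "/dev/null" is recognised before stripping. */
int patch_header_is_safe(const char *line, int strip)
{
    char path[4096];

    if (!patch_header_path(line, 0, path, sizeof path))
        return -1;
    if (strcmp(path, "/dev/null") == 0)
        return 1;
    if (!patch_header_path(line, strip, path, sizeof path))
        return 0;
    return patch_target_is_safe(path);
}

int main(void)
{
    /* Constructed header lines, checked as patch -p0 would see them. */
    const char *lines[] = {
        "--- src/main.c\t2011-01-01 00:00:00",
        "+++ src/main.c\t2011-01-02 00:00:00",
        "+++ ../../etc/passwd",
        "+++ /etc/passwd",
        "--- /dev/null",
        "@@ -1,2 +1,2 @@",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-40s -> %d\n", lines[i], patch_header_is_safe(lines[i], 0));
    return 0;
}
```

Note that the strip count changes the verdict: "+++ /etc/passwd" is
unsafe at -p0 but becomes the relative "etc/passwd" at -p1, which is why
the check has to run on the name after stripping, not on the raw header.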
(2011/01/24) 2011/03/01	Package: vim
Moved a few syntax highlighting related files from the vim-syntax to the
vim-enhanced subpackage to correct a packaging error where some files in
vim-enhanced were dependent upon files from vim-syntax, which is not
installed by default.

$Owl: Owl/doc/CHANGES-3.0-stable,v 1.1.2.41 2018/05/23 20:01:28 solar Exp $