This file lists the major changes made between Owl releases. While
some of the changes listed here may also be made to a stable branch,
the complete lists of stable branch changes are included with those
branches and as errata for the corresponding Owl releases only.
This is very far from an exhaustive list of changes. Small changes to individual packages won't be mentioned here unless they fix a security or a critical reliability problem. They are, however, mentioned in change logs for the packages themselves.

Security fixes have a "Severity" specified for the issue(s) being fixed. The three comma-separated metrics given after "Severity:" are: risk impact (low, medium, or high; "none" appears as the lower end of a range, see below), attack vector (local, remote, or indirect), and whether the attack may be carried out at will (active) or not (passive).

Please note that the specified risk impact is just that; it is not the overall severity, so other metrics are not factored into it. For example, a "high" impact "local, passive" issue is generally of lower overall severity than a "high" impact "remote, active" one. This is left up to our users to consider given their specific circumstances.

Per our current conventions, a Denial of Service (DoS) vulnerability is generally considered to have a "low" risk impact (even if it is a "remote, active" one, which is to be considered separately as it may make the vulnerability fairly critical under specific circumstances). Some examples of "medium" impact vulnerabilities would be persistent DoS (where the DoS effect does not go away with a (sub)system restart), data loss, bugs enabling non-critical information leaks, cryptographic signature forgeries, and/or sending of or accepting spoofed/forged network traffic (where such behavior was unexpected), as long as they would not directly allow for a "high" impact attack. Finally, a typical "high" impact vulnerability would allow for privilege escalation such as the ability to execute code as a user ID other than the attacker's (a "local" attack) or without "legitimately" having such an ability (a "remote" attack).

The metrics specified are generally those for a worst case scenario; however, in certain cases ranges such as "none to low" or/and "local to remote" may be specified, referring to the defaults vs. a worst case yet "legitimate" custom configuration. In some complicated cases, multiple issues or attacks may be dealt with at once. When those differ in their severity metrics, we use slashes to denote the possible combinations. For example, "low/none to high, remote/local" means that we've dealt with issue(s) or attack(s) that are "low, remote" and those that are "none to high, local". In those tricky cases, we generally try to clarify the specific issue(s) and their severities in the description.
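As an added illustration of the convention above (example code written for this page, not part of Owl or its tooling), the following Python parser expands a "Severity:" line into one metric combination per issue, handling "X to Y" ranges and the position-aligned slash alternatives exactly as described. The function and field names are my own.

```python
import re
from typing import Dict, List, Tuple, Union

# Vocabulary of the three metrics; IMPACTS is ordered from lowest to highest.
IMPACTS = ("none", "low", "medium", "high")
VECTORS = ("local", "remote", "indirect")
MODES = ("active", "passive")
FIELDS = (("impact", IMPACTS), ("vector", VECTORS), ("mode", MODES))

# A metric value is either a single level or a ("from", "to") range.
Value = Union[str, Tuple[str, str]]


def _parse_value(text: str, vocab: Tuple[str, ...]) -> Value:
    """Parse one metric value: "high" or a range such as "none to high"."""
    text = text.strip()
    m = re.fullmatch(r"(\w+)\s+to\s+(\w+)", text)
    parts = (m.group(1), m.group(2)) if m else (text,)
    for p in parts:
        if p not in vocab:
            raise ValueError("unknown metric value %r; expected one of %s" % (p, vocab))
    return parts if m else parts[0]


def parse_severity(line: str) -> List[Dict[str, Value]]:
    """Expand a "Severity: ..." line into one dict per issue/attack combination.

    Slashes inside a field list alternatives that line up positionally across
    fields: "low/none to high, remote/local" is "low, remote" plus
    "none to high, local". A field without a slash applies to every combination.
    """
    text = line.strip()
    if text.lower().startswith("severity:"):
        text = text[len("severity:"):]
    fields = [f.strip() for f in text.split(",")]
    if len(fields) not in (2, 3):          # the active/passive field is sometimes omitted
        raise ValueError("expected 'impact, vector[, mode]'")
    alternatives = [f.split("/") for f in fields]
    width = max(len(a) for a in alternatives)
    if any(len(a) not in (1, width) for a in alternatives):
        raise ValueError("slash-separated alternatives must line up across fields")
    rows = []
    for i in range(width):
        row = {}
        for (name, vocab), alts in zip(FIELDS, alternatives):
            row[name] = _parse_value(alts[i] if len(alts) > 1 else alts[0], vocab)
        rows.append(row)
    return rows


def worst_impact(rows: List[Dict[str, Value]]) -> str:
    """Highest risk impact across all combinations (upper end of any range)."""
    def upper(v: Value) -> str:
        return v[1] if isinstance(v, tuple) else v
    return max((upper(r["impact"]) for r in rows), key=IMPACTS.index)


if __name__ == "__main__":
    for example in ("Severity: low/none to high, remote/local",
                    "Severity: medium/high, remote/indirect, active/passive",
                    "Severity: none to medium, remote, passive to active"):
        rows = parse_severity(example)
        print(example, "->", rows, "worst impact:", worst_impact(rows))
```

Note that worst_impact() deliberately reports only the impact metric, matching the text's point that the vector and active/passive metrics are not folded into it.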
Changes made between Owl 3.0 and Owl 3.1.
2014/07/07 Package: glibc Added OpenBSD 5.5+ $2b$ prefix support to crypt_blowfish (same as $2y$).
2014/07/07 Package: gnupg SECURITY FIX Severity: medium, local/indirect, passive Updated to 1.4.18. Fixed since 1.4.13 are DoS via compressed data (CVE-2013-4402, CVE-2014-4617) and RSA side-channel vulnerabilities (CVE-2013-4242, CVE-2013-4576).
2014/07/07 Package: kernel SECURITY FIX Severity: none to high, local, active
Updated to 2.6.18-371.9.1.el5.028stab114.2, which contains security
fixes for the floppy disk driver in case a /dev/fd* device is accessible
to a non-trusted user (normally not the case on Owl). Added a hardening
measure against the ptrace SYSRET vulnerability (CVE-2014-4699), which
could allow for DoS or privilege escalation in x86_64 kernel builds
running on Intel CPUs, even though RHEL5 kernels are currently
understood to be unaffected.
References:
2014/06/09 Package: kernel SECURITY FIX Severity: high, local, active
Updated to 2.6.18-371.8.1.el5.028stab113.1, which is based on RHEL 5.10,
and contains numerous security fixes compared to the kernel revision we
were using before. Disabled this new kernel revision's RDRAND support
because it suffers from the security risks discussed after that code had
been introduced into mainline kernels (in particular, get_random_bytes()
could be less random under VMs). Enabled CPU frequency scaling, which
is needed on some modern servers to enable Intel's Turbo Boost (enabling
it in BIOS settings only is often not enough). To use it, load a module
appropriate for your hardware (e.g., "modprobe acpi-cpufreq") and
control the CPU frequency via sysfs (turbo is typically enabled by
setting the frequency on all logical CPUs to be nominally 1 KHz higher
than the CPU's highest non-turbo base frequency).
References:
2014/06/08 Package: openssl SECURITY FIX Severity: medium, remote, passive
Updated to 1.0.0m, which includes a fix for CCS Injection vulnerability
(CVE-2014-0224) and more.
References:
2013/04/20 - 2013/07/08 Package: john
Merged into the tree many changes, most of them sponsored by Rapid7
under their Magnificent7 program, which have ultimately resulted in
John the Ripper 1.8.0 release. The code in Owl was then updated some
further, up to version 1.8.0.2.
Reference:
2013/06/05 Package: strace Updated to 4.8.
2013/04/24 Package: passwdqc Updated to 1.3.0.
2013/04/07 Package: kernel
Updated to 2.6.18-348.3.1.el5.028stab106.2. The only change from our
previous kernel revision is OpenVZ's minor bugfix in NFS client code.
Reference:
2013/03/19 Package: kernel SECURITY FIX Severity: high, local/indirect, active/passive
Updated to 2.6.18-348.3.1.el5.028stab106.1. The corresponding RHEL5
kernel updates fix a number of vulnerabilities, CVE IDs for the relevant
ones of which are referenced below. Most importantly, this fixes a
PTRACE_SETREGS vs. process death race condition (CVE-2013-0871), which
could allow a non-privileged local user to execute arbitrary code in the
kernel and thus escalate their privileges to root, escape from an OpenVZ
container, etc. (However, the risk probability might have been low due
to the race being difficult to win.)
References:
2013/02/23 Package: glibc
Backported a fix for a TLS handling bug that manifested itself as an
assertion failure on startup of some third-party program binaries, as
reproduced with Mozilla's build of Firefox 17.0.1:
2013/02/22 Package: gnupg SECURITY FIX Severity: medium, indirect, passive
Updated to 1.4.13. This version fixes a memory corruption bug
(CVE-2012-6085). The bug allowed an attacker to crash gpg(1) and
corrupt the public keyring database file. Arbitrary code execution was
not possible because the attacker cannot control the corrupted data.
The corrupted data is stored in the keyring file, so the DoS effect is
persistent, but the keyring can be manually restored by recovering from
the pubring.gpg~ backup file (which is created by gpg(1) itself).
References:
2013/02/22 Package: kernel SECURITY FIX Severity: none to low, local/indirect, active/passive
Updated to 2.6.18-308.20.1.el5.028stab104.3. Enabled
CONFIG_EFI_PARTITION=y (GUID Partition Table (GPT) support) and
CONFIG_SOUND=m (the sound card driver subsystem) with the same set of
drivers as in RHEL5. The corresponding RHEL5 kernel updates fix a
divide-by-zero flaw in the ext4 filesystem code (CVE-2012-2100), which
could be triggered via a corrupted ext4 filesystem. This is only a
security issue if untrusted users are permitted to mount filesystems
or/and when mounting filesystems from untrusted sources; other and worse
attacks are likely possible in those cases, thereby making this one fix
relatively unimportant. Red Hat has also fixed a flaw in the dl2k
driver (CVE-2012-2313), which is not included in our kernel builds.
References:
2012/08/18 Package: openssl SECURITY FIX Severity: none to medium, remote, passive to active
Updated to 1.0.0j. This release corrects a buffer over-read flaw in the
handling of CBC mode ciphersuites in DTLS. No DTLS-using programs are
included in Owl, so it'd take a third-party program to make this flaw
actually triggerable on Owl.
References:
2012/08/18 Package: xinetd SECURITY FIX Severity: none to medium, remote, active
Updated to 2.3.15, which corrects an access control bypass vulnerability
in the normally disabled tcpmux service.
References:
2012/08/18 Package: kernel SECURITY FIX Severity: low, local, active
Updated to 2.6.18-308.11.1.el5.028stab102.1. The corresponding RHEL5
kernel update fixes a flaw in the epoll subsystem, which could be used
for a local DoS attack. Other security flaws reported as fixed in the
release notes referenced below do not affect Owl's builds of the kernel
(they're in Xen and extended taskstats functionality, which we do not
include).
References:
2012/08/14 Package: glibc Corrected the processing of '\x80' characters in extended DES-based crypt(3) hashes. A related issue affecting traditional DES-based crypt(3) hashes is known as CVE-2012-2143 in other projects using the same FreeSec code, but luckily in Owl we've been using this code only for the extended hashes (continuing to use upstream glibc's UFC-crypt for traditional ones), and these were only affected in terms of compatibility (with BSD/OS and certain other implementations), but not security. Hence, this is not a security fix.
2012/08/14 Package: slang Dropped S-Lang from Owl. We never made use of it in Owl itself.
2012/08/14 Package: binutils Updated to 2.23.51.0.1.
2012/07/23 Package: tcsh Updated to 6.18.01.
2012/05/12 Package: binutils Updated to 2.22.52.0.1.
2012/05/08 Package: syslinux Updated to 4.05.
2012/05/08 Package: lftp Updated to 4.3.6. Corrected an assertion failure with torrent peer id generation when the lftp PID is above 65535. Added a patch proposed by upstream to always obtain and report exact file timestamps.
2012/05/06 Package: openssl SECURITY FIX Severity: medium/high, remote/indirect, active/passive
Updated to 1.0.0i, which corrects numerous vulnerabilities discovered
since 1.0.0d (the version we had in Owl-current before). The attack
vectors and worst case impact of these vulnerabilities vary. The ASN1
BIO vulnerability (CVE-2012-2110) discovered by Tavis Ormandy of Google
Security Team and patched specifically in the 1.0.0i release in April
potentially allows for arbitrary code execution, but is not triggerable
via OpenSSL's SSL/TLS code, whereas worst case impact of other
vulnerabilities corrected with this update is lower.
References:
2012/05/06 Package: kernel SECURITY FIX Severity: low to high, local, active
Updated to 2.6.18-308.4.1.el5.028stab100.2, which includes a fix for
excessive in-kernel CPU time consumption when creating large nested
epoll structures (CVE-2011-1083) as reported by Nelson Elhage.
Corrected an Owl-specific mm (memory) leak and a reference count
overflow possibility (with non-obvious impact) that was inadvertently
introduced in 2.6.18-274.18.1.el5.028stab098.1.owl1 and which could be
triggered on i686 (not x86_64) on read attempts from /proc/<pid>/*maps
by other than the same program instance that opened these special files.
Reverted the dmesg_restrict sysctl tri-state feature in favor of the
approach taken by OpenVZ.
References:
2012/05/02 Package: strace Updated to 4.7.
2012/04/22 Package: hdparm Updated to 9.39, added packaging of the wiper.sh script (SSD trimming).
2012/03/03 Package: gcc Updated to 4.6.3.
2012/02/25 Package: kernel SECURITY FIX Severity: low/low to high, remote/local, active
Updated to 2.6.18-274.18.1.el5.028stab098.1, which fixes an IGMP remote
DoS over LAN (CVE-2012-0207), two ext4 filesystem local DoS flaws
(CVE-2011-3638, CVE-2011-4086), and a flaw in handling of robust list
pointers of user-space held futexes across execve(2) calls
(CVE-2012-0028), which could be used for privilege escalation via a
SUID/SGID program that is multi-threaded or/and has a memory-mapped
device, file, or shared memory segment (Owl does not include such
SUID/SGID programs). Introduced the previously missed RLIMIT_NPROC
check into fs/compat.c: compat_do_execve() (used by 32-bit program
binaries on 64-bit kernel). Introduced protection against unintended
self-read by a SUID/SGID program of /proc/<pid>/mem and
/proc/<pid>/*maps files, based on approaches taken in recent grsecurity
patches. Made the kernel.dmesg_restrict sysctl tri-state and
container-aware. Enabled CONFIG_NFSD=m, CONFIG_CIFS=m,
CONFIG_NET_SCHED=y, CONFIG_NET_RADIO=y, CONFIG_PCCARD=m and lots of WiFi
drivers as modules.
References:
2012/02/18 Package: glibc Enabled building of UTF-8 locales by default (adds 6.5 MB to glibc .rpm package size and 36 MB to installed system size on a filesystem with 4 KB blocks, unfortunately).
2012/02/12 - 2012/02/18 Package: gcc; Owl/build/.rpmmacros
Enabled -Wl,-z,relro and -Wl,-z,now by default as a security hardening
measure, rebuilt all packages. In most cases the performance impact is
non-existent or negligible. To disable these options (for whatever
reason), pass -Wl,-z,norelro and -Wl,-z,lazy to gcc, respectively.
Note: ld(1) still uses -z norelro and -z lazy by default; only gcc's
defaults are changed. (We already had -Wl,-z,relro in
Owl/build/.rpmmacros since 2011/11/04; now that change is reverted in
favor of gcc's change of default, and we've also added -Wl,-z,now.)
References:
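A practitioner rebuilding packages with these defaults will want to confirm that a given binary really got both flags. As an added example (my own code, not Owl's build system or gcc's), the Python below reads a little-endian ELF64 image and reports whether it carries a PT_GNU_RELRO program header (the effect of -z relro) and a DT_BIND_NOW, DT_FLAGS/DF_BIND_NOW or DT_FLAGS_1/DF_1_NOW entry in its dynamic section (the effect of -z now). It also constructs two minimal header-only ELF images, which are not loadable programs, so the check can be exercised offline.

```python
import struct
import sys

PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = "<HHIQQQIHHHHHH"      # Elf64_Ehdr after the 16-byte e_ident
PHDR = "<IIQQQQQQ"           # Elf64_Phdr
DYN = "<qQ"                  # Elf64_Dyn


def check_relro(elf: bytes) -> dict:
    """Classify an ELF64 little-endian image as full, partial or no RELRO."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    has_relro, dynamic = False, None
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz, _ms, _al = struct.unpack_from(
            PHDR, elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    bind_now = False
    if dynamic:
        off, size = dynamic
        for pos in range(off, off + size, struct.calcsize(DYN)):
            d_tag, d_val = struct.unpack_from(DYN, elf, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) \
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                bind_now = True
    level = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {"relro": has_relro, "bind_now": bind_now, "level": level}


def check_file(path: str) -> dict:
    with open(path, "rb") as f:
        return check_relro(f.read())


def build_sample_elf(relro: bool, now: bool) -> bytes:
    """Constructed ELF64 image with only headers and a .dynamic array:
    enough for check_relro(), but not a loadable program."""
    dyn = b""
    if now:
        dyn += struct.pack(DYN, DT_FLAGS, DF_BIND_NOW) + struct.pack(DYN, DT_FLAGS_1, DF_1_NOW)
    dyn += struct.pack(DYN, DT_NULL, 0)
    phnum = 2 if relro else 1
    dyn_off = 64 + phnum * 56                      # headers are laid out back to back
    phdrs = struct.pack(PHDR, PT_DYNAMIC, 6, dyn_off, 0x1000, 0x1000, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack(PHDR, PT_GNU_RELRO, 4, dyn_off, 0x1000, 0x1000, len(dyn), len(dyn), 1)
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, LSB, version 1
    ehdr = e_ident + struct.pack(EHDR, 3, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, check_file(path))
    if len(sys.argv) == 1:
        print("hardened sample:", check_relro(build_sample_elf(True, True)))
        print("lazy sample:    ", check_relro(build_sample_elf(False, False)))
```

Run it with a path to an x86_64 binary to check a real file; "readelf -l" (GNU_RELRO) and "readelf -d" (BIND_NOW / FLAGS_1 NOW) give the same answer and also cover the 32-bit i686 builds, which this example does not parse.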
2012/01/25 Package: kernel SECURITY FIX Severity: low to high, local, active
Updated to 2.6.18-274.17.1.el5.028stab097.1. Of the security issues
mentioned in the Red Hat advisory referenced below, 5 are relevant to
Owl's build of the kernel. Their relevance to and impact on specific
Owl installs varies. Specifically, access to some /proc/<pid>/* special
files was not revoked on invocation of a SUID/SGID program, which
allowed for an ASLR bypass (easier exploitation of certain kinds of
other security flaws if present) as well as for an additional and
unintended way to interact with the program (e.g. causing it to fail
with a file lock held). Since Owl does not have any SUID binaries by
default (only having some SGIDs), the impact of this flaw on default
installs of Owl was greatly reduced. The remaining 4 flaws fixed with
this update are either reliably known or currently understood to be
limited to local denial of service (DoS), one of them requires that a
specially-crafted corrupted ext3 or ext4 filesystem be mounted, and two
are in the NFS client and thus require an NFS mount to be present and
accessible to a local attacker. Please refer to the CVE IDs and other
references below for more detail.
References:
2011/12/27 Package: kernel SECURITY FIX Severity: medium, local, passive
Updated to 2.6.18-274.12.1.el5.028stab096.1, enabled build of the VIA
Rhine NIC driver (as a module). Although the corresponding RHEL update
fixed multiple vulnerabilities, only the taskstats io infoleak
(CVE-2011-2494) is relevant to Owl kernel builds.
References:
2011/12/27 Package: hardlink Fixed a bug in a code path triggered on error.
2011/11/27 Package: kernel SECURITY FIX Severity: low to medium, local/remote, active
Updated to -274.7.1.el5.028stab095.1, which contains fixes for multiple
local and remote DoS vulnerabilities, including via triggering an ext4
filesystem implementation bug with writes into the last block of a file
in certain special circumstances, mremap(2) syscall, receiving of a
specially crafted packet when GRO is enabled, receiving of a specially
crafted packet on a bridge device, and via clock_gettime(2) syscall.
This kernel revision also improves the randomness of IPv4 sequence
numbers by moving from a 24-bit random component generated using MD4
plus a timer-based component to the full 32-bit numbers generated using
MD5. Owl is not affected by the rest of the vulnerabilities reported in
the referenced Red Hat advisory as we don't build the corresponding
components. Also included with this update is an OpenVZ fix of "loosing
socket permissions in /dev with udev+tmpfs during CT restore (live
migration)", which may be relevant to certain non-Owl OpenVZ containers
being live-migrated on Owl host systems. Finally, we've changed the
default for CONFIG_PCNET32 from =m to =y for ease of use under VMware,
which emulates NIC of this type by default.
References:
2011/11/23 Package: john
John the Ripper has been enhanced in numerous ways, most notably gaining
OpenMP parallelization for more hash types, resulting in its 1.7.9
release, which is also part of Owl (as usual). The Owl package of John
the Ripper now actually has OpenMP parallelization and support for Intel
AVX and AMD XOP enabled due to our move to GCC 4.6.x. It also includes
transparent fallback to non-OpenMP and/or pre-AVX program binaries when
the thread count would be 1 (such as because the system only has one
logical CPU) or when running on a CPU not supporting AVX, respectively.
Reference:
2011/10/29 Packages: syslinux, owl-cdrom; Owl/build/* Packaged SYSLINUX - a collection of boot loaders - and moved from LILO to ISOLINUX for the ISO-9660 images generated by "make iso".
2011/10/29 Package: gcc Updated to 4.6.2.
2011/10/26 Package: tzdata Updated to 2011m.
2011/10/26 Package: owl-startup Added VLAN support (patch by Piotr Meyer).
2011/10/24 Package: pam SECURITY FIX Severity: none to high, local, active
Applied upstream fixes for two vulnerabilities in pam_env. This module
is not in use on default installs of Owl, and it never was, hence there
was no impact for default installs.
References:
2011/10/24 Packages: gcc, gmp, libmpc, mpfr Updated GCC to 4.6.1. Packaged GMP, MPC, and MPFR - arbitrary precision arithmetic libraries, which are required by the new GCC version.
2011/10/15 Package: tzdata Updated to 2011l. Reduced installed package size via use of hardlinks.
2011/10/15 Package: hardlink New package: a program to consolidate duplicate files via hardlinks.
2011/10/10 Package: rpm SECURITY FIX Severity: high, indirect, passive
Applied a fix for crash and potential arbitrary code execution when
processing a malformed/malicious package file. Although an RPM package
can, by design, execute arbitrary code when installed or even during
installation, this issue would potentially allow a specially-crafted RPM
package to execute arbitrary code when the package metadata is merely
queried, including for digital signature verification. Note that for
Owl RPM packages we do not rely on RPM's support for signatures;
instead, we sign *.mtree files. Please continue to verify detached
GnuPG signatures that we provide for such files with gpg(1), and then
verify RPM package files against the message digests found in *.mtree
files with mtree(8) (both of these tools are part of Owl). This kind of
verification was unaffected by this RPM issue. Please note that use of
RPM on untrusted package files, even if just to verify a signature,
remains risky despite this recent fix: RPM package format and
processing are complicated, so further issues of this kind are likely.
References:
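The verification procedure recommended above, as an added Python example: check the detached GnuPG signature on the *.mtree file first, then check the package files against the sizes and digests the spec records, without ever handing an unverified file to rpm. This is my illustration, not Owl's tooling; it assumes the flat one-entry-per-line mtree spec form (as produced by "mtree -C"), with type=file entries carrying size and *digest keywords, and the package name and spec in the demo are constructed.

```python
import hashlib
import os
import shlex
import subprocess
import tempfile

# mtree(8) digest keywords and the hashlib algorithms behind them
DIGEST_KEYS = {"md5digest": "md5", "sha1digest": "sha1",
               "sha256digest": "sha256", "sha512digest": "sha512"}


def gpg_verify(signature_path: str, signed_path: str) -> bool:
    """Step 1: the detached signature on the *.mtree file must verify.
    gpg(1) exits non-zero on a bad or missing signature."""
    result = subprocess.run(["gpg", "--batch", "--verify", signature_path, signed_path],
                            capture_output=True)
    return result.returncode == 0


def parse_mtree(spec_text: str):
    """Yield (name, attrs) for each entry, applying /set and /unset defaults."""
    defaults = {}
    for raw in spec_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0] == "/set":
            for kv in tokens[1:]:
                k, _, v = kv.partition("=")
                defaults[k] = v
            continue
        if tokens[0] == "/unset":
            for k in tokens[1:]:
                defaults.pop(k, None)
            continue
        attrs = dict(defaults)
        for kv in tokens[1:]:
            k, _, v = kv.partition("=")
            attrs[k] = v
        yield tokens[0], attrs


def verify_mtree(spec_text: str, root: str) -> list:
    """Step 2: compare each type=file entry's size and digests with the file
    under root. Returns (name, problem) pairs; an empty list means all matched.
    Only hashing happens here, so no RPM code runs before a digest has matched."""
    problems = []
    for name, attrs in parse_mtree(spec_text):
        if attrs.get("type", "file") != "file":
            continue
        rel = name[2:] if name.startswith("./") else name
        # the spec is signed, but still refuse entries that would escape root
        if os.path.isabs(rel) or os.path.normpath(rel).split(os.sep)[0] == "..":
            problems.append((name, "unsafe path in spec"))
            continue
        try:
            with open(os.path.join(root, rel), "rb") as f:
                data = f.read()
        except OSError as e:
            problems.append((name, "unreadable: %s" % e.strerror))
            continue
        if "size" in attrs and int(attrs["size"]) != len(data):
            problems.append((name, "size mismatch"))
        for keyword, algo in DIGEST_KEYS.items():
            if keyword in attrs and hashlib.new(algo, data).hexdigest() != attrs[keyword].lower():
                problems.append((name, algo + " digest mismatch"))
    return problems


def make_spec(root: str, names) -> str:
    """Demo helper: write a spec for existing files, as mtree -c/-C would."""
    lines = ["/set type=file"]
    for n in names:
        with open(os.path.join(root, n), "rb") as f:
            data = f.read()
        lines.append("./%s size=%d sha256digest=%s" % (n, len(data), hashlib.sha256(data).hexdigest()))
    return "\n".join(lines) + "\n"


def demo_roundtrip() -> dict:
    """Constructed demo: a fake package file, a spec for it, then a tampered copy."""
    with tempfile.TemporaryDirectory() as root:
        name = "example-1.0-owl1.i686.rpm"          # hypothetical package name
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"constructed package bytes, not a real RPM\n")
        spec = make_spec(root, [name])
        clean = verify_mtree(spec, root)
        with open(os.path.join(root, name), "ab") as f:
            f.write(b"trailing garbage")
        tampered = verify_mtree(spec, root)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo_roundtrip())
```

In real use, call gpg_verify() on the *.mtree.sign/*.mtree pair and stop if it returns False before verify_mtree() is ever run; the order matters, because an unsigned spec proves nothing about the digests it lists.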
2011/10/10 Package: SysVinit Applied a patch to set the shell name to /bin/bash, not /bin/sh, such that colored ls output is enabled on our LiveCD.
2011/10/09 Packages: kernel, vzctl SECURITY FIX Severity: low, local, active
Updated the kernel to 2.6.18-274.3.1.el5.028stab094.3 (OpenVZ's latest
stable from their RHEL 5 based branch, now rebased on RHEL 5.7's).
Restricted permissions on /proc/slabinfo as a security hardening
measure. Moved some OpenVZ features to modules like it is done in
OpenVZ's official kernel builds. Changed CONFIG_UDF_FS=y to =m.
Changed CONFIG_BLK_DEV_CRYPTOLOOP and most CONFIG_CRYPTO_* from =y to
=m. On x86_64, changed CONFIG_PCNET32 and CONFIG_FORCEDETH (these are
some of the 100 Mbps NIC drivers) from =y to =m. Of the 100 Mbps NIC
drivers, we're leaving only those for Intel, Realtek, and
NE2000-compatible PCI NICs built into the kernel on x86_64 now. Set
CONFIG_SCSI_AIC94XX=y and CONFIG_BLK_CPQ_CISS_DA=y (the latter was
already =y on i686, now it is =y on x86_64 as well). Although we
reference two Red Hat security advisories below, none of the issues
listed in those advisories that are worse than local DoS affect our
previous kernel builds, either because we do not build the affected
components, or in case of CVE-2011-2495 because we already had the
permissions on /proc/PID/io restricted before Owl 3.0 release.
References:
2011/10/09 Packages: tzdata, glibc; Owl/build/installorder.conf Moved timezone data files from glibc to new package tzdata, updated it to version 2011k.
2011/09/07 Owl/build/{install*.sh,installorder.conf} Support for optional package tags has been added to installorder.conf and made use of in install*.sh scripts. Currently supported are: "D:" - CD only; "d:" - exclude from CD; "E:" - exclude from CD and OpenVZ container templates; "H:" - host only (exclude from OpenVZ container templates).
2011/09/07 Package: owl-etc Added /etc/owl-release (with "Owl-current post-3.0" in it).
2011/09/07 Package: owl-dev Create /dev/sd* devices for 16 disks, not just 8 like we did before.
2011/07/27 Package: kernel SECURITY FIX Severity: none to high, local, active
Updated to 2.6.18-238.19.1.el5.028stab092.2. Enabled CONFIG_BONDING=m
in both i686 and x86_64 kernels, enabled CONFIG_BLK_CPQ_CISS_DA=m in the
x86_64 kernel (i686 already had it at "=y"). Applied a patch adding
limited support for LSISAS8208ELP (PCI device id 0x0059), which provides
access to individual hard drives. Moved the RLIMIT_NPROC check from
set_user() to execve(2) and adjusted set_user() so that it can't fail.
These changes were desirable to address missing setuid(2) return value
check vulnerabilities in user-space programs.
References:
2011/07/25 Package: rpm SECURITY FIX Severity: none to high, local, passive
Added a patch to remove unsafe file permissions (chmod'ing files to 0) on
package removal or upgrade to prevent continued access to such files via
hard-links possibly created by a user.
References:
2011/06/21 - 2011/07/17 Packages: glibc, pam, shadow-utils, tcb SECURITY FIX Severity: high, remote, active
crypt_blowfish has been updated to version 1.1 (and then to 1.2), which
fixes the 8-bit character handling bug and adds 8-bit test vectors and a
quick self-test on every password hash computation. The impact of this
bug was that most (but not all) passwords containing non-ASCII
characters with the 8th bit set were hashed incorrectly, resulting in
password hashes incompatible with those of OpenBSD's original
implementation of bcrypt. What's worse, in some cases (but not in all)
one, two, or three characters immediately preceding the 8-bit characters
were ignored by the password hash computation. Thus, many passwords
containing characters with the 8th bit set were significantly easier to
crack than it was previously expected. This primarily applies to
offline attacks against the password hashes (if the hashes are leaked or
stolen), but in rare extreme cases it might also apply to remote
password guessing attacks. In practice, passwords with non-ASCII
characters are relatively uncommon and are typically more complicated
than average, so they're unlikely to be an attractive target for
attacks, despite the weakness that this bug exposes them to. Yet the
risk is there. With this glibc update, existing users' passwords
containing characters with the 8th bit set will mostly stop working,
because the hashes will be computed correctly and not match the
incorrectly computed hashes recorded in the system. In order to allow
users to log in after the upgrade even if they have a potentially
affected password, the newly introduced backwards compatibility hash
encoding prefix of "$2x$" may be used. Such password hashes should only
be used during a transition period; when passwords are changed and
hashed using the correct algorithm, another newly introduced "$2y$"
prefix is used. After installation of this glibc update, login services
such as sshd(8) should be restarted ("service sshd restart" and so on)
in order for users' newly changed passwords (with the "$2y$" prefix on
the hash encodings) to be recognized.
References:
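To make the failure mode concrete, here is an added Python emulation (my own example, not crypt_blowfish's code) of the one step where the bug lived. bcrypt's key setup packs the password, cycled together with its terminating NUL, into 18 32-bit words; crypt_blowfish 1.0 OR'ed each byte in through a signed char, so a byte with the 8th bit set sign-extended to 0xFFFFFFxx and overwrote the one to three bytes already packed into that word, which is the "preceding characters ignored" effect described above. The prefix-to-behaviour mapping follows this entry and the 2014/07/07 glibc note on "$2b$"; the function names are mine.

```python
import struct

BF_N = 16                 # Blowfish rounds; the P-array holds BF_N + 2 = 18 words
WORD_MASK = 0xFFFFFFFF


def expand_key_words(key: bytes, buggy: bool = False) -> list:
    """The 18 32-bit words that bcrypt's key setup XORs into the P-array.

    The key bytes are cycled including the terminating NUL, as in
    crypt_blowfish's BF_set_key(). With buggy=True each byte is taken through
    a signed char (the pre-1.1 behaviour that "$2x$" reproduces), so bytes
    0x80..0xFF become 0xFFFFFF80..0xFFFFFFFF and clobber the bytes already
    shifted into the current word.
    """
    if b"\0" in key:
        raise ValueError("a C string cannot contain NUL")
    data = key + b"\0"
    pos = 0
    words = []
    for _ in range(BF_N + 2):
        tmp = 0
        for _ in range(4):
            c = data[pos]
            if buggy:
                # (signed char) -> int -> unsigned 32-bit: the sign extension
                c = struct.unpack("b", data[pos:pos + 1])[0] & WORD_MASK
            tmp = ((tmp << 8) | c) & WORD_MASK
            pos = 0 if data[pos] == 0 else pos + 1   # wrap around after the NUL
        words.append(tmp)
    return words


def affected_by_bug(key: bytes) -> bool:
    """True when the buggy and correct expansions differ for this password,
    i.e. when a pre-1.1 hash of it was computed incorrectly."""
    return expand_key_words(key, True) != expand_key_words(key, False)


def key_setup_mode(setting: str) -> str:
    """Pick the key-setup behaviour from the hash/setting prefix.

    "$2x$" asks for the buggy computation (transition-period compatibility);
    "$2y$" (crypt_blowfish 1.1+) and "$2b$" (OpenBSD 5.5+, added to Owl's glibc
    on 2014/07/07) ask for the correct one. "$2a$" is treated as correct here
    too; crypt_blowfish's own extra handling of $2a$ is outside this example.
    """
    if setting.startswith("$2x$"):
        return "buggy"
    if setting.startswith(("$2y$", "$2b$", "$2a$")):
        return "correct"
    raise ValueError("not a bcrypt setting string")


if __name__ == "__main__":
    for pw in (b"abc", b"ab\xff", b"\xffabc"):
        good, bad = expand_key_words(pw), expand_key_words(pw, buggy=True)
        print(pw, "word0 correct=%08x buggy=%08x affected=%s"
              % (good[0], bad[0], affected_by_bug(pw)))
```

For the password "ab\xff" the correct first word is 0x6162ff00 while the buggy one is 0xffffff00: "a" and "b" contribute nothing, so the hash depends only on the 8-bit byte, which is why such passwords became much easier to crack. An 8-bit byte that lands in the first position of a word has nothing to overwrite, which is the "in some cases (but not in all)" qualification in the text.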
2011/06/22 Package: john
In an effort sponsored by Rapid7, the bitslice DES S-box expressions
have been replaced with those generated by Roman Rusakov specifically
for John the Ripper. The corresponding assembly code for x86 with MMX,
SSE2, and for x86-64 with SSE2 has been re-generated. Support for
bcrypt hashes of passwords containing characters with the 8th bit set
has been corrected. (The old buggy behavior may be enabled per-hash,
using the "$2x$" prefix.) The external mode virtual machine's
performance has been improved. This update of John the Ripper has also
been released separately from Owl as version 1.7.8.
References:
2011/06/09 Package: lilo Updated to 23.2.
2011/05/03 Package: kernel SECURITY FIX Severity: none to low, local, active
Updated to 2.6.18-238.9.1.el5.028stab089.1. This fixes obscure security
issues: kernel panic by unprivileged user via NFSv4 (CVE-2011-1090) and
NULL pointer dereference in GRO code (CVE-2011-1478). It fixes
non-security issues with page tables accounting, AMD Bulldozer boot
process, OOM killer, and CPU stats bugs. It also introduces numerous
features.
References:
2011/05/03 Package: rpm
Fixed a regression in %patch introduced in the previous release. Thanks
to Chris Bopp for reporting the bug.
Reference:
2011/05/03 Package: iproute2 Updated to 2.6.38.
2011/05/03 Package: iputils Updated to s20101006.
2011/04/27 Package: john
Made numerous enhancements to John the Ripper, resulting in its 1.7.7
release, which is also part of Owl (as usual).
Reference:
2011/04/02 Package: kernel
Updated to 2.6.18-238.5.1.el5.028stab085.3, which is now marked as
"RHEL5 stable". This fixes a kernel Oops caused by nfsd. Also fixed
an Owl-specific x86_64 gettimeofday(2) VDSO issue, which manifested
itself in some 64-bit programs inside containers with some Linux
distributions (not Owl) crashing with SIGSEGV. The issue was new with
-238 kernels (thus, it was not present in Owl 3.0, nor in 3.0-stable).
References:
2011/03/21 Package: kernel SECURITY FIX Severity: none to medium, local, active
Backported fixes for information leaks in Netfilter modules: arp_tables
(CVE-2011-1170), ip_tables (CVE-2011-1171), ip6_tables (CVE-2011-1172),
and ipt_CLUSTERIP. One must have CAP_NET_ADMIN to exploit these issues
(e.g. in-container root may trigger the leak). The default Owl
installation is vulnerable to the infoleak in ip_tables only as we don't
ship other Netfilter modules nor have IPv6 enabled.
References:
2011/03/17 Package: nmap Updated to 5.51.
2011/03/15 Package: strace Updated to 4.6.
2011/03/14 Package: iptables Changed the default for IPTABLES_STATUS_ARGS to "-nv". Most importantly, this disables the (risky and slow) reverse DNS lookups with "service iptables status".
2011/03/12 Package: kernel SECURITY FIX Severity: low, local/remote, active
Updated the kernel to OpenVZ's latest from their "RHEL5 testing" branch
(238.5.1.el5.028stab085.2) fixing a rare kernel panic with sysfs
virtualization, a potential livelock in dirty pages balancing, and a bug
in CFQ. The new RHEL5 kernel revision that this OpenVZ kernel is based
on fixes a flaw in the garbage collector for AF_UNIX sockets
(CVE-2010-4249, local DoS) and a flaw in handling of received packets
exceeding the buffer limit (CVE-2010-4251, remote DoS). (It also
includes a fix for CVE-2010-4655, but it was already included in our
2011/01/28 update.) Fixed an Owl-current specific bug in checksum
calculation of fragmented ICMP echo request datagrams (reported by Piotr
Meyer). Disabled the eepro100 driver in favor of e100.
References:
2011/03/02 Package: vsftpd SECURITY FIX Severity: none to low, remote, active
Updated to 2.3.4. This release corrects a DoS vulnerability discovered by
Maksymilian Arciemowicz where an attacker permitted to log in to an FTP server
would be able to cause the vsftpd child process(es) spawned for their
session(s) to consume excessive amounts of CPU time. If the attack is carried
out on a sufficient number of FTP sessions (possibly from multiple source IP
addresses to exceed a possible per-source limit), the FTP service would become
unavailable and other services of the system would be greatly impacted.
References:
2011/02/24 Packages: openssl, openssh Updated OpenSSL to 1.0.0d.
2011/02/18 Package: patchutils Updated to 0.3.2.
2011/02/10 Package: kernel
Updated the kernel to OpenVZ's latest from their "RHEL5 testing" branch
(238.1.1.el5.028stab084.3), which includes updated fix for the x86_64
VDSO bug (the fix in 028stab084.1 was incomplete) and fix for optimized
kmem accounting bug. Enabled Ethernet bridge support, PPP_MPPE, and ULOG
netfilter target. For more info, see the changelog for the kernel
package.
References:
2011/02/09 Package: patch SECURITY FIX Severity: high, indirect, passive
Backported a fix for CVE-2010-4651. The patch utility allowed ".." in
pathnames, and it also allowed absolute pathnames, either of which could
allow an attacker to create or modify arbitrary files outside of the
intended directory tree using a specially-crafted patch file. Our
partial fix of 2011/02/02 did not address the absolute pathname case.
References:
2011/02/05 Packages: usb_modeswitch, usb_modeswitch-data New packages: usb_modeswitch is a mode switching tool for controlling "flip flop" (multiple device) USB gear. usb_modeswitch-data contains the data files for usb_modeswitch.
2011/02/05 Package: libusb-compat New package: libusb-compat is a compatibility layer allowing applications written for libusb-0.1 to work with libusb-1.0. It is needed for usb_modeswitch.
2011/02/05 Package: kernel
Updated to upstream's "fixed fix for paging accounting". The incomplete
fix introduced with our 2011/02/04 update could have caused trouble with
32-bit x86 kernels.
Reference:
2011/02/05 Package: shadow-utils Added USERNAME_RELAXED and GROUPNAME_RELAXED options to /etc/login.defs, which, if changed to "yes", will allow capital letters to be used in new usernames and/or group names, respectively.
2011/02/04 Package: kernel
Updated the kernel to OpenVZ's latest from their "RHEL5 testing" branch
(238.1.1.el5.028stab084.1), which includes updated atl1 driver (Attansic
L1 Gigabit Ethernet). Enabled VDSO on x86_64 (the actual bug was
believed to be fixed in 028stab084.1). Applied upstream's initial "fix
for non-4levels page tables acct" (the bug was introduced in 084.1, so
we did not have it before).
References:
2011/02/02 Package: patch Backported a partial fix for CVE-2010-4651. Since the fix turned out to be incomplete, this change is not actually fixing CVE-2010-4651 yet.
2011/01/31 - 2011/02/01 Packages: kernel, iputils, owl-etc, owl-startup
Added support for non-raw ICMP sockets to the kernel and made use of
said support in ping(1).
References:
2011/01/30 Package: vconfig New package: vconfig is a user mode program to add and remove 802.1q VLAN virtual devices from Ethernet devices.
2011/01/29 Package: kernel
Dealt with two known critical x86_64 specific bugs introduced in
2.6.18-238.1.1.el5.028stab083.1, applying a fix for one of them (bootup
on systems with more than 8 logical CPUs) and working around the other
(VDSO, which is now temporarily disabled on x86_64, to be re-enabled
with the next kernel update).
Reference:
2011/01/29 Package: nmap Updated to 5.50.
2011/01/28 Package: usbutils New package: usbutils contains the lsusb utility for inspecting the devices connected to the USB bus.
2011/01/28 Package: libusb1 New package: libusb is a library providing access to USB devices.
2011/01/28 Package: kernel SECURITY FIX Severity: none to medium, local, active
Updated to OpenVZ's 2.6.18-238.1.1.el5.028stab083.1. Fixed a potential
information leak in net/core/ethtool.c: ethtool_get_regs() - this was
the portion of CVE-2010-4655 relevant to RHEL5 kernels. According to
our analysis, this issue did not affect installs with default OpenVZ
container settings, but it could affect systems where a network device
was passed into an OpenVZ container by an administrator. Made numerous
kernel configuration changes (enabled extra drivers, moved some to
modules), documented the changes (and the rationale behind them) in the
change log for the kernel package. (The important and relevant ones of
the security fixes described in the Red Hat security advisories
referenced below were already included in our previous kernel revision
(in Owl 3.0) with our own backports from a "testing" Red Hat kernel.)
References:
2011/01/27 Package: bridge-utils New package: bridge-utils is a tool for configuring the Linux Ethernet bridge.
2011/01/27 Package: pv New package: PV ("Pipe Viewer") is a tool for monitoring the progress of data through a pipeline.
2011/01/27 Package: ethtool New package: ethtool is an utility for controlling network drivers and hardware, particularly for wired Ethernet devices.
2011/01/25 Package: e2fsprogs Updated to 1.41.14.
2011/01/24 Package: owl-startup Added "-s 131072" to the dmesg invocation in rc.sysinit. Without this change, /var/run/dmesg.boot was often incomplete.
2011/01/24 Package: lilo Updated to 23.1.
2011/01/24 Package: vim Moved a few syntax highlighting related files from the vim-syntax to the vim-enhanced subpackage to correct a packaging error where some files in vim-enhanced were dependent upon files from vim-syntax, which is not installed by default.

$Owl: Owl/doc/CHANGES-3.1,v 1.132 2018/05/23 19:23:53 solar Exp $