This file lists all changes made between Owl 3.0 and its corresponding stable branch. Please note that the release itself remains fixed; it's only the stable branch which has these changes.

The dates shown in braces indicate when an equivalent change went into Owl-current, where applicable.

Security fixes have a "Severity" specified for the issue(s) being fixed. The three comma-separated metrics given after "Severity:" are: risk impact (low, medium, or high), attack vector (local, remote, or indirect), and whether the attack may be carried out at will (active) or not (passive). Please note that the specified risk impact is just that, it is not the overall severity, so other metrics are not factored into it. For example, a "high" impact "local, passive" issue is generally of lower overall severity than a "high" impact "remote, active" one - this is left up to our users to consider given their specific circumstances.

Per our current conventions, a Denial of Service (DoS) vulnerability is generally considered to have a "low" risk impact (even if it is a "remote, active" one, which is to be considered separately as it may make the vulnerability fairly critical under specific circumstances). Some examples of "medium" impact vulnerabilities would be persistent DoS (where the DoS effect does not go away with a (sub)system restart), data loss, bugs enabling non-critical information leaks, cryptographic signature forgeries, and/or sending of or accepting spoofed/forged network traffic (where such behavior was unexpected), as long as they would not directly allow for a "high" impact attack. Finally, a typical "high" impact vulnerability would allow for privilege escalation such as ability to execute code as another user ID than the attacker's (a "local" attack) or without "legitimately" having such an ability (a "remote" attack).

The metrics specified are generally those for a worst case scenario; however, in certain cases ranges such as "none to low" and/or "local to remote" may be specified, referring to the defaults vs. a worst case yet "legitimate" custom configuration. In some complicated cases, multiple issues or attacks may be dealt with at once. When those differ in their severity metrics, we use slashes to denote the possible combinations. For example, "low/none to high, remote/local" means that we've dealt with issue(s) or attack(s) that are "low, remote" and those that are "none to high, local". In those tricky cases, we generally try to clarify the specific issue(s) and their severities in the description.
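The convention above is compact but easy to misread, especially the slash notation, which pairs alternatives up position by position across the three fields. The following parser, added here as an illustration and not part of Owl's own tooling, expands a "Severity:" line into its explicit (impact, vector, mode) combinations and reports the worst-case impact. The ascending order of the vocabularies (including where "indirect" sits among the attack vectors) is an assumption made for ranking; the page itself only orders the risk impact levels.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Vocabulary from the "Severity:" convention, listed in ascending order.
# The position of "indirect" between "local" and "remote" is an assumption.
IMPACT_LEVELS = ["none", "low", "medium", "high"]
ATTACK_VECTORS = ["local", "indirect", "remote"]
ATTACK_MODES = ["active", "passive"]


@dataclass(frozen=True)
class Severity:
    """One (impact, vector, mode) combination; bounds are equal for a single value."""
    impact: Tuple[str, str]
    vector: Tuple[str, str]
    mode: str


def _parse_range(text: str, vocabulary: List[str]) -> Tuple[str, str]:
    """Parse 'x' or 'x to y' against a vocabulary, returning (lower, upper)."""
    parts = [p.strip() for p in text.split(" to ")]
    if not 1 <= len(parts) <= 2 or any(p not in vocabulary for p in parts):
        raise ValueError(f"unrecognized value: {text!r}")
    lower, upper = parts[0], parts[-1]
    if vocabulary.index(lower) > vocabulary.index(upper):
        raise ValueError(f"range is not ascending: {text!r}")
    return lower, upper


def parse_severity(line: str) -> List[Severity]:
    """Expand a 'Severity: impact, vector, mode' line into its combinations.

    Slash-separated alternatives pair up position by position across the
    three fields; a field without a slash applies to every combination.
    """
    match = re.search(r"Severity:\s*(.+?)\s*$", line)
    if match is None:
        raise ValueError(f"no Severity: field in {line!r}")
    fields = [f.strip() for f in match.group(1).split(",")]
    if len(fields) != 3:
        raise ValueError(f"expected impact, vector, mode; got {fields!r}")
    alternatives = [[a.strip() for a in f.split("/")] for f in fields]
    width = max(len(a) for a in alternatives)
    if any(len(a) not in (1, width) for a in alternatives):
        raise ValueError(f"mismatched slash alternatives in {line!r}")

    def pick(alts: List[str], i: int) -> str:
        return alts[i] if len(alts) > 1 else alts[0]

    combos = []
    for i in range(width):
        mode = pick(alternatives[2], i)
        if mode not in ATTACK_MODES:
            raise ValueError(f"unrecognized mode: {mode!r}")
        combos.append(Severity(
            impact=_parse_range(pick(alternatives[0], i), IMPACT_LEVELS),
            vector=_parse_range(pick(alternatives[1], i), ATTACK_VECTORS),
            mode=mode,
        ))
    return combos


def worst_impact(combos: List[Severity]) -> str:
    """Highest upper-bound impact across the combinations (worst case only)."""
    return max((c.impact[1] for c in combos), key=IMPACT_LEVELS.index)


if __name__ == "__main__":
    # Severity lines taken from entries in this change log.
    for entry in ("SECURITY FIX\tSeverity: high, local/indirect, active/passive",
                  "SECURITY FIX\tSeverity: low/low to high, remote/local, active",
                  "SECURITY FIX\tSeverity: none to medium/low, local/remote, active"):
        combos = parse_severity(entry)
        print(entry.split("\t")[1], "->", worst_impact(combos), combos)
```

Note that worst_impact() deliberately looks at the risk impact alone, as the text above says the impact metric is not the overall severity; the attack vector and mode remain in each Severity record for the reader to weigh for their own circumstances.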

Changes made between Owl 3.0 and Owl 3.0-stable.

(2013/03/19 - 2013/04/07)
2013/04/08	Package: kernel
SECURITY FIX	Severity: high, local/indirect, active/passive

Updated to 2.6.18-348.3.1.el5.028stab106.2. The corresponding RHEL5 kernel updates fix a number of vulnerabilities; the CVE IDs of the relevant ones are referenced below. Most importantly, this fixes a PTRACE_SETREGS vs. process death race condition (CVE-2013-0871), which could allow a non-privileged local user to execute arbitrary code in the kernel and thus escalate their privileges to root, escape from an OpenVZ container, etc. (However, the risk probability might have been low due to the race being difficult to win.) References:

2013/04/07	Package: kernel

Use "pigz -11" (Zopfli) to compress the kernel. On x86_64 changed CONFIG_ATL1 from =m back to =y.

2013/02/23	Package: glibc

Backported a fix for a TLS handling bug that manifested itself as an assertion failure on startup of some third-party program binaries, as reproduced with Mozilla's build of Firefox 17.0.1:

2013/02/23	Package: xinetd
SECURITY FIX	Severity: none to medium, remote, active

Updated to 2.3.15, which corrects an access control bypass vulnerability in the normally disabled tcpmux service. References:

2013/02/23	Package: glibc

Corrected the processing of '\x80' characters in extended DES-based crypt(3) hashes. A related issue affecting traditional DES-based crypt(3) hashes is known as CVE-2012-2143 in other projects using the same FreeSec code, but luckily in Owl we've been using this code only for the extended hashes (continuing to use upstream glibc's UFC-crypt for traditional ones), and these were only affected in terms of compatibility (with BSD/OS and certain other implementations), but not security. Hence, this is not a security fix.

2013/02/23	Package: gnupg
SECURITY FIX	Severity: medium, indirect, passive

Updated to 1.4.13. This version fixes a memory corruption bug (CVE-2012-6085). The bug allowed an attacker to crash gpg(1) and corrupt the public keyring database file. Arbitrary code execution was not possible because the attacker cannot control the corrupted data. The corrupted data is stored in the keyring file, so the DoS effect is persistent, but the keyring can be manually restored by recovering from the pubring.gpg~ backup file (which is created by gpg(1) itself). References:

(2012/02/25 - 2013/02/22)
2013/02/22	Package: kernel
SECURITY FIX	Severity: low/low to high, remote/local, active

Updated to 2.6.18-308.20.1.el5.028stab104.3. Enabled CONFIG_NFSD=m (NFS server support) and CONFIG_EFI_PARTITION=y (GUID Partition Table (GPT) support), on x86_64 changed CONFIG_ATL1 from =y to =m (requiring that the Attansic L1 Gigabit Ethernet driver be loaded manually if needed) because of the kernel size constraint that we have in Owl 3.0-stable. Introduced the previously missed RLIMIT_NPROC check into fs/compat.c: compat_do_execve() (used by 32-bit program binaries on 64-bit kernel). Introduced protection against unintended self-read by a SUID/SGID program of /proc/<pid>/mem and /proc/<pid>/*maps files, based on approaches taken in grsecurity patches. The corresponding RHEL5 kernel updates fix an IGMP remote DoS over LAN (CVE-2012-0207), local DoS flaws in the epoll subsystem (CVE-2011-1083, CVE-2012-3375), ext4 filesystem local DoS flaws (CVE-2011-3638, CVE-2011-4086, CVE-2012-2100), and a flaw in handling of robust list pointers of user-space held futexes across execve(2) calls (CVE-2012-0028), which could be used for privilege escalation via a SUID/SGID program that is multi-threaded or/and has a memory-mapped device, file, or shared memory segment (Owl does not include such SUID/SGID programs). Other security flaws reported as fixed in the release notes referenced below do not affect Owl's builds of the kernel. References:

(2011/08/23 - 2012/02/09)
2012/02/09	Package: john

John the Ripper has been enhanced in numerous ways, bringing it up to version Some of the enhancements require a newer version of GCC than what we have in Owl 3.0-stable, hence they have been disabled for the Owl 3.0-stable build (but are enabled in Owl-current). Reference:

2012/01/25	Package: kernel
SECURITY FIX	Severity: low to high, local, active

Updated to 2.6.18-274.17.1.el5.028stab097.1. Of the security issues mentioned in the Red Hat advisory referenced below, 5 are relevant to Owl's build of the kernel. Their relevance to and impact on specific Owl installs varies. Specifically, access to some /proc/<pid>/* special files was not revoked on invocation of a SUID/SGID program, which allowed for an ASLR bypass (easier exploitation of certain kinds of other security flaws if present) as well as for an additional and unintended way to interact with the program (e.g. causing it to fail with a file lock held). Since Owl does not have any SUID binaries by default (only having some SGIDs), the impact of this flaw on default installs of Owl was greatly reduced. The remaining 4 flaws fixed with this update are either reliably known or currently understood to be limited to local denial of service (DoS), one of them requires that a specially-crafted corrupted ext3 or ext4 filesystem be mounted, and two are in the NFS client and thus require an NFS mount to be present and accessible to a local attacker. Please refer to the CVE IDs and other references below for more detail. References:

2012/01/25	Package: kernel
SECURITY FIX	Severity: medium, local, passive

Updated to 2.6.18-274.12.1.el5.028stab096.1, enabled build of the VIA Rhine NIC driver (as a module). Although the corresponding RHEL update fixed multiple vulnerabilities, only the taskstats io infoleak (CVE-2011-2494) is relevant to Owl kernel builds. References:

2012/01/25	Package: kernel
SECURITY FIX	Severity: low to medium, local/remote, active

Updated to -274.7.1.el5.028stab095.1, which contains fixes for multiple local and remote DoS vulnerabilities, including via triggering an ext4 filesystem implementation bug with writes into the last block of a file in certain special circumstances, the mremap(2) syscall, receiving of a specially crafted packet when GRO is enabled, receiving of a specially crafted packet on a bridge device, and via the clock_gettime(2) syscall. This kernel revision also improves the randomness of IPv4 sequence numbers by moving from a 24-bit random component generated using MD4 plus a timer-based component to full 32-bit numbers generated using MD5. Owl is not affected by the rest of the vulnerabilities reported in the referenced Red Hat advisory as we don't build the corresponding components. Also included with this update is an OpenVZ fix of "loosing socket permissions in /dev with udev+tmpfs during CT restore (live migration)", which may be relevant to certain non-Owl OpenVZ containers being live-migrated on Owl host systems. Finally, we've changed the default for CONFIG_PCNET32 from =m to =y for ease of use under VMware, which emulates a NIC of this type by default. References:

2012/01/25	Package: hardlink

Fixed a bug in a code path triggered on error.

2012/01/25	Package: owl-startup

Added VLAN support (patch by Piotr Meyer).

2011/10/26	Package: tzdata

Updated to 2011m.

2011/10/24	Package: pam
SECURITY FIX	Severity: none to high, local, active

Applied upstream fixes for two vulnerabilities in pam_env. This module is not in use on default installs of Owl, and it never was, hence there was no impact for default installs. References:

(2011/10/09 - 2011/10/15)
2011/10/24	Packages: tzdata, glibc; Owl/build/installorder.conf

Moved timezone data files from glibc to new package tzdata, updated it to version 2011l.

2011/10/24	Package: hardlink

New package: a program to consolidate duplicate files via hardlinks.

2011/10/24	Package: rpm
SECURITY FIX	Severity: high, indirect, passive

Applied a fix for a crash and potential arbitrary code execution when processing a malformed/malicious package file. Although an RPM package can, by design, execute arbitrary code when installed or even during installation, this issue would potentially allow a specially-crafted RPM package to execute arbitrary code when the package metadata is merely queried, including for digital signature verification. Note that for Owl RPM packages we do not rely on RPM's support for signatures; instead, we sign *.mtree files. Please continue to verify the detached GnuPG signatures that we provide for such files with gpg(1), and then verify RPM package files against the message digests found in *.mtree files with mtree(8) (both of these tools are part of Owl). This kind of verification was unaffected by this RPM issue. Please note that use of RPM on untrusted package files, even if just to verify a signature, remains risky despite this recent fix: the RPM package format and its processing are complicated, so further issues of this kind are likely. References:

2011/10/24	Package: SysVinit

Applied a patch to set the shell name to /bin/bash, not /bin/sh, such that colored ls output is enabled on our LiveCD.

2011/10/24	Packages: kernel, vzctl
SECURITY FIX	Severity: low, local, active

Updated the kernel to 2.6.18-274.3.1.el5.028stab094.3 (OpenVZ's latest stable from their RHEL 5 based branch, now rebased on RHEL 5.7's). Restricted permissions on /proc/slabinfo as a security hardening measure. Moved some OpenVZ features to modules like it is done in OpenVZ's official kernel builds. Changed CONFIG_UDF_FS=y to =m. Changed CONFIG_BLK_DEV_CRYPTOLOOP and most CONFIG_CRYPTO_* from =y to =m. On x86_64, changed CONFIG_PCNET32 and CONFIG_FORCEDETH (these are some of the 100 Mbps NIC drivers) from =y to =m. Of the 100 Mbps NIC drivers, we're leaving only those for Intel, Realtek, and NE2000-compatible PCI NICs built into the kernel on x86_64 now. Set CONFIG_SCSI_AIC94XX=y and CONFIG_BLK_CPQ_CISS_DA=y (the latter was already =y on i686, now it is =y on x86_64 as well). Although we reference two Red Hat security advisories below, none of the issues listed in those advisories that are worse than local DoS affect our previous kernel builds, either because we do not build the affected components, or, in the case of CVE-2011-2495, because we already had the permissions on /proc/PID/io restricted before the Owl 3.0 release. References:

2011/09/09	Owl/build/{install*.sh,installorder.conf}

Support for optional package tags has been added to installorder.conf and made use of in install*.sh scripts. Currently supported are: "D:" - CD only; "d:" - exclude from CD; "E:" - exclude from CD and OpenVZ container templates; "H:" - host only (exclude from OpenVZ container templates).
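The four tags above define which install targets a package belongs to. The selection logic below is an added illustration, not the code of Owl's install*.sh scripts; it assumes that installorder.conf lists one package per line, in install order, with an optional leading tag and "#" comments, and the package names in the sample (other than glibc) are hypothetical.

```python
from typing import List, Tuple

# The three kinds of install this tagging scheme distinguishes.
TARGETS = ("cd", "container", "host")

# Which targets each tag admits; an untagged package goes to all of them.
TAG_TARGETS = {
    "D:": {"cd"},                 # CD only
    "d:": {"container", "host"},  # exclude from CD
    "E:": {"host"},               # exclude from CD and OpenVZ container templates
    "H:": {"cd", "host"},         # host only (exclude from container templates)
}


def parse_installorder(text: str) -> List[Tuple[str, str]]:
    """Return (tag, package) pairs in file order; tag is '' when absent.

    Assumed syntax: one package per line, optional leading tag, '#' comments.
    Unknown tags are rejected rather than silently installed everywhere.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line[:2] in TAG_TARGETS:
            tag, name = line[:2], line[2:].strip()
        else:
            tag, name = "", line
        if not name or ":" in name:
            raise ValueError(f"malformed installorder line: {raw!r}")
        entries.append((tag, name))
    return entries


def select_packages(text: str, target: str) -> List[str]:
    """Packages to install for one target, preserving the file's install order."""
    if target not in TARGETS:
        raise ValueError(f"unknown target {target!r}; expected one of {TARGETS}")
    return [name for tag, name in parse_installorder(text)
            if not tag or target in TAG_TARGETS[tag]]


# Constructed sample; package names other than glibc are hypothetical.
SAMPLE_INSTALLORDER = """\
# constructed sample installorder.conf
glibc
D:livecd-tools-hyp     # CD only
d:kernel-headers-hyp   # not on the CD
E:vzctl-hyp            # host installs only
H:kernel-hyp           # not in container templates
"""

if __name__ == "__main__":
    for target in TARGETS:
        print(target, "->", select_packages(SAMPLE_INSTALLORDER, target))
```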

2011/09/09	Package: owl-etc

Added /etc/owl-release (with "Owl 3.0-stable" in it).

2011/09/09	Package: owl-dev

Create /dev/sd* devices for 16 disks, not just 8 like we did before.

2011/09/09	Package: kernel
SECURITY FIX	Severity: none to high, local, active

Updated to 2.6.18-238.19.1.el5.028stab092.2. Enabled CONFIG_BONDING=m in both i686 and x86_64 kernels, enabled CONFIG_BLK_CPQ_CISS_DA=m in the x86_64 kernel (i686 already had it at "=y"). Applied a patch adding limited support for LSISAS8208ELP (PCI device id 0x0059), which provides access to individual hard drives. Moved the RLIMIT_NPROC check from set_user() to execve(2) and adjusted set_user() so that it can't fail. These changes were desirable to address missing setuid(2) return value check vulnerabilities in user-space programs. References:

(2011/05/03 - 2011/07/25)
2011/09/09	Package: rpm
SECURITY FIX	Severity: none to high, local, passive

Added a patch to remove unsafe file permissions (chmod'ing files to 0) on package removal or upgrade to prevent continued access to such files via hard-links possibly created by a user. With this same update, we've also fixed a non-security regression in %patch. References:

(2011/06/21 - 2011/07/17)
2011/09/09	Packages: glibc, pam, shadow-utils, tcb
SECURITY FIX	Severity: high, remote, active

crypt_blowfish has been updated to version 1.1 (and then to 1.2), which fixes the 8-bit character handling bug and adds 8-bit test vectors and a quick self-test on every password hash computation. The impact of this bug was that most (but not all) passwords containing non-ASCII characters with the 8th bit set were hashed incorrectly, resulting in password hashes incompatible with those of OpenBSD's original implementation of bcrypt. What's worse, in some cases (but not in all) one, two, or three characters immediately preceding the 8-bit characters were ignored by the password hash computation. Thus, many passwords containing characters with the 8th bit set were significantly easier to crack than was previously expected. This primarily applies to offline attacks against the password hashes (if the hashes are leaked or stolen), but in rare extreme cases it might also apply to remote password guessing attacks. In practice, passwords with non-ASCII characters are relatively uncommon and are typically more complicated than average, so they're unlikely to be an attractive target for attacks, despite the weakness that this bug exposes them to. Yet the risk is there. With this glibc update, existing users' passwords containing characters with the 8th bit set will mostly stop working, because the hashes will be computed correctly and not match the incorrectly computed hashes recorded in the system. In order to allow users to log in after the upgrade even if they have a potentially affected password, the newly introduced backwards compatibility hash encoding prefix of "$2x$" may be used. Such password hashes should only be used during a transition period; when passwords are changed and hashed using the correct algorithm, another newly introduced "$2y$" prefix is used.
After installation of this glibc update, login services such as sshd(8) should be restarted ("service sshd restart" and so on) in order for users' newly changed passwords (with the "$2y$" prefix on the hash encodings) to be recognized. References:
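The following reconstruction shows why preceding characters could be dropped. It is an added illustration, not crypt_blowfish's own code, and it models only one step of bcrypt's key setup: packing the NUL-terminated password, cycled, into the 18 32-bit words of the Blowfish P-array. The modelling assumption is that the pre-1.1 code OR-ed each byte into the word as a signed C char, so a byte with the 8th bit set was sign-extended to 0xFFFFFFxx and overwrote whatever earlier bytes of the same word had contributed; the "$2x$" and "$2y$" mapping follows the entry above.

```python
from typing import List

P_ARRAY_WORDS = 18  # Blowfish P-array size; the key is cycled to fill all of it


def _key_byte(b: int, sign_extend: bool) -> int:
    """Value OR-ed into the word: the byte itself, or its sign-extended form."""
    if sign_extend and b >= 0x80:
        return (b - 0x100) & 0xFFFFFFFF  # 0xE9 becomes 0xFFFFFFE9
    return b


def pack_key_words(password: bytes, sign_extend: bool,
                   n_words: int = P_ARRAY_WORDS) -> List[int]:
    """Pack the NUL-terminated password, cycled, into n_words 32-bit words.

    sign_extend=True reproduces the assumed buggy (pre-1.1) behaviour,
    sign_extend=False the corrected one.
    """
    key = password + b"\x00"  # bcrypt includes the terminating NUL in the key
    words, pos = [], 0
    for _ in range(n_words):
        word = 0
        for _ in range(4):
            # With sign extension the OR sets all high bits, so the earlier
            # bytes of this word no longer affect its value.
            word = ((word << 8) | _key_byte(key[pos], sign_extend)) & 0xFFFFFFFF
            pos = (pos + 1) % len(key)
        words.append(word)
    return words


def ignored_positions(password: bytes) -> List[int]:
    """Password byte offsets that have no effect on the buggy key words.

    Because the key is cycled with different alignments, a byte is only
    lost when every one of its occurrences is overwritten (e.g. when the
    password plus NUL is a multiple of four bytes), which matches the
    "in some cases (but not in all)" wording of the entry above.
    """
    reference = pack_key_words(password, sign_extend=True)
    ignored = []
    for i, b in enumerate(password):
        variant = bytearray(password)
        variant[i] = b ^ 0x01  # change only this byte, keeping its 8th bit as is
        if pack_key_words(bytes(variant), sign_extend=True) == reference:
            ignored.append(i)
    return ignored


def uses_buggy_packing(hash_prefix: str) -> bool:
    """Which packing a hash encoding prefix selects after the glibc update."""
    table = {
        "$2x$": True,   # backwards compatibility with hashes computed by the bug
        "$2y$": False,  # newly changed passwords, hashed correctly
        "$2a$": False,  # also computed correctly after the update
    }
    return table[hash_prefix]


if __name__ == "__main__":
    # Constructed sample passwords: "ab" followed by the byte 0xE9.
    for pw in (b"ab\xe9", b"ab\xe9c", b"abc"):
        print(pw, "buggy word 0: %08x" % pack_key_words(pw, True)[0],
              "correct word 0: %08x" % pack_key_words(pw, False)[0],
              "ignored offsets:", ignored_positions(pw))
```

For b"ab\xe9" the buggy packing yields 0xFFFFE900 for every word, so the "a" and "b" do not influence the hash at all, whereas b"ab\xe9c" cycles with a different alignment and keeps them; pure ASCII passwords pack identically in both modes, which is why only passwords with 8-bit characters were affected.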

(2011/04/27 - 2011/06/22)
2011/09/09	Package: john

Updated to 1.7.8. References:

(2011/01/24 - 2011/06/09)
2011/09/09	Package: lilo

Updated to 23.2.

2011/09/09	Package: iproute2

Updated to 2.6.38.

(2011/01/31 - 2011/05/03)
2011/09/09	Packages: iputils, owl-etc, owl-startup

Updated iputils to s20101006. Made use of our updated kernel's support for non-raw ICMP sockets in ping(1). References:

(2011/01/29 - 2011/03/17)
2011/09/09	Package: nmap

Updated to 5.51.

2011/09/09	Package: strace

Updated to 4.6.

2011/09/09	Package: iptables

Changed the default for IPTABLES_STATUS_ARGS to "-nv". Most importantly, this disables the (risky and slow) reverse DNS lookups with "service iptables status".

2011/09/09	Packages: usb_modeswitch, usb_modeswitch-data

New packages: usb_modeswitch is a mode switching tool for controlling "flip flop" (multiple device) USB gear. usb_modeswitch-data contains the data files for usb_modeswitch.

2011/09/09	Package: libusb-compat

New package: libusb-compat is a compatibility layer allowing applications written for libusb-0.1 to work with libusb-1.0. It is needed for usb_modeswitch.

2011/09/09	Package: shadow-utils

Added USERNAME_RELAXED and GROUPNAME_RELAXED options to /etc/login.defs, which, if changed to "yes", will allow capital letters to be used in new usernames and/or group names, respectively.

2011/09/09	Package: vconfig

New package: vconfig is a user mode program to add and remove 802.1q VLAN virtual devices from Ethernet devices.

2011/09/09	Package: usbutils

New package: usbutils contains the lsusb utility for inspecting the devices connected to the USB bus.

2011/09/09	Package: libusb1

New package: libusb is a library providing access to USB devices.

2011/09/09	Package: bridge-utils

New package: bridge-utils is a tool for configuring the Linux Ethernet bridge.

2011/09/09	Package: pv

New package: PV ("Pipe Viewer") is a tool for monitoring the progress of data through a pipeline.

2011/09/09	Package: ethtool

New package: ethtool is a utility for controlling network drivers and hardware, particularly for wired Ethernet devices.

2011/09/09	Package: e2fsprogs

Updated to 1.41.14.

2011/09/09	Package: owl-startup

Added "-s 131072" to the dmesg invocation in rc.sysinit. Without this change, /var/run/dmesg.boot was often incomplete.

(2011/01/28 - 2011/05/03)
2011/05/03	Package: kernel
SECURITY FIX	Severity: none to medium/low, local/remote, active

Updated to 2.6.18-238.9.1.el5.028stab089.1. This fixes obscure security issues: kernel panic by unprivileged user via NFSv4 (CVE-2011-1090), NULL pointer dereference in GRO code (CVE-2011-1478), a flaw in the garbage collector for AF_UNIX sockets (CVE-2010-4249, local DoS), a flaw in handling of received packets exceeding the buffer limit (CVE-2010-4251, remote DoS) and a potential information leak in net/core/ethtool.c: ethtool_get_regs() - this was the portion of CVE-2010-4655 relevant to RHEL5 kernels. According to our analysis, the latter issue did not affect installs with default OpenVZ container settings, but it could affect systems where a network device was passed into an OpenVZ container by an administrator. (The important and relevant ones of the security fixes described in the Red Hat security advisories referenced below were already included in our previous kernel revision (in Owl 3.0) with our own backports from a "testing" Red Hat kernel.) Updated atl1 driver (Attansic L1 Gigabit Ethernet). Disabled the eepro100 driver in favor of e100, enabled Ethernet bridge support, PPP_MPPE, and ULOG netfilter target. Made numerous kernel configuration changes (enabled extra drivers, moved some to modules), documented the changes (and the rationale behind them) in the change log for the kernel package. References:

2011/03/26	Package: kernel
SECURITY FIX	Severity: none to medium, local, active

Backported fixes for information leaks in Netfilter modules: arp_tables (CVE-2011-1170), ip_tables (CVE-2011-1171), ip6_tables (CVE-2011-1172), and ipt_CLUSTERIP. One must have CAP_NET_ADMIN to exploit these issues (e.g. in-container root may trigger the leak). The default Owl installation is vulnerable to the infoleak in ip_tables only as we don't ship other Netfilter modules nor have IPv6 enabled. References:

2011/03/12	Package: patchutils

Updated to 0.3.2.

2011/03/02	Package: vsftpd
SECURITY FIX	Severity: none to low, remote, active

Updated to 2.3.4. This release corrects a DoS vulnerability discovered by Maksymilian Arciemowicz where an attacker permitted to log in to an FTP server would be able to cause the vsftpd child process(es) spawned for their session(s) to consume excessive amounts of CPU time. If the attack is carried out on a sufficient number of FTP sessions (possibly from multiple source IP addresses to exceed a possible per-source limit), the FTP service would become unavailable and other services of the system would be greatly impacted. References:

2011/03/01	Package: openssl
SECURITY FIX	Severity: none to medium, remote, active

Backported a fix for CVE-2010-4180. An old bug workaround in the OpenSSL SSL/TLS server code allows malicious clients to modify the stored session cache ciphersuite. In some cases the ciphersuite can be downgraded to a weaker one on subsequent connections. Backported a fix for CVE-2009-0590. The function ASN1_STRING_print_ex(), when used to print a BMPString or UniversalString, would crash with an invalid memory access if the encoded length of the string was illegal. The impact of this flaw is limited to a crash of the applications calling the affected OpenSSL function. There are currently no known applications printing untrusted certificates where an application crash would be considered a security issue. References:

2011/03/01	Package: patch
SECURITY FIX	Severity: high, indirect, passive

Backported a fix for CVE-2010-4651. The patch utility allowed ".." in pathnames, and it also allowed absolute pathnames, either of which could allow an attacker to create or modify arbitrary files outside of the intended directory tree using a specially-crafted patch file. References:

2011/03/01	Package: vim

Moved a few syntax highlighting related files from the vim-syntax to the vim-enhanced subpackage to correct a packaging error where some files in vim-enhanced were dependent upon files from vim-syntax, which is not installed by default.

$Owl: Owl/doc/CHANGES-3.0-stable,v 2018/05/23 20:01:28 solar Exp $