Message-ID: <20130411120747.GA917@openwall.com>
Date: Thu, 11 Apr 2013 16:07:47 +0400
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com, owl-users@...ts.openwall.com
Subject: [openwall-announce] Owl-current and 3.0-stable 2013/04/08 snapshot

Hi,

A few days ago, we released new snapshots of Owl-current and Owl
3.0-stable, as usual including ISO images, OpenVZ container templates,
binary packages for i686 and x86_64, and full sources:

http://www.openwall.com/Owl/

The Linux kernel has been rebased on the latest from OpenVZ's
RHEL5-based branch (RHEL 5.9-based currently), thereby fixing a number
of vulnerabilities including the PTRACE_SETREGS vs. process death race
condition (CVE-2013-0871), which could allow for a local root compromise
and OpenVZ container escape.  (However, the risk probability might have
been low due to the race being difficult to win.)

GnuPG has been updated to 1.4.13, which fixes a memory corruption bug
(CVE-2012-6085).  The bug allowed an attacker to crash gpg(1) and
corrupt the public keyring database file.  Arbitrary code execution was
not possible because the attacker cannot control the corrupted data.
The corrupted data is stored in the keyring file, so the DoS effect is
persistent, but the keyring can be manually restored by recovering from
the pubring.gpg~ backup file (which is created by gpg(1) itself).

In Owl 3.0-stable, both of the above changes have been merged (although
the kernel has fewer features enabled than Owl-current's), and
additionally the earlier xinetd security update from Owl-current and
some glibc bugfixes have been merged.  Owl 3.0-stable's kernel is now
compressed with Zopfli (pigz -11) instead of gzip -9.

More detail is available in the change logs:

http://www.openwall.com/Owl/CHANGES-current.shtml
http://www.openwall.com/Owl/CHANGES-3.0-stable.shtml

There's one known regression in Owl-current as compared to 3.0-stable:
the strace program fails to work against 32-bit x86 program binaries.
Indeed, we're going to correct this.

This Owl-current update is a lot more conservative than what we've been
planning to have by this date.  Frankly, progress has been slow.  We did
prepare an experimental update of Owl to RHEL6'ish kernels, and it was
in fact committed, but in light of severe security issues discovered in
the Linux kernel we chose to temporarily revert the major update and to
provide the security fixes on top of a more stable system first.

Alexander
