Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 4 May 2013 13:11:10 +0200
From: Zenny <>
Subject: Re: Owl-current and 3.0-stable 2013/04/08 snapshot

It is nice to learn about the update, but what makes me wonder is the
upstream for RHEL4 is alreade EoL (end of life) about a year ago (2012
Feb as far as I remember).

It would be nice if Owl get upgraded to be compatible with the
packages for RHEL6/CentOS6 which has an end of life for 10 years? If
not at least, RHEL5/CentOS5 which alos has EoL for a decade.

Actually I encountered a lot of backward  incompatibility when I try
to use some applications.


On 4/11/13, Solar Designer <> wrote:
> Hi,
> A few days ago, we've released new snapshots of Owl-current and Owl
> 3.0-stable, as usual including ISO images, OpenVZ container templates,
> binary packages for i686 and x86_64, and full sources:
> The Linux kernel has been rebased on the latest from OpenVZ's
> RHEL5-based branch (RHEL 5.9-based currently), thereby fixing a number
> of vulnerabilities including the PTRACE_SETREGS vs. process death race
> condition (CVE-2013-0871), which could allow for a local root compromise
> and OpenVZ container escape.  (However, the risk probability might have
> been low due to the race being difficult to win.)
> GnuPG has been updated to 1.4.13, which fixes a memory corruption bug
> (CVE-2012-6085).  The bug allowed an attacker to crash gpg(1) and
> corrupt the public keyring database file.  Arbitrary code execution was
> not possible because the attacker cannot control the corrupted data.
> The corrupted data is stored in the keyring file, so the DoS effect is
> persistent, but the keyring can be manually restored by recovering from
> the pubring.gpg~ backup file (which is created by gpg(1) itself).
> In Owl 3.0-stable, both of the above changes have been merged (although
> the kernel has fewer features enabled than Owl-current's), and
> additionally the earlier xinetd security update from Owl-current and
> some glibc bugfixes have been merged.  Owl 3.0-stable's kernel is now
> compressed with Zopfli (pigz -11) instead of gzip -9.
> More detail is available in the change logs:
> There's one known regression in Owl-current as compared to 3.0-stable:
> the strace program fails to work against 32-bit x86 program binaries.
> Indeed, we're going to correct this.
> This Owl-current update is a lot more conservative than what we've been
> planning to have by this date.  Frankly, progress has been slow.  We did
> prepare an experimental update of Owl to RHEL6'ish kernels, and it was
> in fact committed, but in light of severe security issues discovered in
> the Linux kernel we chose to temporarily revert the major update and to
> provide the security fixes on top of a more stable system first.
> Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.