Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 24 May 2018 22:21:10 +0200
From: Solar Designer <>
Subject: Owl update


As some of you are aware, our Openwall GNU/*/Linux (Owl) project has
been on hold for a long while now, with its future unclear:

That said, we still happen to maintain it, fixing (only) the most
critical vulnerabilities.  As part of such maintenance, I've generated
and released new Owl-current and Owl 3.1-stable ISOs and OpenVZ
container templates earlier today, and these have already propagated to
some of the mirrors:

Changes since the previous set of ISOs and templates released in August
2016 include very recent security updates to the RHEL5/OpenVZ-based
Linux kernel and a similarly recent switch from procps to procps-ng plus
all 126 patches released by Qualys.  Also included are our earlier
security and other updates that were previously released only in the
form of source code and pre-built packages (not new ISOs & templates
until today).

I'd like to thank Vasily Averin of OpenVZ for his assistance with our
preparation of this Owl kernel update.  Vasily was kind enough to help
us with this even though OpenVZ's own RHEL5-based branch reached EOL in
February 2018.  Since this is not based on an official OpenVZ update and
the testing was ours rather than theirs, any bugs there might be in this
update are also ours rather than theirs.

Listed below are important Owl-current changes since the 2016 ISOs &
templates.  Owl 3.1-stable includes similar security fixes, but not the
non-security changes.  Please refer to the Owl 3.1-stable change log
linked off the Owl homepage above for its specifics.

2018/05/24	Package: lftp
Updated to 4.8.3.

2018/05/23	Packages: procps, procps-ng
SECURITY FIX	Severity: high, local, passive
Replaced procps with procps-ng 3.3.14 plus all Qualys patches fixing a number
of issues that Qualys found during their security audit, including some issues
that might have allowed successful attacks on a user (or root) invoking top(1)
or other procps programs.

2018/05/21	Package: kernel
SECURITY FIX	Severity: low to high, local, active
Updated to 2.6.18-431.el5.028stab123.1.  This is a belated (with Owl
being barely on life support at this point) addition of kernel page
table isolation (KPTI) on x86-64 (only) as a software fix for Meltdown
(CVE-2017-5754) - an issue that allowed userspace processes to read
kernel memory (except on AMD CPUs).  Also included is a fix for the "POP
SS" vulnerability (CVE-2018-8897), which allowed for a local DoS attack.
However, this update does not mitigate the set of CPU vulnerabilities
known as Spectre, although the exposure to them might be lower than it
is in newer kernels because of the lack of eBPF.

2017/10/25	Package: glibc
SECURITY FIX	Severity: none to high, remote, active
Backported upstream fix for the recently discovered glob heap buffer
overflow (CVE-2017-15670) and while at it also for integer overflows in
pvalloc, valloc, posix_memalign/memalign/aligned_alloc (CVE-2013-4332).

2017/10/19	Package: kernel
SECURITY FIX	Severity: none to high, local, active
Updated to 2.6.18-419.el5.028stab122.4.  This addresses the issue of
Position Independent Executables' (PIE) data potentially overlapping in
memory with their stack areas (CVE-2017-1000253).  (Un)fortunately, on
Owl we do not yet build our SUID/SGID binaries as PIE (which would be a
security enhancement if it were not for this issue), so this did not
affect Owl itself, but it could affect third-party SUID/SGID binaries
installed on Owl (including e.g. as part of third-party distros in
containers).  The many other security issues also addressed with this
upstream update, as compared to the much older upstream revision we
built upon previously, had already been fixed or worked around in prior
kernel updates for Owl.

2017/06/19	Package: kernel
SECURITY FIX	Severity: none to high, local, active
On SUID/SGID exec, limit the size of argv+envp to 512 KiB and the stack
size to 10 MiB, similarly to what grsecurity did in 2012.  This prevents
some of the stack/heap clash attacks described by Qualys, while some
others were already prevented for years by our glibc hardening changes.

2017/06/15	Package: db4
SECURITY FIX	Severity: medium to high, local, active
Don't open the DB_CONFIG file in the current directory.  This unexpected
property of db4 could have allowed for local DoS, information leaks, and
privilege escalation via programs using db4, including Postfix.

2017/06/08	Package: kernel
Backported upstream reimplementation of restricted hard links,
controllable via the fs.protected_hardlinks sysctl and enabled by
default, similar to what we had as part of CONFIG_HARDEN_LINK in -ow
patches and what grsecurity had as part of CONFIG_GRKERNSEC_LINK.  This
reinforces the group crontab vs. root privilege separation in our
package of ISC/Vixie Cron.

2017/04/02	Package: kernel
SECURITY FIX	Severity: high, local, active
Merged upstream fix to locking in net/ipv4/ping.c: ping_unhash(), where
the race condition could have been exploited by container root into e.g.
container escape.  Without a vulnerability in ping(1), the issue was not
triggerable by non-root users (neither host nor container).

2017/01/25	Package: kernel
SECURITY FIX	Severity: high, local, active
Merged in a fix of use-after-free in the recvmmsg() exit path
(CVE-2016-7117) from Red Hat's -417.  The vulnerability appears likely
to be exploitable locally.  Remote exploitation might be possible as
well, but would require specific (unlikely?) behavior of a service.

2016/12/10	Package: kernel
Merged in Red Hat's CVE-2016-5195 "Dirty COW" fix while also keeping the
mitigation introduced in Owl earlier.  In the kernel build for x86-64,
bumped up the maximum number of logical CPUs from 32 to 96, enabled
support for NUMA, huge pages, hugetlbfs, modules for I2C and many
sensors (similar to what's enabled in RHEL) and CPU microcode update.

2016/10/23	Package: kernel
SECURITY FIX	Severity: high, local, active
Added a mitigation for the "Dirty COW" Linux kernel privilege escalation
vulnerability (CVE-2016-5195).

2016/10/17 -
2016/10/21	Package: bind
SECURITY FIX	Severity: low, remote, active
Merged multiple DoS vulnerability fixes from Red Hat's package, most
notably for two easily triggerable assertion failures (CVE-2016-2776,


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.