This file lists all changes made between Owl 1.1 and its corresponding
stable branch.  Please note that the release itself remains fixed; it's
only the stable branch which has these changes.

Changes made between Owl 1.1 and Owl 1.1-stable.

2005/05/15	kernel	SECURITY FIX	Severity: high, local, active
Updated to Linux 2.4.30-ow3.  This version fixes the ELF core dump
vulnerability discovered by Paul Starzetz.

References:
http://www.isec.pl/vulnerabilities/isec-0023-coredump.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1263

2005/03/28	Package: telnet	SECURITY FIX	Severity: high, remote, passive
Corrected the slc_add_reply() and env_opt_add() buffer overflows which
might have allowed a malicious Telnet server to execute arbitrary machine
code within the context of the telnet client process used to connect to
the server.

References:
http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469
http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468

2005/02/06	Package: cpio	SECURITY FIX	Severity: low, local, passive
Obey the current umask when creating output files; previously, the files
would be created with mode 666.  Thanks to Mike O'Connor for bringing
this up.

Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1572

2005/01/20	kernel	SECURITY FIX	Severity: high, local, active
Updated to Linux 2.4.29-ow1.  Linux 2.4.29, and thus 2.4.29-ow1, adds a
number of security fixes, including to the x86/SMP page fault handler and
the uselib(2) race conditions, both discovered by Paul Starzetz.  The
potential of these bugs is a local root compromise.  The uselib(2) bug
does not affect default builds of Linux kernels with the Openwall patch
applied since the vulnerable code is only compiled in if one explicitly
enables CONFIG_BINFMT_ELF_AOUT, an option introduced by the patch.

References:
http://www.isec.pl/vulnerabilities/isec-0022-pagefault.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0001
http://www.isec.pl/vulnerabilities/isec-0021-uselib.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1235

2004/11/23 - 2004/11/28	kernel; Package: net-tools	SECURITY FIX	Severity: low to high, local/remote, active/passive
Updated to Linux 2.4.28-ow1.  Linux 2.4.28, and thus 2.4.28-ow1, fixes a
number of security-related bugs, including the ELF loader vulnerabilities
discovered by Paul Starzetz (confirmed: ability for users to read +s-r
binaries; potential: local root), a race condition with reads from Unix
domain sockets (potential local root), and smbfs support vulnerabilities
discovered by Stefan Esser (confirmed: remote DoS by a malicious smbfs
server; potential: remote root by a malicious server).

References:
http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
http://marc.theaimsgroup.com/?l=bugtraq&m=110091183206580
http://security.e-matters.de/advisories/142004.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0883
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0949

2004/08/04 - 2004/08/15	kernel	SECURITY FIX	Severity: none to high, local, active
Updated to Linux 2.4.26-ow3 and further to 2.4.27-ow1.  This corrects the
access control check which previously wrongly allowed any local user to
change the group ownership of arbitrary NFS-exported/imported files and
adds a workaround for the file offset pointer races discovered by Paul
Starzetz.  The former is only exploitable when files are NFS-exported
from a server running a vulnerable version of Linux 2.4.x, and the
currently publicly known exploit for the latter relies on code enabled
with the CONFIG_MTRR kernel build option, which has not been enabled in
the default kernels on Owl CDs.  However, as the potential impact of both
issues is a local root compromise, an upgrade of older Linux 2.4.x
installs to 2.4.26-ow3+ is highly recommended.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0497
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0415
http://www.isec.pl/vulnerabilities/isec-0016-procleaks.txt

(2004/06/22) 2004/06/26	Package: dhcp
Added a bounds checking patch covering sprintf() calls with the "%s"
format specifier and non-constant strings, and forcing the use of
snprintf() and vsnprintf() in all places where that was previously
supported but not enabled.  Thanks to Gregory Duchemin for discovering
that some of these actually resulted in a vulnerability in versions of
the DHCP suite newer than the one we're using in Owl.

2004/06/19	kernel	SECURITY FIX	Severity: low to high, local, active
Updated to Linux 2.4.26-ow2.  This fixes multiple security-related bugs
in the Linux kernel (those discovered by Al Viro using "Sparse",
fsave/frstor local DoS on x86, infoleak in the e1000 driver, and some
others) as well as two non-security bugs in the -ow patch itself.  Which
of these bugs affect a particular build of the Linux kernel depends on
what drivers are compiled in (or loaded as modules).  For the default
kernels on Owl CDs, it's only the Intel PRO/1000 Gigabit Ethernet driver
(e1000) which has a vulnerability allowing for more than a DoS attack
fixed with this update.

References:
http://marc.theaimsgroup.com/?l=openwall-announce&m=108763826328168
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0495
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0554
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0535

2004/06/09	Package: shadow-utils	SECURITY FIX	Severity: none to low, local, active
Properly check the return value from pam_chauthtok(3) in chfn(1) and
chsh(1).  Previously, if the chfn and/or chsh commands were enabled for
non-privileged users with control(8), it would have been possible for a
logged in user with an expired password to change their "Full Name" and
login shell without having to change the password.  Thanks to Steve
Grubb and Martin Schulze for discovering this problem.

2004/05/18 - 2004/06/09	Package: cvs	SECURITY FIX	Severity: none to high, remote, active
Added back-ports of fixes for multiple CVS server vulnerabilities, some
of which are known to be exploitable, allowing a malicious client to
execute arbitrary code within the CVS server.  Thanks to Stefan Esser,
Sebastian Krahmer, and Derek Robert Price for finding and fixing these
bugs.  Despite these fixes, it should not be assumed that CVS server
provides any security against a malicious client.  If required, any
restrictions on the actions CVS server is allowed to perform should be
imposed at the OS level.

References:
http://security.e-matters.de/advisories/072004.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0396
http://security.e-matters.de/advisories/092004.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0414
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0416
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0417
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0418

2004/06/07	Package: openssh	SECURITY FIX	Severity: high, remote, passive
Fixed a directory traversal vulnerability in scp which allowed malicious
SSH servers to overwrite arbitrary files on the client system.

Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0175

(2004/04/18) 2004/04/22	kernel	SECURITY FIX	Severity: high, local, active
Updated to Linux 2.4.26-ow1.  Linux 2.4.26 (and thus 2.4.26-ow1) fixes
an integer overflow vulnerability in processing of the MCAST_MSFILTER
socket option discovered by Paul Starzetz.  When properly exploited, the
bug would lead to a local root compromise.  Also included in this kernel
release is a fix for the ext3/XFS information leak discovered by Solar
Designer and a number of other relatively minor fixes.

References:
http://www.isec.pl/vulnerabilities/isec-0015-msfilter.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0424
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0177
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0133

(2004/04/14) 2004/04/14	Package: cvs	SECURITY FIX	Severity: high, remote, passive
Added a fix to the CVS client to ensure that pathnames provided by a CVS
server point to within the working directory.  Without this fix, a
malicious CVS server could cause the CVS client to attempt to create
files at arbitrary locations, thus gaining control over the user account.
This problem has been brought to the attention of CVS developers and
distribution vendors by Sebastian Krahmer of SuSE.

Additionally, CVS server has been further restricted to disallow the use
of relative pathnames to view files outside of the CVS repository.
However, despite this last fix, it should not be assumed that CVS server
provides any security against a malicious client being able to access
arbitrary files available under the privileges granted to the CVS server
at the OS level.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0405

(2004/03/18) 2004/04/14	Package: openssl	SECURITY FIX	Severity: low, remote, passive to active
Updated to 0.9.6m.  This release of OpenSSL fixes a NULL pointer
dereference during SSL handshake.  If triggered, the bug would cause the
remote process or thread to crash.  Depending on the application this
could lead to a denial of service.  For the applications which are a
part of Owl, it's only individual invocations of network clients which
are affected and may be caused to crash by a malicious server.

References:
http://www.openssl.org/news/secadv_20040317.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079

(2004/02/08) 2004/04/14	Package: SimplePAMApps
In login(1) and su(1), generate ut_id's consistently with libutempter
and OpenSSH (patch from Dmitry V. Levin of ALT Linux).  This will make
"su -" replace existing utmp entries for the duration of the su session.

2004/04/14	Owl/doc/*, Owl/doc/*/*
Sync'ed with post-release documentation updates which are pertinent to
1.1-stable.

(2004/01/17) 2004/01/17	Package: procps
In top, handle ticks going backwards gracefully.  This may happen due to
kernel and hardware issues and previously resulted in top reporting
absurd idle processor time percentages under high load on SMP systems.

(2004/01/15 - 2004/01/17) 2004/01/17	Package: readline
Corrected a packaging error where the readline library usage examples
were incorrectly placed under /usr/doc/examples instead of under
readline's documentation directory.

(2004/01/10) 2004/01/15	Package: john
Corrected a segfault with --stdin introduced with John 1.6.34.2.

2004/01/15	Owl/doc/DOWNLOAD, Owl/doc/*/DOWNLOAD, Owl/doc/fr/CREDITS
Sync'ed with the minor post-release updates made in Owl-current.

$Id: CHANGES-1.1-stable,v 1.1.2.28 2005/05/15 04:38:28 solar Exp $
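Two of the entries above (the CVS client fix of 2004/04/14 and the scp fix of 2004/06/07) share the same defensive idea: a pathname received from a remote server must be vetted before the client creates anything, so that it cannot name a location outside the client's working directory.  The C program below is an added illustration of that check and is not the Owl changelog's own code nor the code of CVS or OpenSSH; the function names path_stays_inside() and safe_join(), and the sample pathnames, are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Lexical containment check for a server-supplied relative pathname.
 * Returns 1 if the name can only refer to something at or below the
 * working directory, 0 if it must be rejected.  Hypothetical helper,
 * written for this example; not the CVS or OpenSSH implementation.
 *
 * Rules: empty names and absolute names are rejected; "." and empty
 * components ("a//b") are ignored; ".." may only pop a level that an
 * earlier component of the same name pushed, never the working
 * directory itself.
 */
int path_stays_inside(const char *name)
{
    const char *p = name;
    int depth = 0;              /* directory levels below the working dir */

    if (name == NULL || *name == '\0')
        return 0;
    if (*name == '/')
        return 0;               /* an absolute path is never acceptable */

    while (*p) {
        const char *start = p;
        size_t len;

        while (*p && *p != '/')
            p++;
        len = (size_t)(p - start);

        if (len == 0 || (len == 1 && start[0] == '.')) {
            /* "." or an empty component: no change in depth */
        } else if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return 0;       /* would climb above the working directory */
            depth--;
        } else {
            depth++;
        }
        while (*p == '/')
            p++;
    }
    return 1;
}

/*
 * Build the full client-side path only after the name has passed the
 * check, using snprintf() so an over-long name cannot overflow `out`.
 * Returns 1 on success, 0 if the name was rejected or did not fit.
 */
int safe_join(const char *cwd, const char *name, char *out, size_t outlen)
{
    int n;

    if (!path_stays_inside(name))
        return 0;
    n = snprintf(out, outlen, "%s/%s", cwd, name);
    if (n < 0 || (size_t)n >= outlen)
        return 0;               /* truncated: refuse rather than guess */
    return 1;
}

int main(void)
{
    /* Constructed sample names, as a server might send them. */
    const char *samples[] = {
        "src/main.c", "a/../b", "./a//b/.",
        "../etc/passwd", "/etc/passwd", "a/../../b", ""
    };
    char full[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (safe_join("/home/user/work", samples[i], full, sizeof full))
            printf("accept  \"%s\" -> %s\n", samples[i], full);
        else
            printf("reject  \"%s\"\n", samples[i]);
    }
    return 0;
}
```

The check is purely lexical, which is enough for the scenario in both entries (the server can only name files, not rearrange the client's directory tree).  If the same code had to defend against a directory tree the peer could already have planted symbolic links in, the containment decision would also have to be made on the resolved path, for instance by opening each component with O_NOFOLLOW or comparing realpath(3) output against the working directory.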