This file lists the major changes made between Owl releases. While some of the changes listed here may also be made to a stable branch, the complete lists of stable branch changes are included with those branches and as errata for the corresponding Owl releases only.

This is very far from an exhaustive list of changes. Small changes to individual packages won't be mentioned here unless they fix a security or a critical reliability problem. They are, however, mentioned in change logs for the packages themselves.

Security fixes have a "Severity" specified for the issue(s) being fixed. The three comma-separated metrics given after "Severity:" are: risk impact (low, medium, or high), attack vector (local, remote, or indirect), and whether the attack may be carried out at will (active) or not (passive).

Please note that the specified risk impact is just that, it is not the overall severity, so other metrics are not factored into it. For example, a "high" impact "local, passive" issue is generally of lower overall severity than a "high" impact "remote, active" one - this is left up to our users to consider given their specific circumstances.

Per our current conventions, a Denial of Service (DoS) vulnerability is generally considered to have a "low" risk impact (even if it is a "remote, active" one, which is to be considered separately as it may make the vulnerability fairly critical under specific circumstances). Some examples of "medium" impact vulnerabilities would be persistent DoS (where the DoS effect does not go away with a (sub)system restart), data loss, bugs enabling non-critical information leaks, cryptographic signature forgeries, and/or sending of or accepting spoofed/forged network traffic (where such behavior was unexpected), as long as they would not directly allow for a "high" impact attack.
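A small parser for the "Severity:" notation used throughout this file, added here as an example (it is not part of Owl). It splits the three comma-separated metrics, expands "X to Y" ranges into (default, worst case) pairs and slash-separated alternatives into the positional combinations they denote, then ranks SECURITY FIX entries of a constructed excerpt (taken from entries below) by worst-case impact and collects their CVE IDs.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Vocabulary of the three metrics as documented at the top of this file.
IMPACT_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}
VOCAB = (set(IMPACT_RANK), {"local", "remote", "indirect"}, {"active", "passive"})


@dataclass
class Combination:
    impact: tuple  # (default, worst case); both equal when there is no "to" range
    vector: tuple
    mode: tuple


def _alternatives(metric):
    """Split one metric on "/" and expand "X to Y" ranges into (default, worst) pairs."""
    out = []
    for alt in metric.split("/"):
        parts = [p.strip() for p in alt.split(" to ")]
        if len(parts) == 1:
            parts = parts * 2
        if len(parts) != 2:
            raise ValueError(f"bad metric: {alt!r}")
        out.append(tuple(parts))
    return out


def parse_severity(text):
    """Expand a Severity string into the (impact, vector, mode) combinations it denotes.

    Slash-separated alternatives pair up positionally across the three metrics,
    e.g. "low/none to high, remote/local" means "low, remote" and "none to high,
    local"; a metric with a single value applies to every combination.
    """
    metrics = [m.strip() for m in text.split(",")]
    if len(metrics) != 3:
        raise ValueError(f"expected three metrics, got {text!r}")
    alts = [_alternatives(m) for m in metrics]
    n = max(len(a) for a in alts)
    if any(len(a) not in (1, n) for a in alts):
        raise ValueError(f"mismatched alternatives in {text!r}")
    combos = []
    for i in range(n):
        values = tuple(a[i] if len(a) == n else a[0] for a in alts)
        for vals, allowed in zip(values, VOCAB):
            if not set(vals) <= allowed:
                raise ValueError(f"unknown value in {text!r}: {vals}")
        combos.append(Combination(*values))
    return combos


def worst_impact(text):
    """Highest worst-case impact over all combinations of a Severity string."""
    return max((c.impact[1] for c in parse_severity(text)), key=IMPACT_RANK.get)


DATE_RE = re.compile(r"^\d{4}/\d{2}/\d{2}( - \d{4}/\d{2}/\d{2})?$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Entry:
    date: str
    packages: str = ""
    security_fix: bool = False
    severity: Optional[str] = None
    cves: list = field(default_factory=list)


def parse_changes(text):
    """Split changelog text into entries; each starts with a date line."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if DATE_RE.match(line):
            cur = Entry(date=line)
            entries.append(cur)
            continue
        if cur is None:
            continue  # introductory text before the first entry
        if line.startswith(("Package: ", "Packages: ")) and not cur.packages:
            cur.packages = line.split(": ", 1)[1]
        elif line == "SECURITY FIX":
            cur.security_fix = True
        elif line.startswith("Severity: "):
            cur.severity = line[len("Severity: "):]
        for cve in CVE_RE.findall(line):
            if cve not in cur.cves:
                cur.cves.append(cve)
    return entries


def security_fixes_by_worst_impact(text):
    """SECURITY FIX entries as (date, packages, worst impact, CVEs), worst first."""
    rows = [(e.date, e.packages, worst_impact(e.severity), e.cves)
            for e in parse_changes(text) if e.security_fix and e.severity]
    rows.sort(key=lambda r: IMPACT_RANK[r[2]], reverse=True)  # stable: file order on ties
    return rows


# Constructed excerpt in this file's own format (entries quoted from below).
SAMPLE = """\
2014/07/07
Package: gnupg
SECURITY FIX
Severity: medium, local/indirect, passive
Updated to 1.4.18. Fixed since 1.4.13 are DoS via compressed data
(CVE-2013-4402, CVE-2014-4617) and RSA side-channel vulnerabilities
(CVE-2013-4242, CVE-2013-4576).

2012/05/06
Package: openssl
SECURITY FIX
Severity: medium/high, remote/indirect, active/passive
The ASN1 BIO vulnerability (CVE-2012-2110) potentially allows for
arbitrary code execution.

2012/02/25
Package: kernel
SECURITY FIX
Severity: low/low to high, remote/local, active
Fixes an IGMP remote DoS over LAN (CVE-2012-0207) and a futex robust
list flaw (CVE-2012-0028).

2011/10/29
Package: gcc
Updated to 4.6.2.
"""

if __name__ == "__main__":
    for row in security_fixes_by_worst_impact(SAMPLE):
        print(row)
```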
Finally, a typical "high" impact vulnerability would allow for privilege escalation such as ability to execute code as another user ID than the attacker's (a "local" attack) or without "legitimately" having such an ability (a "remote" attack).

The metrics specified are generally those for a worst case scenario, however in certain cases ranges such as "none to low" or/and "local to remote" may be specified, referring to the defaults vs. a worst case yet "legitimate" custom configuration.

In some complicated cases, multiple issues or attacks may be dealt with at once. When those differ in their severity metrics, we use slashes to denote the possible combinations. For example, "low/none to high, remote/local" means that we've dealt with issue(s) or attack(s) that are "low, remote" and those that are "none to high, local". In those tricky cases, we generally try to clarify the specific issue(s) and their severities in the description.

Changes made between Owl 3.0 and Owl 3.1.

2014/07/07
Package: glibc
Added OpenBSD 5.5+ $2b$ prefix support to crypt_blowfish (same as $2y$).

2014/07/07
Package: gnupg
SECURITY FIX
Severity: medium, local/indirect, passive
Updated to 1.4.18. Fixed since 1.4.13 are DoS via compressed data (CVE-2013-4402, CVE-2014-4617) and RSA side-channel vulnerabilities (CVE-2013-4242, CVE-2013-4576).

2014/07/07
Package: kernel
SECURITY FIX
Severity: none to high, local, active
Updated to 2.6.18-371.9.1.el5.028stab114.2, which contains security fixes for the floppy disk driver in case a /dev/fd* device is accessible to a non-trusted user (normally not the case on Owl). Added a hardening measure against the ptrace SYSRET vulnerability (CVE-2014-4699), which could allow for DoS or privilege escalation in x86_64 kernel builds running on Intel CPUs, even though RHEL5 kernels are currently understood to be unaffected.
References:
https://openvz.org/Download/kernel/rhel5-testing/028stab114.2
https://rhn.redhat.com/errata/RHSA-2014-0740.html
http://www.openwall.com/lists/oss-security/2014/07/08/16
http://www.openwall.com/lists/oss-security/2014/07/08/9

2014/06/09
Package: kernel
SECURITY FIX
Severity: high, local, active
Updated to 2.6.18-371.8.1.el5.028stab113.1, which is based on RHEL 5.10, and contains numerous security fixes compared to the kernel revision we were using before. Disabled this new kernel revision's RDRAND support because it suffers from the security risks discussed after that code had been introduced into mainline kernels (in particular, get_random_bytes() could be less random under VMs). Enabled CPU frequency scaling, which is needed on some modern servers to enable Intel's Turbo Boost (enabling it in BIOS settings only is often not enough). To use it, load a module appropriate for your hardware (e.g., "modprobe acpi-cpufreq") and control the CPU frequency via sysfs (turbo is typically enabled by setting the frequency on all logical CPUs to be nominally 1 KHz higher than the CPU's highest non-turbo base frequency).
References:
https://openvz.org/Download/kernel/rhel5-testing/028stab113.1
https://rhn.redhat.com/errata/RHSA-2014-0433.html
https://openvz.org/Download/kernel/rhel5/028stab112.3
https://rhn.redhat.com/errata/RHSA-2014-0285.html
https://rhn.redhat.com/errata/RHSA-2014-0108.html
https://openvz.org/Download/kernel/rhel5/028stab110.1
https://rhn.redhat.com/errata/RHSA-2013-1790.html
https://rhn.redhat.com/errata/RHSA-2013-1348.html
https://openvz.org/Download/kernel/rhel5/028stab108.1
https://rhn.redhat.com/errata/RHSA-2013-1166.html
https://openvz.org/Download/kernel/rhel5/028stab107.2
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2224
https://openvz.org/Download/kernel/rhel5/028stab107.1
https://rhn.redhat.com/errata/RHSA-2013-0747.html

2014/06/08
Package: openssl
SECURITY FIX
Severity: medium, remote, passive
Updated to 1.0.0m, which includes a fix for CCS Injection vulnerability (CVE-2014-0224) and more.

References:
http://www.openwall.com/lists/oss-security/2014/06/05/18
https://www.openssl.org/news/secadv_20140605.txt
http://ccsinjection.lepidum.co.jp

2013/04/20 - 2013/07/08
Package: john
Merged into the tree many changes, most of them sponsored by Rapid7 under their Magnificent7 program, which have ultimately resulted in John the Ripper 1.8.0 release. The code in Owl was then updated some further, up to version 1.8.0.2.

Reference:
http://www.openwall.com/lists/announce/2013/05/30/1

2013/06/05
Package: strace
Updated to 4.8.

2013/04/24
Package: passwdqc
Updated to 1.3.0.

2013/04/07
Package: kernel
Updated to 2.6.18-348.3.1.el5.028stab106.2. The only change from our previous kernel revision is OpenVZ's minor bugfix in NFS client code.

Reference:
https://openvz.org/Download/kernel/rhel5/028stab106.2

2013/03/19
Package: kernel
SECURITY FIX
Severity: high, local/indirect, active/passive
Updated to 2.6.18-348.3.1.el5.028stab106.1.
The corresponding RHEL5 kernel updates fix a number of vulnerabilities; the CVE IDs of the relevant ones are referenced below. Most importantly, this fixes a PTRACE_SETREGS vs. process death race condition (CVE-2013-0871), which could allow a non-privileged local user to execute arbitrary code in the kernel and thus escalate their privileges to root, escape from an OpenVZ container, etc. (However, the risk probability might have been low due to the race being difficult to win.)

References:
https://openvz.org/Download/kernel/rhel5-testing/028stab106.1
https://rhn.redhat.com/errata/RHSA-2013-0621.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0871
http://www.openwall.com/lists/oss-security/2013/02/15/16
https://rhn.redhat.com/errata/RHSA-2013-0594.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3400
http://www.openwall.com/lists/oss-security/2012/07/03/1
https://rhn.redhat.com/errata/RHSA-2013-0168.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1568
http://www.openwall.com/lists/oss-security/2012/03/20/4
https://rhn.redhat.com/errata/RHBA-2013-0006.html
https://rhn.redhat.com/errata/RHSA-2012-1540.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4508
http://www.openwall.com/lists/oss-security/2012/10/25/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3552
http://www.openwall.com/lists/oss-security/2012/08/31/11

2013/02/23
Package: glibc
Backported a fix for a TLS handling bug that manifested itself as an assertion failure on startup of some third-party program binaries, as reproduced with Mozilla's build of Firefox 17.0.1:
http://www.openwall.com/lists/owl-dev/2013/02/23/2

2013/02/22
Package: gnupg
SECURITY FIX
Severity: medium, indirect, passive
Updated to 1.4.13. This version fixes a memory corruption bug (CVE-2012-6085). The bug allowed an attacker to crash gpg(1) and corrupt the public keyring database file.
Arbitrary code execution was not possible because the attacker cannot control the corrupted data. The corrupted data is stored in the keyring file, so the DoS effect is persistent, but the keyring can be manually restored by recovering from the pubring.gpg~ backup file (which is created by gpg(1) itself).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6085
https://bugzilla.redhat.com/show_bug.cgi?id=891142
http://www.openwall.com/lists/oss-security/2013/01/01/6

2013/02/22
Package: kernel
SECURITY FIX
Severity: none to low, local/indirect, active/passive
Updated to 2.6.18-308.20.1.el5.028stab104.3. Enabled CONFIG_EFI_PARTITION=y (GUID Partition Table (GPT) support) and CONFIG_SOUND=m (the sound card driver subsystem) with the same set of drivers as in RHEL5. The corresponding RHEL5 kernel updates fix a divide-by-zero flaw in the ext4 filesystem code (CVE-2012-2100), which could be triggered via a corrupted ext4 filesystem. This is only a security issue if untrusted users are permitted to mount filesystems or/and when mounting filesystems from untrusted sources; other and worse attacks are likely possible in those cases, thereby making this one fix relatively unimportant. Red Hat has also fixed a flaw in the dl2k driver (CVE-2012-2313), which is not included in our kernel builds.

References:
https://openvz.org/Download/kernel/rhel5-testing/028stab104.3
https://openvz.org/Download/kernel/rhel5-testing/028stab104.2
https://openvz.org/Download/kernel/rhel5-testing/028stab104.1
https://rhn.redhat.com/errata/RHSA-2012-1445.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2100
https://openvz.org/Download/kernel/rhel5-testing/028stab103.1
https://rhn.redhat.com/errata/RHSA-2012-1174.html

2012/08/18
Package: openssl
SECURITY FIX
Severity: none to medium, remote, passive to active
Updated to 1.0.0j. This release corrects a buffer over-read flaw in the handling of CBC mode ciphersuites in DTLS.
No DTLS-using programs are included in Owl, so it'd take a third-party program to make this flaw actually triggerable on Owl.

References:
https://www.openssl.org/news/secadv_20120510.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2333

2012/08/18
Package: xinetd
SECURITY FIX
Severity: none to medium, remote, active
Updated to 2.3.15, which corrects an access control bypass vulnerability in the normally disabled tcpmux service.

References:
http://www.openwall.com/lists/oss-security/2012/05/09/5
https://bugzilla.redhat.com/show_bug.cgi?id=790940
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0862

2012/08/18
Package: kernel
SECURITY FIX
Severity: low, local, active
Updated to 2.6.18-308.11.1.el5.028stab102.1. The corresponding RHEL5 kernel update fixes a flaw in the epoll subsystem, which could be used for a local DoS attack. Other security flaws reported as fixed in the release notes referenced below do not affect Owl's builds of the kernel (they're in Xen and extended taskstats functionality, which we do not include).

References:
https://openvz.org/Download/kernel/rhel5-testing/028stab102.1
https://rhn.redhat.com/errata/RHSA-2012-1061.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3375
https://openvz.org/Download/kernel/rhel5-testing/028stab101.1

2012/08/14
Package: glibc
Corrected the processing of '\x80' characters in extended DES-based crypt(3) hashes. A related issue affecting traditional DES-based crypt(3) hashes is known as CVE-2012-2143 in other projects using the same FreeSec code, but luckily in Owl we've been using this code only for the extended hashes (continuing to use upstream glibc's UFC-crypt for traditional ones), and these were only affected in terms of compatibility (with BSD/OS and certain other implementations), but not security. Hence, this is not a security fix.

2012/08/14
Package: slang
Dropped S-Lang from Owl. We never made use of it in Owl itself.

2012/08/14
Package: binutils
Updated to 2.23.51.0.1.
2012/07/23
Package: tcsh
Updated to 6.18.01.

2012/05/12
Package: binutils
Updated to 2.22.52.0.1.

2012/05/08
Package: syslinux
Updated to 4.05.

2012/05/08
Package: lftp
Updated to 4.3.6. Corrected an assertion failure with torrent peer id generation when the lftp PID is above 65535. Added a patch proposed by upstream to always obtain and report exact file timestamps.

2012/05/06
Package: openssl
SECURITY FIX
Severity: medium/high, remote/indirect, active/passive
Updated to 1.0.0i, which corrects numerous vulnerabilities discovered since 1.0.0d (the version we had in Owl-current before). The attack vectors and worst case impact of these vulnerabilities vary. The ASN1 BIO vulnerability (CVE-2012-2110) discovered by Tavis Ormandy of Google Security Team and patched specifically in the 1.0.0i release in April potentially allows for arbitrary code execution, but is not triggerable via OpenSSL's SSL/TLS code, whereas worst case impact of other vulnerabilities corrected with this update is lower.
References:
https://www.openssl.org/news/secadv_20120419.txt
http://lists.openwall.net/full-disclosure/2012/04/19/4
http://www.openwall.com/lists/oss-security/2012/04/22/2
http://www.openwall.com/lists/oss-security/2012/04/22/3
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110
https://www.openssl.org/news/secadv_20120312.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0884
https://www.openssl.org/news/secadv_20120104.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4108
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4577
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619
https://www.openssl.org/news/secadv_20110906.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3207

2012/05/06
Package: kernel
SECURITY FIX
Severity: low to high, local, active
Updated to 2.6.18-308.4.1.el5.028stab100.2, which includes a fix for excessive in-kernel CPU time consumption when creating large nested epoll structures (CVE-2011-1083) as reported by Nelson Elhage. Corrected an Owl-specific mm (memory) leak and a reference count overflow possibility (with non-obvious impact) that was inadvertently introduced in 2.6.18-274.18.1.el5.028stab098.1.owl1 and which could be triggered on i686 (not x86_64) on read attempts from /proc/PID/*maps by other than the same program instance that opened these special files. Reverted the dmesg_restrict sysctl tri-state feature in favor of the approach taken by OpenVZ.
References:
https://openvz.org/Download/kernel/rhel5-testing/028stab100.2
https://openvz.org/Download/kernel/rhel5-testing/028stab099.4
https://openvz.org/Download/kernel/rhel5/028stab099.3
https://rhn.redhat.com/errata/RHSA-2012-0150.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1083
http://www.openwall.com/lists/oss-security/2011/03/02/1
http://www.openwall.com/lists/oss-security/2011/03/02/2
https://bugs.openvz.org/browse/OVZ-5328

2012/05/02
Package: strace
Updated to 4.7.

2012/04/22
Package: hdparm
Updated to 9.39, added packaging of the wiper.sh script (SSD trimming).

2012/03/03
Package: gcc
Updated to 4.6.3.

2012/02/25
Package: kernel
SECURITY FIX
Severity: low/low to high, remote/local, active
Updated to 2.6.18-274.18.1.el5.028stab098.1, which fixes an IGMP remote DoS over LAN (CVE-2012-0207), two ext4 filesystem local DoS flaws (CVE-2011-3638, CVE-2011-4086), and a flaw in handling of robust list pointers of user-space held futexes across execve(2) calls (CVE-2012-0028), which could be used for privilege escalation via a SUID/SGID program that is multi-threaded or/and has a memory-mapped device, file, or shared memory segment (Owl does not include such SUID/SGID programs). Introduced the previously missed RLIMIT_NPROC check into fs/compat.c: compat_do_execve() (used by 32-bit program binaries on 64-bit kernel). Introduced protection against unintended self-read by a SUID/SGID program of /proc/PID/mem and /proc/PID/*maps files, based on approaches taken in recent grsecurity patches. Made the kernel.dmesg_restrict sysctl tri-state and container-aware. Enabled CONFIG_NFSD=m, CONFIG_CIFS=m, CONFIG_NET_SCHED=y, CONFIG_NET_RADIO=y, CONFIG_PCCARD=m and lots of WiFi drivers as modules.
References:
https://openvz.org/Download/kernel/rhel5/028stab098.1
https://rhn.redhat.com/errata/RHSA-2012-0107.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0207
https://womble.decadent.org.uk/blog/igmp-denial-of-service-in-linux-cve-2012-0207.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=654876
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3638
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0028
http://www.openwall.com/lists/oss-security/2012/01/04/18
http://www.openwall.com/lists/oss-security/2012/05/08/1
https://bugzilla.redhat.com/show_bug.cgi?id=771764
http://www.openwall.com/lists/oss-security/2012/02/08/2

2012/02/18
Package: glibc
Enabled building of UTF-8 locales by default (adds 6.5 MB to glibc .rpm package size and 36 MB to installed system size on a filesystem with 4 KB blocks, unfortunately).

2012/02/12 - 2012/02/18
Package: gcc; Owl/build/.rpmmacros
Enabled -Wl,-z,relro and -Wl,-z,now by default as a security hardening measure, rebuilt all packages. In most cases the performance impact is non-existent or negligible. To disable these options (for whatever reason), pass -Wl,-z,norelro and -Wl,-z,lazy to gcc, respectively. Note: ld(1) still uses -z norelro and -z lazy by default; only gcc's defaults are changed. (We already had -Wl,-z,relro in Owl/build/.rpmmacros since 2011/11/04; now that change is reverted in favor of gcc's change of default, and we've also added -Wl,-z,now.)

References:
http://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only/
http://tk-blog.blogspot.com/2009/02/relro-not-so-well-known-memory.html

2012/01/25
Package: kernel
SECURITY FIX
Severity: low to high, local, active
Updated to 2.6.18-274.17.1.el5.028stab097.1. Of the security issues mentioned in the Red Hat advisory referenced below, 5 are relevant to Owl's build of the kernel. Their relevance to and impact on specific Owl installs varies.
Specifically, access to some /proc/PID/* special files was not revoked on invocation of a SUID/SGID program, which allowed for an ASLR bypass (easier exploitation of certain kinds of other security flaws if present) as well as for an additional and unintended way to interact with the program (e.g. causing it to fail with a file lock held). Since Owl does not have any SUID binaries by default (only having some SGIDs), the impact of this flaw on default installs of Owl was greatly reduced. The remaining 4 flaws fixed with this update are either reliably known or currently understood to be limited to local denial of service (DoS); one of them requires that a specially-crafted corrupted ext3 or ext4 filesystem be mounted, and two are in the NFS client and thus require an NFS mount to be present and accessible to a local attacker. Please refer to the CVE IDs and other references below for more detail.

References:
https://openvz.org/Download/kernel/rhel5-testing/028stab097.1
https://rhn.redhat.com/errata/RHSA-2012-0007.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1020
http://www.halfdog.net/Security/2011/SuidBinariesAndProcInterface/
http://lists.openwall.net/linux-kernel/2011/02/07/416
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3637
http://www.openwall.com/lists/oss-security/2012/02/06/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4132
http://www.openwall.com/lists/oss-security/2012/02/06/2
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4324
http://www.openwall.com/lists/oss-security/2012/02/06/3
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4325
http://www.openwall.com/lists/oss-security/2012/02/06/4

2011/12/27
Package: kernel
SECURITY FIX
Severity: medium, local, passive
Updated to 2.6.18-274.12.1.el5.028stab096.1, enabled build of the VIA Rhine NIC driver (as a module).
Although the corresponding RHEL update fixed multiple vulnerabilities, only the taskstats io infoleak (CVE-2011-2494) is relevant to Owl kernel builds.

References:
https://openvz.org/Download/kernel/rhel5-testing/028stab096.1
https://rhn.redhat.com/errata/RHSA-2011-1479.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2494
http://www.openwall.com/lists/oss-security/2011/06/24/6
http://www.openwall.com/lists/oss-security/2011/09/21/1

2011/12/27
Package: hardlink
Fixed a bug in a code path triggered on error.

2011/11/27
Package: kernel
SECURITY FIX
Severity: low to medium, local/remote, active
Updated to -274.7.1.el5.028stab095.1, which contains fixes for multiple local and remote DoS vulnerabilities, including via triggering an ext4 filesystem implementation bug with writes into the last block of a file in certain special circumstances, mremap(2) syscall, receiving of a specially crafted packet when GRO is enabled, receiving of a specially crafted packet on a bridge device, and via clock_gettime(2) syscall. This kernel revision also improves the randomness of IPv4 sequence numbers by moving from a 24-bit random component generated using MD4 plus a timer-based component to the full 32-bit numbers generated using MD5. Owl is not affected by the rest of the vulnerabilities reported in the referenced Red Hat advisory as we don't build the corresponding components. Also included with this update is an OpenVZ fix of "loosing socket permissions in /dev with udev+tmpfs during CT restore (live migration)", which may be relevant to certain non-Owl OpenVZ containers being live-migrated on Owl host systems. Finally, we've changed the default for CONFIG_PCNET32 from =m to =y for ease of use under VMware, which emulates a NIC of this type by default.
References:
https://openvz.org/Download/kernel/rhel5/028stab095.1
https://rhn.redhat.com/errata/RHSA-2011-1386.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2695
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2696
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2723
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2942
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3209
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3188

2011/11/23
Package: john
John the Ripper has been enhanced in numerous ways, most notably gaining OpenMP parallelization for more hash types, resulting in its 1.7.9 release, which is also part of Owl (as usual). The Owl package of John the Ripper now actually has OpenMP parallelization and support for Intel AVX and AMD XOP enabled due to our move to GCC 4.6.x. It also includes transparent fallback to non-OpenMP and/or pre-AVX program binaries when the thread count would be 1 (such as because the system only has one logical CPU) or when running on a CPU not supporting AVX, respectively.

Reference:
http://www.openwall.com/lists/john-users/2011/11/23/2

2011/10/29
Packages: syslinux, owl-cdrom; Owl/build/*
Packaged SYSLINUX - a collection of boot loaders - and moved from LILO to ISOLINUX for the ISO-9660 images generated by "make iso".

2011/10/29
Package: gcc
Updated to 4.6.2.

2011/10/26
Package: tzdata
Updated to 2011m.

2011/10/26
Package: owl-startup
Added VLAN support (patch by Piotr Meyer).

2011/10/24
Package: pam
SECURITY FIX
Severity: none to high, local, active
Applied upstream fixes for two vulnerabilities in pam_env. This module is not in use on default installs of Owl, and it never was, hence there was no impact for default installs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3148
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3149

2011/10/24
Packages: gcc, gmp, libmpc, mpfr
Updated GCC to 4.6.1.
Packaged GMP, MPC, and MPFR - arbitrary precision arithmetic libraries, which are required by the new GCC version.

2011/10/15
Package: tzdata
Updated to 2011l. Reduced installed package size via use of hardlinks.

2011/10/15
Package: hardlink
New package: a program to consolidate duplicate files via hardlinks.

2011/10/10
Package: rpm
SECURITY FIX
Severity: high, indirect, passive
Applied a fix for crash and potential arbitrary code execution when processing a malformed/malicious package file. Although an RPM package can, by design, execute arbitrary code when installed or even during installation, this issue would potentially allow a specially-crafted RPM package to execute arbitrary code when the package metadata is merely queried, including for digital signature verification. Note that for Owl RPM packages we do not rely on RPM's support for signatures; instead, we sign *.mtree files. Please continue to verify detached GnuPG signatures that we provide for such files with gpg(1), and then verify RPM package files against the message digests found in *.mtree files with mtree(8) (both of these tools are part of Owl). This kind of verification was unaffected by this RPM issue. Please note that use of RPM on untrusted package files, even if just to verify a signature, remains risky despite this recent fix: RPM package format and processing are complicated, so further issues of this kind are likely.

References:
http://www.openwall.com/lists/oss-security/2011/09/27/3
https://rhn.redhat.com/errata/RHSA-2011-1349.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3378

2011/10/10
Package: SysVinit
Applied a patch to set the shell name to /bin/bash, not /bin/sh, such that colored ls output is enabled on our LiveCD.

2011/10/09
Packages: kernel, vzctl
SECURITY FIX
Severity: low, local, active
Updated the kernel to 2.6.18-274.3.1.el5.028stab094.3 (OpenVZ's latest stable from their RHEL 5 based branch, now rebased on RHEL 5.7's).
Restricted permissions on /proc/slabinfo as a security hardening measure. Moved some OpenVZ features to modules, as is done in OpenVZ's official kernel builds. Changed CONFIG_UDF_FS=y to =m. Changed CONFIG_BLK_DEV_CRYPTOLOOP and most CONFIG_CRYPTO_* from =y to =m. On x86_64, changed CONFIG_PCNET32 and CONFIG_FORCEDETH (these are some of the 100 Mbps NIC drivers) from =y to =m. Of the 100 Mbps NIC drivers, we're leaving only those for Intel, Realtek, and NE2000-compatible PCI NICs built into the kernel on x86_64 now. Set CONFIG_SCSI_AIC94XX=y and CONFIG_BLK_CPQ_CISS_DA=y (the latter was already =y on i686, now it is =y on x86_64 as well). Although we reference two Red Hat security advisories below, none of the worse-than-local-DoS issues listed in those advisories affect our previous kernel builds, either because we do not build the affected components, or in case of CVE-2011-2495 because we already had the permissions on /proc/PID/io restricted before Owl 3.0 release.

References:
https://openvz.org/Download/kernel/rhel5/028stab094.3
https://rhn.redhat.com/errata/RHSA-2011-1212.html
https://openvz.org/Download/kernel/rhel5/028stab093.2
https://rhn.redhat.com/errata/RHSA-2011-1065.html
http://www.openwall.com/lists/kernel-hardening/2011/09/27/3

2011/10/09
Packages: tzdata, glibc; Owl/build/installorder.conf
Moved timezone data files from glibc to new package tzdata, updated it to version 2011k.

2011/09/07
Owl/build/{install*.sh,installorder.conf}
Support for optional package tags has been added to installorder.conf and made use of in install*.sh scripts. Currently supported are: "D:" - CD only; "d:" - exclude from CD; "E:" - exclude from CD and OpenVZ container templates; "H:" - host only (exclude from OpenVZ container templates).

2011/09/07
Package: owl-etc
Added /etc/owl-release (with "Owl-current post-3.0" in it).

2011/09/07
Package: owl-dev
Create /dev/sd* devices for 16 disks, not just 8 like we did before.
2011/07/27
Package: kernel
SECURITY FIX
Severity: none to high, local, active
Updated to 2.6.18-238.19.1.el5.028stab092.2. Enabled CONFIG_BONDING=m in both i686 and x86_64 kernels, enabled CONFIG_BLK_CPQ_CISS_DA=m in the x86_64 kernel (i686 already had it at "=y"). Applied a patch adding limited support for LSISAS8208ELP (PCI device id 0x0059), which provides access to individual hard drives. Moved the RLIMIT_NPROC check from set_user() to execve(2) and adjusted set_user() so that it can't fail. These changes were desirable to address missing setuid(2) return value check vulnerabilities in user-space programs.

References:
https://openvz.org/Download/kernel/rhel5/028stab092.2
https://openvz.org/Download/kernel/rhel5/028stab091.1
https://rhn.redhat.com/errata/RHSA-2011-0927.html
https://rhn.redhat.com/errata/RHSA-2011-0833.html
https://bugs.gentoo.org/show_bug.cgi?id=325805
https://bugs.gentoo.org/attachment.cgi?id=236721
https://forums.gentoo.org/viewtopic-t-731366.html
http://www.openwall.com/lists/kernel-hardening/2011/07/12/1

2011/07/25
Package: rpm
SECURITY FIX
Severity: none to high, local, passive
Added a patch to remove unsafe file permissions (chmod'ing files to 0) on package removal or upgrade to prevent continued access to such files via hard-links possibly created by a user.

References:
http://www.openwall.com/lists/oss-security/2011/07/25/1
http://www.openwall.com/lists/oss-security/2010/06/02/2
https://bugzilla.redhat.com/show_bug.cgi?id=125517
https://bugzilla.redhat.com/show_bug.cgi?id=598775
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4889
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2059

2011/06/21 - 2011/07/17
Packages: glibc, pam, shadow-utils, tcb
SECURITY FIX
Severity: high, remote, active
crypt_blowfish has been updated to version 1.1 (and then to 1.2), which fixes the 8-bit character handling bug and adds 8-bit test vectors and a quick self-test on every password hash computation.
The impact of this bug was that most (but not all) passwords containing non-ASCII characters with the 8th bit set were hashed incorrectly, resulting in password hashes incompatible with those of OpenBSD's original implementation of bcrypt. What's worse, in some cases (but not in all) one, two, or three characters immediately preceding the 8-bit characters were ignored by the password hash computation. Thus, many passwords containing characters with the 8th bit set were significantly easier to crack than was previously expected. This primarily applies to offline attacks against the password hashes (if the hashes are leaked or stolen), but in rare extreme cases it might also apply to remote password guessing attacks. In practice, passwords with non-ASCII characters are relatively uncommon and are typically more complicated than average, so they're unlikely to be an attractive target for attacks, despite the weakness that this bug exposes them to. Yet the risk is there.

With this glibc update, existing users' passwords containing characters with the 8th bit set will mostly stop working, because the hashes will be computed correctly and not match the incorrectly computed hashes recorded in the system. In order to allow users to log in after the upgrade even if they have a potentially affected password, the newly introduced backwards compatibility hash encoding prefix of "$2x$" may be used. Such password hashes should only be used during a transition period; when passwords are changed and hashed using the correct algorithm, another newly introduced "$2y$" prefix is used.

After installation of this glibc update, login services such as sshd(8) should be restarted ("service sshd restart" and so on) in order for users' newly changed passwords (with the "$2y$" prefix on the hash encodings) to be recognized.
References:
http://www.openwall.com/lists/announce/2011/06/21/1
http://www.openwall.com/lists/oss-security/2011/06/24/1
http://www.openwall.com/lists/oss-security/2011/06/29/16
http://www.openwall.com/lists/john-dev/2011/07/06/15
http://www.openwall.com/lists/oss-security/2011/07/07/9
http://www.openwall.com/lists/oss-security/2011/07/08/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2483

2011/06/22	Package: john
In an effort sponsored by Rapid7, the bitslice DES S-box expressions have been replaced with those generated by Roman Rusakov specifically for John the Ripper. The corresponding assembly code for x86 with MMX, SSE2, and for x86-64 with SSE2 has been re-generated. Support for bcrypt hashes of passwords containing characters with the 8th bit set has been corrected. (The old buggy behavior may be enabled per-hash, using the "$2x$" prefix.) The external mode virtual machine's performance has been improved. This update of John the Ripper has also been released separately from Owl as version 1.7.8.

References:
http://www.openwall.com/lists/john-users/2011/06/22/1
https://www.rapid7.com

2011/06/09	Package: lilo
Updated to 23.2.

2011/05/03	Package: kernel
SECURITY FIX	Severity: none to low, local, active
Updated to 2.6.18-238.9.1.el5.028stab089.1. This fixes obscure security issues: kernel panic by unprivileged user via NFSv4 (CVE-2011-1090) and NULL pointer dereference in GRO code (CVE-2011-1478). It fixes non-security issues with page tables accounting, AMD Bulldozer boot process, OOM killer, and CPU stats bugs. It also introduces numerous features.

References:
https://openvz.org/Download/kernel/rhel5/028stab089.1
https://openvz.org/Download/kernel/rhel5/028stab085.5
https://rhn.redhat.com/errata/RHSA-2011-0429.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1090
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1478

2011/05/03	Package: rpm
Fixed a regression in %patch introduced in the previous release.
Thanks to Chris Bopp for reporting the bug.

Reference:
http://www.openwall.com/lists/owl-dev/2011/05/02/1

2011/05/03	Package: iproute2
Updated to 2.6.38.

2011/05/03	Package: iputils
Updated to s20101006.

2011/04/27	Package: john
Made numerous enhancements to John the Ripper, resulting in its 1.7.7 release, which is also part of Owl (as usual).

Reference:
http://www.openwall.com/lists/john-users/2011/04/28/1

2011/04/02	Package: kernel
Updated to 2.6.18-238.5.1.el5.028stab085.3, which is now marked as "RHEL5 stable". This fixes a kernel Oops caused by nfsd. Also fixed an Owl-specific x86_64 gettimeofday(2) VDSO issue, which manifested itself in some 64-bit programs inside containers with some Linux distributions (not Owl) crashing with SIGSEGV. The issue was new with -238 kernels (thus, it was not present in Owl 3.0, nor in 3.0-stable).

References:
https://openvz.org/Download/kernel/rhel5/028stab085.3
https://bugs.openvz.org/browse/OVZ-4946

2011/03/21	Package: kernel
SECURITY FIX	Severity: none to medium, local, active
Backported fixes for information leaks in Netfilter modules: arp_tables (CVE-2011-1170), ip_tables (CVE-2011-1171), ip6_tables (CVE-2011-1172), and ipt_CLUSTERIP. One must have CAP_NET_ADMIN to exploit these issues (e.g. in-container root may trigger the leak). The default Owl installation is vulnerable to the infoleak in ip_tables only as we don't ship other Netfilter modules nor have IPv6 enabled.

References:
http://www.openwall.com/lists/oss-security/2011/03/18/15
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1170
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1171
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1172

2011/03/17	Package: nmap
Updated to 5.51.

2011/03/15	Package: strace
Updated to 4.6.

2011/03/14	Package: iptables
Changed the default for IPTABLES_STATUS_ARGS to "-nv". Most importantly, this disables the (risky and slow) reverse DNS lookups with "service iptables status".
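The hard-link problem behind the 2011/07/25 rpm entry above, as an added C illustration that is not rpm's or Owl's code: permission bits live in the inode, so a hard link a local user made earlier keeps a removed file's contents and mode unless the packager zeroes the mode before unlinking. The scratch directory and the names "setuid-tool" and "kept-copy" are constructed for this demonstration.

```c
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Runs the file-removal step of a package upgrade in a constructed scratch
   directory and returns the permission bits still reachable through a hard
   link made beforehand (-1 on error). With chmod_first set it does what the
   Owl rpm patch does: chmod the file to 0 before unlinking it. */
int surviving_link_mode(int chmod_first)
{
    char dir[] = "/tmp/owl-rpm-demo-XXXXXX";   /* constructed scratch path */
    if (mkdtemp(dir) == NULL)
        return -1;
    char pkgfile[64], userlink[64];
    snprintf(pkgfile, sizeof pkgfile, "%s/setuid-tool", dir);
    snprintf(userlink, sizeof userlink, "%s/kept-copy", dir);

    int fd = open(pkgfile, O_WRONLY | O_CREAT | O_EXCL, 0700);
    if (fd < 0)
        return -1;
    fchmod(fd, 04755);            /* the packaged file's privileged mode */
    close(fd);
    /* A local user hard-links the file to a name rpm does not track. */
    if (link(pkgfile, userlink) != 0)
        return -1;
    /* Package removal/upgrade: optionally neutralise the mode first. */
    if (chmod_first && chmod(pkgfile, 0) != 0)
        return -1;
    unlink(pkgfile);

    struct stat st;
    int mode = stat(userlink, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
    unlink(userlink);
    rmdir(dir);
    return mode;
}
```

Without the chmod step the surviving link is still an executable with the old mode; with it the leftover inode has mode 0 and is useless to the user who kept it.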
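The 8-bit bug behind the 2011/06/21 crypt_blowfish entry and the "$2x$" option in the 2011/06/22 john entry above, as an added C model that is not crypt_blowfish's code: only the key-expansion step is reproduced, with sign extension of bytes >= 0x80 as the defect, so bf_expand_key(), bf_key_word(), bf_same_key() and the sample passwords are this illustration's own.

```c
#include <stdint.h>
#include <string.h>

#define BF_KEY_WORDS 18   /* bcrypt packs the key into 18 32-bit P-array words */

/* Model of the key-expansion loop where the bug lived. Bytes are read
   cyclically, terminating NUL included. With sign_extension_bug set ($2x$),
   a byte >= 0x80 is sign-extended before being OR'd in, turning on every
   higher bit of the word and so erasing the 1-3 key bytes already packed
   into it; without it ($2y$, and OpenBSD's $2a$) bytes are unsigned. */
void bf_expand_key(const char *key, int sign_extension_bug,
                   uint32_t out[BF_KEY_WORDS])
{
    const char *ptr = key;
    for (int i = 0; i < BF_KEY_WORDS; i++) {
        uint32_t tmp = 0;
        for (int j = 0; j < 4; j++) {
            tmp <<= 8;
            if (sign_extension_bug)
                tmp |= (uint32_t)(int32_t)(signed char)*ptr; /* buggy */
            else
                tmp |= (unsigned char)*ptr;                   /* correct */
            if (*ptr == '\0') ptr = key; else ptr++;          /* wrap */
        }
        out[i] = tmp;
    }
}

/* One expanded word, for inspecting the damage. */
uint32_t bf_key_word(const char *key, int sign_extension_bug, int i)
{
    uint32_t w[BF_KEY_WORDS];
    bf_expand_key(key, sign_extension_bug, w);
    return w[i];
}

/* 1 if password a expanded with bug_a equals password b expanded with bug_b;
   an identical expanded key means an identical bcrypt hash for a given salt. */
int bf_same_key(const char *a, int bug_a, const char *b, int bug_b)
{
    uint32_t wa[BF_KEY_WORDS], wb[BF_KEY_WORDS];
    bf_expand_key(a, bug_a, wa);
    bf_expand_key(b, bug_b, wb);
    return memcmp(wa, wb, sizeof wa) == 0;
}
```

bf_same_key(p, 1, p, 0) tells whether a given password's recorded "$2x$" hash would fail to verify as "$2y$"; bf_same_key(p, 1, q, 1) shows two different passwords colliding under the old behaviour, which is what made them easier to crack.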
2011/03/12	Package: kernel
SECURITY FIX	Severity: low, local/remote, active
Updated the kernel to OpenVZ's latest from their "RHEL5 testing" branch (238.5.1.el5.028stab085.2) fixing a rare kernel panic with sysfs virtualization, a potential livelock in dirty pages balancing, and a bug in CFQ. The new RHEL5 kernel revision that this OpenVZ kernel is based on fixes a flaw in the garbage collector for AF_UNIX sockets (CVE-2010-4249, local DoS) and a flaw in handling of received packets exceeding the buffer limit (CVE-2010-4251, remote DoS). (It also includes a fix for CVE-2010-4655, but it was already included in our 2011/01/28 update.) Fixed an Owl-current specific bug in checksum calculation of fragmented ICMP echo request datagrams (reported by Piotr Meyer). Disabled the eepro100 driver in favor of e100.

References:
https://openvz.org/Download/kernel/rhel5-testing/028stab085.2
https://openvz.org/Download/kernel/rhel5-testing/028stab085.1
https://rhn.redhat.com/errata/RHSA-2011-0303.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4249
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4251
http://www.openwall.com/lists/owl-users/2011/03/06/1
http://www.openwall.com/lists/owl-users/2011/03/05/3

2011/03/02	Package: vsftpd
SECURITY FIX	Severity: none to low, remote, active
Updated to 2.3.4. This release corrects a DoS vulnerability discovered by Maksymilian Arciemowicz where an attacker permitted to login to an FTP server would be able to cause the vsftpd child process(es) spawned for their session(s) to consume excessive amounts of CPU time. If the attack is carried out on a sufficient number of FTP sessions (possibly from multiple source IP addresses to exceed a possible per-source limit), the FTP service would become unavailable and other services of the system would be greatly impacted.
References:
http://securityreason.com/achievement_securityalert/95
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0762

2011/02/24	Packages: openssl, openssh
Updated OpenSSL to 1.0.0d.

2011/02/18	Package: patchutils
Updated to 0.3.2.

2011/02/10	Package: kernel
Updated the kernel to OpenVZ's latest from their "RHEL5 testing" branch (238.1.1.el5.028stab084.3), which includes an updated fix for the x86_64 VDSO bug (the fix in 028stab084.1 was incomplete) and a fix for the optimized kmem accounting bug. Enabled Ethernet bridge support, PPP_MPPE, and the ULOG netfilter target. For more info, see the changelog for the kernel package.

References:
https://openvz.org/Download/kernel/rhel5-testing/028stab084.3
https://bugs.openvz.org/browse/OVZ-4893

2011/02/09	Package: patch
SECURITY FIX	Severity: high, indirect, passive
Backported a fix for CVE-2010-4651. The patch utility allowed ".." in pathnames, and it also allowed absolute pathnames, either of which could allow an attacker to create or modify arbitrary files outside of the intended directory tree using a specially-crafted patch file. Our partial fix of 2011/02/02 did not address the absolute pathname case.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=667529
http://www.openwall.com/lists/oss-security/2011/01/05/10
http://lists.gnu.org/archive/html/bug-patch/2010-12/msg00000.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4651

2011/02/05	Packages: usb_modeswitch, usb_modeswitch-data
New packages: usb_modeswitch is a mode switching tool for controlling "flip flop" (multiple device) USB gear. usb_modeswitch-data contains the data files for usb_modeswitch.

2011/02/05	Package: libusb-compat
New package: libusb-compat is a compatibility layer allowing applications written for libusb-0.1 to work with libusb-1.0. It is needed for usb_modeswitch.

2011/02/05	Package: kernel
Updated to upstream's "fixed fix for paging accounting".
The incomplete fix introduced with our 2011/02/04 update could have caused trouble with 32-bit x86 kernels.

Reference:
https://bugs.openvz.org/browse/OVZ-4891

2011/02/05	Package: shadow-utils
Added USERNAME_RELAXED and GROUPNAME_RELAXED options to /etc/login.defs, which, if changed to "yes", will allow capital letters to be used in new usernames and/or group names, respectively.

2011/02/04	Package: kernel
Updated the kernel to OpenVZ's latest from their "RHEL5 testing" branch (238.1.1.el5.028stab084.1), which includes updated atl1 driver (Attansic L1 Gigabit Ethernet). Enabled VDSO on x86_64 (the actual bug was believed to be fixed in 028stab084.1). Applied upstream's initial "fix for non-4levels page tables acct" (the bug was introduced in 084.1, so we did not have it before).

References:
https://openvz.org/Download/kernel/rhel5-testing/028stab084.1
https://bugs.openvz.org/browse/OVZ-4891

2011/02/02	Package: patch
Backported a partial fix for CVE-2010-4651. Since the fix turned out to be incomplete, this change is not actually fixing CVE-2010-4651 yet.

2011/01/31 - 2011/02/01	Packages: kernel, iputils, owl-etc, owl-startup
Added support for non-raw ICMP sockets to the kernel and made use of said support in ping(1).

References:
http://lwn.net/Articles/420799/
http://openwall.info/wiki/people/segoon/ping

2011/01/30	Package: vconfig
New package: vconfig is a user mode program to add and remove 802.1q VLAN virtual devices from Ethernet devices.

2011/01/29	Package: kernel
Dealt with two known critical x86_64 specific bugs introduced in 2.6.18-238.1.1.el5.028stab083.1, applying a fix for one of them (bootup on systems with more than 8 logical CPUs) and working around the other (VDSO, which is now temporarily disabled on x86_64, to be re-enabled with the next kernel update).

Reference:
https://openvz.org/Download/kernel/rhel5-testing/028stab083.1

2011/01/29	Package: nmap
Updated to 5.50.
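The two path conditions covered by CVE-2010-4651 (the 2011/02/09 and 2011/02/02 patch entries above), as an added C check that is not GNU patch's own code: patch_path_is_safe() is a name chosen here, and it rejects a file name from a patch header if it is absolute or contains any ".." component, the second being the case the partial fix already covered and the first the case it missed.

```c
#include <stddef.h>
#include <string.h>

/* Returns 1 if a file name taken from a patch header may be written under
   the current directory, 0 if it is empty, absolute, or climbs out of the
   tree via a ".." component. Deliberately conservative: "a/../b" would
   stay inside the tree, yet any ".." is refused, as the fix did. */
int patch_path_is_safe(const char *name)
{
    if (name == NULL || *name == '\0' || *name == '/')
        return 0;                              /* empty or absolute */
    const char *p = name;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                          /* a ".." component */
        if (end == NULL)
            return 1;
        p = end + 1;                           /* next component */
    }
}
```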
2011/01/28	Package: usbutils
New package: usbutils contains the lsusb utility for inspecting the devices connected to the USB bus.

2011/01/28	Package: libusb1
New package: libusb is a library providing access to USB devices.

2011/01/28	Package: kernel
SECURITY FIX	Severity: none to medium, local, active
Updated to OpenVZ's 2.6.18-238.1.1.el5.028stab083.1. Fixed a potential information leak in net/core/ethtool.c: ethtool_get_regs() - this was the portion of CVE-2010-4655 relevant to RHEL5 kernels. According to our analysis, this issue did not affect installs with default OpenVZ container settings, but it could affect systems where a network device was passed into an OpenVZ container by an administrator. Made numerous kernel configuration changes (enabled extra drivers, moved some to modules), documented the changes (and the rationale behind them) in the change log for the kernel package. (The important and relevant ones of the security fixes described in the Red Hat security advisories referenced below were already included in our previous kernel revision (in Owl 3.0) with our own backports from a "testing" Red Hat kernel.)

References:
https://openvz.org/Download/kernel/rhel5-testing/028stab083.1
https://rhn.redhat.com/errata/RHSA-2011-0163.html
https://openvz.org/Download/kernel/rhel5-testing/028stab082.1
https://rhn.redhat.com/errata/RHSA-2011-0004.html
http://www.openwall.com/lists/oss-security/2011/01/28/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4655

2011/01/27	Package: bridge-utils
New package: bridge-utils is a tool for configuring the Linux Ethernet bridge.

2011/01/27	Package: pv
New package: PV ("Pipe Viewer") is a tool for monitoring the progress of data through a pipeline.

2011/01/27	Package: ethtool
New package: ethtool is a utility for controlling network drivers and hardware, particularly for wired Ethernet devices.

2011/01/25	Package: e2fsprogs
Updated to 1.41.14.
2011/01/24	Package: owl-startup
Added "-s 131072" to the dmesg invocation in rc.sysinit. Without this change, /var/run/dmesg.boot was often incomplete.

2011/01/24	Package: lilo
Updated to 23.1.

2011/01/24	Package: vim
Moved a few syntax highlighting related files from the vim-syntax to the vim-enhanced subpackage to correct a packaging error where some files in vim-enhanced were dependent upon files from vim-syntax, which is not installed by default.

$Owl: Owl/doc/CHANGES-3.1,v 1.132 2018/05/23 19:23:53 solar Exp $