This file lists the major changes made between the last released
version of Owl and Owl-current.  While some of the changes listed here
may also be made to a stable branch, the complete lists of stable
branch changes are included with those branches and as errata for the
corresponding Owl releases only.

This is very far from an exhaustive list of changes.  Small changes to
individual packages won't be mentioned here unless they fix a security
or a critical reliability problem.  They are, however, mentioned in
change logs for the packages themselves.

Security fixes have a "Severity" specified for the issue(s) being fixed.
The three comma-separated metrics given after "Severity:" are: risk
impact (low, medium, or high), attack vector (local, remote, or
indirect), and whether the attack may be carried out at will (active) or
not (passive).  Please note that the specified risk impact is just that,
it is not the overall severity, so other metrics are not factored into
it.  For example, a "high" impact "local, passive" issue is generally of
lower overall severity than a "high" impact "remote, active" one - this
is left up to our users to consider given their specific circumstances.

Per our current conventions, a Denial of Service (DoS) vulnerability is
generally considered to have a "low" risk impact (even if it is a
"remote, active" one, which is to be considered separately as it may
make the vulnerability fairly critical under specific circumstances).
Some examples of "medium" impact vulnerabilities would be persistent DoS
(where the DoS effect does not go away with a (sub)system restart), data
loss, bugs enabling non-critical information leaks, cryptographic
signature forgeries, and/or sending of or accepting spoofed/forged
network traffic (where such behavior was unexpected), as long as they
would not directly allow for a "high" impact attack.  Finally, a typical
"high" impact vulnerability would allow for privilege escalation such as
ability to execute code as another user ID than the attacker's (a
"local" attack) or without "legitimately" having such an ability (a
"remote" attack).

The metrics specified are generally those for a worst case scenario,
however in certain cases ranges such as "none to low" or/and "local to
remote" may be specified, referring to the defaults vs. a worst case yet
"legitimate" custom configuration.  In some complicated cases, multiple
issues or attacks may be dealt with at once.  When those differ in their
severity metrics, we use slashes to denote the possible combinations.
For example, "low/none to high, remote/local" means that we've dealt
with issue(s) or attack(s) that are "low, remote" and those that are
"none to high, local".  In those tricky cases, we generally try to
clarify the specific issue(s) and their severities in the description.


	Changes made between Owl 3.1 and Owl-current.

2021/01/25 -
2021/04/04	Package: passwdqc
Updated to 2.0.2 (and first to intermediate releases).

2021/03/10	Package: scanlogd
Updated to 2.2.8

2021/01/11	Package: tcb
Updated to 1.2.

2020/05/19	Package: kernel
SECURITY FIX	Severity: high, local, active
Merged the most relevant fixes from RHEL5's -436, including for the
following local vulnerabilities: use-after-free in sys_mq_notify()
allowing for a local root compromise and container escape by any user
(CVE-2017-11176), divide-by-zero in __tcp_select_window() allowing for a
local DoS (CVE-2017-14106), use-after-free in ALSA allowing for a local
root compromise by a host user in group "audio" if the vulnerable kernel
module is loaded (CVE-2017-15265).  Also fixed is an inconsistency in
modify_ldt(2)'s memory (de)allocation, which got introduced along with
KPTI in our update to -431 and is known as Red Hat's "bug 1584622" and
might have had local security impact.
References:
https://access.redhat.com/errata/RHSA-2018:3822
https://access.redhat.com/errata/RHSA-2018:2172
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11176
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14106
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15265
https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part1.html

2020/02/04	Package: e2fsprogs
SECURITY FIX	Severity: none to high, indirect, passive
Updated to 1.45.5.  Since the version of e2fsprogs that we had packaged
previously, multiple vulnerabilities with attack vectors via malicious
filesystem images have been found and fixed in e2fsprogs components.
Those vulnerabilities don't pose a risk to typical systems that do not
use untrusted filesystem images, but are high impact on those that do.
References:
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1572
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0247

2019/12/25	Package: passwdqc
Updated to 1.4.0.

2019/04/12	Package: john
Updated to 1.9.0.

2018/07/03	Package: gnupg
SECURITY FIX	Severity: medium, local/indirect, passive
Updated to 1.4.23, which, compared to 1.4.21, fixes a side-channel leak
(CVE-2017-7526) and a bypass of signature verification in third-party
programs that invoke GnuPG (CVE-2018-12020).
References:
http://www.openwall.com/lists/oss-security/2017/07/06/8
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7526
http://www.openwall.com/lists/oss-security/2018/06/08/2
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020

2018/06/28	Package: kernel
Fixed a regression introduced with the previous update (to -431) where
some 32-bit syscalls would fail with EFAULT on a 64-bit kernel because
of improper alignment of the newly introduced KAISER/KPTI trampoline
stack.  This fix is due to investigation and patch by Pavel Kankovsky
and bug report by Chris Bopp.

2018/05/24	Package: lftp
Updated to 4.8.3.

2018/05/23	Packages: procps, procps-ng
SECURITY FIX	Severity: high, local, passive
Replaced procps with procps-ng 3.3.14 plus all Qualys patches fixing a
number of issues that Qualys found during their security audit,
including some issues that might have allowed successful attacks on a
user (or root) invoking top(1) or other procps programs.
References:
http://www.openwall.com/lists/oss-security/2018/05/17/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1122
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1123
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1124
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1125
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1126

2018/05/21	Package: kernel
SECURITY FIX	Severity: low to high, local, active
Updated to 2.6.18-431.el5.028stab123.1.  This is a belated (with Owl
being barely on life support at this point) addition of kernel page
table isolation (KPTI) on x86-64 (only) as a software fix for Meltdown
(CVE-2017-5754) - an issue that allowed userspace processes to read
kernel memory (except on AMD CPUs).  Also included is a fix for the "POP
SS" vulnerability (CVE-2018-8897), which allowed for a local DoS attack.
However, this update does not mitigate the set of CPU vulnerabilities
known as Spectre, although the exposure to them might be lower than it
is in newer kernels because of the lack of eBPF.
References:
https://meltdownattack.com
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
https://www.triplefault.io/2018/05/spurious-db-exceptions-with-pop-ss.html
http://www.openwall.com/lists/oss-security/2018/05/08/4
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8897

2017/10/25	Package: glibc
SECURITY FIX	Severity: none to high, remote, active
Backported upstream fix for the recently discovered glob heap buffer
overflow (CVE-2017-15670) and while at it also for integer overflows in
pvalloc, valloc, posix_memalign/memalign/aligned_alloc (CVE-2013-4332).
References:
http://www.openwall.com/lists/oss-security/2017/10/21/5
https://sourceware.org/bugzilla/show_bug.cgi?id=22320
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15670
http://www.openwall.com/lists/oss-security/2013/09/12/6
https://sourceware.org/bugzilla/show_bug.cgi?id=15855
https://sourceware.org/bugzilla/show_bug.cgi?id=15856
https://sourceware.org/bugzilla/show_bug.cgi?id=15857
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4332

2017/10/19	Package: kernel
SECURITY FIX	Severity: none to high, local, active
Updated to 2.6.18-419.el5.028stab122.4.  This addresses the issue of
Position Independent Executables' (PIE) data potentially overlapping in
memory with their stack areas (CVE-2017-1000253).  (Un)fortunately, on
Owl we do not yet build our SUID/SGID binaries as PIE (which would be a
security enhancement if it were not for this issue), so this did not
affect Owl itself, but it could affect third-party SUID/SGID binaries
installed on Owl (including e.g. as part of third-party distros in
containers).  The many other security issues also addressed with this
upstream update, as compared to the much older upstream revision we
built upon previously, had already been fixed or worked around in prior
kernel updates for Owl.
References:
http://www.openwall.com/lists/oss-security/2017/09/26/16
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000253
https://openvz.org/Download/kernel/rhel5/028stab122.4
https://openvz.org/Download/kernel/rhel5/028stab122.3
https://openvz.org/Download/kernel/rhel5/028stab122.2
https://openvz.org/Download/kernel/rhel5/028stab122.1
https://openvz.org/Download/kernel/rhel5/028stab120.3
https://openvz.org/Download/kernel/rhel5/028stab120.2

2017/06/19	Package: kernel
SECURITY FIX	Severity: none to high, local, active
On SUID/SGID exec, limit the size of argv+envp to 512 KiB and the stack
size to 10 MiB, similarly to what grsecurity did in 2012.  This prevents
some of the stack/heap clash attacks described by Qualys, while some
others were already prevented for years by our glibc hardening changes.
References:
http://www.openwall.com/lists/oss-security/2017/06/19/1
https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash

2017/06/15	Package: db4
SECURITY FIX	Severity: medium to high, local, active
Don't open the DB_CONFIG file in the current directory.  This unexpected
property of db4 could have allowed for local DoS, information leaks, and
privilege escalation via programs using db4, including Postfix.
Reference:
http://www.openwall.com/lists/oss-security/2017/06/15/3

2017/06/08	Package: kernel
Backported upstream reimplementation of restricted hard links,
controllable via the fs.protected_hardlinks sysctl and enabled by
default, similar to what we had as part of CONFIG_HARDEN_LINK in -ow
patches and what grsecurity had as part of CONFIG_GRKERNSEC_LINK.  This
reinforces the group crontab vs. root privilege separation in our
package of ISC/Vixie Cron.
Reference:
http://www.openwall.com/lists/oss-security/2017/06/08/3

2017/04/02	Package: kernel
SECURITY FIX	Severity: high, local, active
Merged upstream fix to locking in net/ipv4/ping.c: ping_unhash(), where
the race condition could have been exploited by container root into e.g.
container escape.  Without a vulnerability in ping(1), the issue was not
triggerable by non-root users (neither host nor container).
References:
http://www.openwall.com/lists/oss-security/2017/03/24/6
http://lists.openwall.net/netdev/2017/03/25/16

2017/01/25	Package: kernel
SECURITY FIX	Severity: high, local, active
Merged in a fix of use-after-free in the recvmmsg() exit path
(CVE-2016-7117) from Red Hat's -417.  The vulnerability appears likely
to be exploitable locally.  Remote exploitation might be possible as
well, but would require specific (unlikely?) behavior of a service.
References:
https://blog.lizzie.io/notes-about-cve-2016-7117.html
https://access.redhat.com/security/cve/cve-2016-7117
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7117

2016/12/10	Package: kernel
Merged in Red Hat's CVE-2016-5195 "Dirty COW" fix while also keeping the
mitigation introduced in Owl earlier.  In the kernel build for x86-64,
bumped up the maximum number of logical CPUs from 32 to 96, enabled
support for NUMA, huge pages, hugetlbfs, modules for I2C and many
sensors (similar to what's enabled in RHEL) and CPU microcode update.

2016/10/23	Package: kernel
SECURITY FIX	Severity: high, local, active
Added a mitigation for the "Dirty COW" Linux kernel privilege escalation
vulnerability (CVE-2016-5195).
References:
http://www.openwall.com/lists/oss-security/2016/10/21/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195

2016/10/17 -
2016/10/21	Package: bind
SECURITY FIX	Severity: low, remote, active
Merged multiple DoS vulnerability fixes from Red Hat's package, most
notably for two easily triggerable assertion failures (CVE-2016-2776,
CVE-2016-2848).
References:
http://www.openwall.com/lists/oss-security/2016/09/27/8
https://kb.isc.org/article/AA-01419
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2776
http://www.openwall.com/lists/oss-security/2016/10/20/7
https://kb.isc.org/article/AA-01433/74/CVE-2016-2848
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2848

2016/08/23	Package: openssh
Backported upstream fix for a use-after-free in sshd's debugging output,
with no known security impact.

2016/08/23	Package: openssl
SECURITY FIX	Severity: none to high, remote, active
Updated to 1.0.0t, which fixes the "X509_ATTRIBUTE memory leak"
(CVE-2015-3195) and "Race condition handling PSK identify hint"
(CVE-2015-3196) vulnerabilities.  Neither of these affects the uses of
OpenSSL in Owl, but third-party applications using Owl's OpenSSL might
be affected.  The "high" impact potential is for the double-free
possibility mentioned in the OpenSSL advisory, even though the OpenSSL
team has rated the corresponding issue as "low" overall severity
(possibly considering its low risk probability, or/and other mitigating
factors).  This Owl package update also adds a CA certificate bundle.
Reference:
https://www.openssl.org/news/secadv/20151203.txt

2016/08/23	Package: kernel
SECURITY FIX	Severity: low, local, active
Updated to 2.6.18-408.el5.028stab120.1, which addresses several DoS
vulnerabilities, and additionally fixed a kernel panic triggerable via
the move_pages() syscall.
Reference:
https://openvz.org/Download/kernel/rhel5-testing/028stab120.1

2016/08/23	Package: gnupg
SECURITY FIX	Severity: medium, remote, passive
Updated to 1.4.21, which, compared to 1.4.18, fixes side-channel leaks
(CVE-2014-3591, CVE-2015-0837) and a bug in the random number generator
where an attacker who obtains 4640 bits from the RNG could trivially
predict the next 160 bits of output (CVE-2016-6313).
References:
https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html
http://www.openwall.com/lists/oss-security/2016/08/17/8
https://lists.gnupg.org/pipermail/gnupg-announce/2015q4/000382.html
https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html
http://www.cs.tau.ac.il/~tromer/radioexp/

2016/07/20	Package: passwdqc
In version 1.3.1, fixed a bug in pam_passwdqc's rarely used "non-unix"
option.  The bug existed since passwdqc 1.1.3, released in 2009.
Reference:
http://www.openwall.com/lists/announce/2016/07/22/1

2015/08/01	Package: openssl
SECURITY FIX	Severity: none to medium, remote, passive to active
Updated to 1.0.0s, which fixes many Low and Moderate severity issues
(per OpenSSL's classification), as well as one High severity issue in
the client: silent downgrades of RSA to EXPORT_RSA (CVE-2015-0204), with
the corresponding attack known as FREAK.
References:
https://www.openssl.org/news/secadv_20150108.txt
https://www.openssl.org/news/secadv_20150319.txt
https://www.openssl.org/news/secadv_20150611.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
https://freakattack.com
https://en.wikipedia.org/wiki/FREAK

2015/07/31	Package: bind
SECURITY FIX	Severity: low, remote, active
Merged multiple DoS vulnerability fixes from Red Hat's package, most
notably for the easily triggerable error in handling of TKEY queries
(CVE-2015-5477).
References:
http://www.openwall.com/lists/oss-security/2015/07/29/3
https://kb.isc.org/article/AA-01272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477

2015/06/11	Package: kernel
SECURITY FIX	Severity: high, local, active
Fixed OpenVZ container filesystem (simfs) escape vulnerability via bind
mounts (CVE-2015-2925).
References:
https://bugs.openvz.org/browse/OVZ-6296
http://www.openwall.com/lists/oss-security/2015/04/03/7
https://access.redhat.com/security/cve/CVE-2015-2925
https://bugzilla.redhat.com/show_bug.cgi?id=1209367

2015/06/09	Package: kernel
SECURITY FIX	Severity: high, local, active
Updated to 2.6.18-406.el5.028stab119.1.  Most importantly, this fixes a
possible I/O vector array overrun, which could allow for local privilege
escalation (CVE-2015-1805).
References:
https://openvz.org/Download/kernel/rhel5-testing/028stab119.1
http://rhn.redhat.com/errata/RHSA-2015-1042.html
http://www.openwall.com/lists/oss-security/2015/06/06/2
https://openvz.org/Download/kernel/rhel5/028stab118.1
http://rhn.redhat.com/errata/RHSA-2015-0164.html

2015/03/06	Package: strace
Updated to 4.10.

2015/01/28	Package: glibc
SECURITY FIX	Severity: none to high, remote, active
Backported upstream's fix for a buffer overflow in gethostbyname*()
functions, which could be triggered via a crafted IP address argument.
Depending on the application that uses these functions, this
vulnerability could allow a local or a remote attacker to execute
arbitrary code.  Due to the analysis by Qualys (referenced below), it is
known that the issue could be exploited remotely via Exim (which we do
not include in Owl) or locally via clockdiff or procmail if these are
installed SUID/SGID or with filesystem capabilities (not the case on
Owl).  While there's no known security impact on Owl itself, Owl with
third-party software added (as many real-world installs have) may be
affected, with worst-case impact ranging up to a remote root compromise.
References:
http://www.openwall.com/lists/oss-security/2015/01/27/9
https://blog.qualys.com/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability
https://sourceware.org/bugzilla/show_bug.cgi?id=15014
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235

2015/01/26	Package: libnss
SECURITY FIX	Severity: none to medium, indirect, passive
Updated to 3.17.3. which includes a fix for "RSA PKCS#1 signature
verification forgery is possible due to too-permissive SignatureAlgorithm
parameter parsing" (CVE-2014-1568) since version 3.17.1.  The only part
potentially affected by this in Owl is RPM since it is the only package
using NSS currently, although we do not use RPM's signature verification
for Owl's own packages (we use GnuPG-signed mtree files instead).
References:
https://bugzilla.mozilla.org/show_bug.cgi?id=1064636
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568

2015/01/26	Package: libnspr
Updated to 4.10.7.

2015/01/04	Package: openssl
SECURITY FIX	Severity: none to medium, remote, active
Updated to 1.0.0o, which fixes "Information leak in pretty printing
functions" (CVE-2014-3508), "Race condition in
ssl_parse_serverhello_tlsext" (CVE-2014-3509), "Session Ticket Memory
Leak" (CVE-2014-3567), and adds support for "SSL 3.0 Fallback
protection" to let applications mitigate POODLE (CVE-2014-3566).
References:
https://www.openssl.org/news/secadv_20140806.txt
https://www.openssl.org/news/secadv_20141015.txt

2015/01/04	Package: bash
Updated to 3.1 patchlevel 23.

2015/01/04	Package: help2man
New package: help2man, which creates simple man pages from the output of
programs.  It currently generates the diff(1) man page during Owl build.

2014/12/28	Package: kernel
SECURITY FIX	Severity: none to high, local, active
Updated to 2.6.18-400.el5.028stab117.2, which most importantly fixes a
local privilege escalation vulnerability on x86-64 (CVE-2014-9322).
References:
https://openvz.org/Download/kernel/rhel5/028stab117.2
http://www.openwall.com/lists/oss-security/2014/12/15/6
https://rhn.redhat.com/errata/RHSA-2014-2008.html
https://rhn.redhat.com/errata/RHSA-2014-1959.html
https://openvz.org/Download/kernel/rhel5/028stab116.1
https://rhn.redhat.com/errata/RHBA-2014-1196.html
https://rhn.redhat.com/errata/RHSA-2014-1143.html
https://rhn.redhat.com/errata/RHSA-2014-0926.html

2014/10/25	Package: tzdata
Updated to 2014i.

2014/09/25 -
2014/09/27	Package: bash
SECURITY FIX	Severity: none to high, remote, active
Updated to 3.1 patchlevel 19 with additional patches by Florian Weimer
of Red Hat.  This fixes vulnerabilities with and introduces security
hardening of function imports, which could in many setups be exploited
remotely.
References:
http://www.openwall.com/lists/oss-security/2014/09/24/10
http://www.openwall.com/lists/oss-security/2014/09/24/11
http://www.openwall.com/lists/oss-security/2014/09/24/40
http://www.openwall.com/lists/oss-security/2014/09/25/5
http://www.openwall.com/lists/oss-security/2014/09/25/13
http://www.openwall.com/lists/oss-security/2014/09/25/32
http://www.openwall.com/lists/oss-security/2014/09/26/2
http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
https://access.redhat.com/blogs/766093/posts/1976383
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187

2014/08/16	Package: strace
Updated to 4.9.

2014/07/12	Package: sqlite
Introduced a new package due to the new RPM requirements.

2014/07/12	Package: rpm
Updated to 4.11.2.
The payload compression method was changed from bzip2 to xz.

2014/07/12	Package: mpfr
Updated to 3.1.2 patch-level 8.

2014/07/12	Package: m4
Updated to 1.4.17.

2014/07/12	Package: libtool
Updated to 2.4.2.

2014/07/12	Package: libpopt
Updated to 1.16.
Introduced the libpopt library as an independent, separate package.

2014/07/12	Package: libnss
Introduced a new package due to the new RPM requirements.

2014/07/12	Package: libnspr
Introduced a new package due to the new RPM requirements.

2014/07/12	Package: libnet
Updated to 1.2-rc3.

2014/07/12	Package: libmpc
Updated to 1.0.2.

2014/07/12	Package: gmp
Updated to 6.0.0a.

2014/07/12	Package: gettext
Updated to 0.19.1.

2014/07/12	Package: gdbm
Updated to 1.11.

2014/07/12	Package: flex
Updated to 2.5.39.

2014/07/12	Package: file
Updated to 5.19.

2014/07/12	Package: coreutils
Updated to 8.22.

2014/07/12	Package: bison
Updated to 3.0.2.

2014/07/12	Package: automake
Updated to 1.14.

2014/07/12	Package: autoconf
Updated to 2.69.

$Owl: Owl/doc/CHANGES-current,v 1.50 2021/04/04 17:18:36 solar Exp $