This file lists the major changes made between Owl releases. While some of the changes listed here may also be made to a stable branch, the complete lists of stable branch changes are included with those branches and as errata for the corresponding Owl releases only.

This is very far from an exhaustive list of changes. Small changes to individual packages won't be mentioned here unless they fix a security or a critical reliability problem. They are, however, mentioned in change logs for the packages themselves.

Security fixes have a "Severity" specified for the issue(s) being fixed. The three comma-separated metrics given after "Severity:" are: risk impact (low, medium, or high), attack vector (local, remote, or indirect), and whether the attack may be carried out at will (active) or not (passive). Please note that the specified risk impact is just that, it is not the overall severity, so other metrics are not factored into it. For example, a "high" impact "local, passive" issue is generally of lower overall severity than a "high" impact "remote, active" one - this is left up to our users to consider given their specific circumstances.

Per our current conventions, a Denial of Service (DoS) vulnerability is generally considered to have a "low" risk impact (even if it is a "remote, active" one, which is to be considered separately as it may make the vulnerability fairly critical under specific circumstances). Some examples of "medium" impact vulnerabilities would be bugs enabling non-critical information leaks, cryptographic signature forgeries, and/or sending of or accepting spoofed/forged network traffic (where such behavior was unexpected), as long as they would not directly allow for a "high" impact attack. Finally, a typical "high" impact vulnerability would allow for privilege escalation such as ability to execute code as another user ID than the attacker's (a "local" attack) or without "legitimately" having such an ability (a "remote" attack).

The metrics specified are generally those for a worst case scenario, however in certain cases ranges such as "none to low" or/and "local to remote" may be specified, referring to the defaults vs. a worst case yet "legitimate" custom configuration. In some complicated cases, multiple issues or attacks may be dealt with at once. When those differ in their severity metrics, we use slashes to denote the possible combinations. For example, "low/none to high, remote/local" means that we've dealt with issue(s) or attack(s) that are "low, remote" and those that are "none to high, local". In those tricky cases, we generally try to clarify the specific issue(s) and their severities in the description.

Changes made between Owl 2.0 and Owl 3.0.

2010/12/13 - 2010/12/14 Owl/build/{installworld.sh,installorder.conf}
Various corrections were made to "make installworld" to better support upgrades from ("installs over") Owl 2.0.

2010/12/13 Package: perl
SECURITY FIX Severity: none to high, remote, active
Added security fix backports found in Red Hat's 5.8.8-32.el5.2. These are for a double-free bug triggerable via malicious regexps with UTF-8 characters (CVE-2008-1927), Safe.pm restrictions bypass (CVE-2010-1168), and race conditions in the rmtree function in File::Path (CVE-2008-5302, CVE-2008-5303). Despite these fixes, we recommend that regexps not be obtained or formed from untrusted input, Safe.pm not be used at all (it is regarded by many as a failed experiment and is a candidate for removal from the core Perl distribution), and rmtree not be used on directory trees potentially under an attacker's control.
References:
http://rt.perl.org/rt3/Public/Bug/Display.html?id=48156
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1927
http://www.openwall.com/lists/oss-security/2010/05/20/5
http://www.mail-archive.com/debian-bugs-rc@lists.debian.org/msg220612.html
https://rhn.redhat.com/errata/RHSA-2010-0458.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1168
http://www.openwall.com/lists/oss-security/2008/11/28/2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5302
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5303

2010/12/09 Packages: owl-cdrom, owl-setup
Added new boot label called "safe" to the CD boot menu. Currently, this adds the "acpi=ht" kernel parameter (for machines that have problems with ACPI support), which "settle" propagates into the installed system.

2010/12/08 Package: kernel
SECURITY FIX Severity: medium to high, local, active
Updated the kernel to OpenVZ's latest from their "RHEL5 testing" branch (2.6.18-194.26.1.el5.028stab079.1). Fixed "dangerous interaction between clear_child_tid, set_fs(), and kernel oopses" (CVE-2010-4258, problem discovered and fix proposed by Nelson Elhage of Ksplice). Merged many security-relevant patches from Red Hat's 2.6.18-236.el5 (mostly for infoleaks discovered by Dan Rosenberg, as well as his patch introducing the dmesg_restrict sysctl and CONFIG_SECURITY_DMESG_RESTRICT). Merged Red Hat's fix for "Bug 614957 - ext4: mount error path corrupts slab memory" (the bug could be triggered by a sysadmin making a typo in a "mount" command or in /etc/fstab).
References:
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab079.1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4258
http://www.openwall.com/lists/oss-security/2010/12/02/3
http://www.openwall.com/lists/oss-security/2010/12/02/7
http://www.openwall.com/lists/oss-security/2010/12/08/4
https://rhn.redhat.com/errata/RHSA-2010-0839.html
https://rhn.redhat.com/errata/RHSA-2010-0723.html
https://bugzilla.redhat.com/show_bug.cgi?id=614957

2010/12/06 Package: vim
Updated to 7.3 patchlevel 75. Moved most syntax highlighting files and translations of VIM messages to separate subpackages that are not to be installed by default.

2010/12/06 Package: man-pages
Updated to 3.32.

2010/12/04 Package: postfix
Updated to 2.4.15.

2010/12/04 Packages: bash, tcsh
The default shell prompts have been revised to be directly reusable on ssh and scp command-lines.

2010/11/30 Package: cvs
SECURITY FIX Severity: none to medium, local, passive to active
Applied upstream's fix to an array index error, leading to a heap-based buffer overflow, found in the way CVS applied certain delta fragment changes from input files in the RCS (Revision Control System) file format. If an attacker in control of a CVS repository stored a specially-crafted RCS file in that repository, this could result in arbitrary code execution with the privileges of the CVS server process on the system hosting the CVS repository when a remote user eventually checks out a revision of the affected file.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3846
http://cvs.savannah.gnu.org/viewvc/cvs/ccvs/src/rcs.c?r1=1.262.4.65&r2=1.262.4.66
https://bugzilla.redhat.com/show_bug.cgi?id=642146

2010/11/25 Package: xz
Updated to 5.0.0.

2010/11/25 Package: lftp
Updated to 4.1.1.

2010/11/15 Package: man-pages
Updated to 3.31.

2010/11/15 Package: smartmontools
Updated to 5.40.

2010/11/15 Package: SysVinit
Updated to 2.88dsf.

2010/11/09 Package: man-pages
Updated to 3.30.

2010/11/09 Package: iptables
Updated to 1.4.10.

2010/11/05 Package: cdrkit
Updated to 1.1.11.

2010/10/31 Package: gnupg
Updated to 1.4.11.

2010/10/27 Package: man-pages
Updated to 3.29.

2010/10/27 Package: hdparm
Updated to 9.35.

2010/10/18 Package: pam
SECURITY FIX Severity: none to medium, local, active
Updated to 1.1.2+ snapshot 20101011. This code revision introduces the proper privilege switching into pam_env, pam_mail, and pam_xauth. None of these modules are in use on default installs of Owl, and they never were, hence there was no impact for default installs.
References:
http://www.openwall.com/lists/oss-security/2010/08/16/2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3316
http://www.openwall.com/lists/oss-security/2010/09/21/3
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3431

2010/10/06 - 2010/10/16 Package: vim
Updated to 7.3 patchlevel 21, made numerous changes to the package.

2010/10/15 Package: ncurses
Updated to 5.7-20101009.

2010/10/15 Package: flex
Updated to 2.5.35.

2010/10/11 Package: diffstat
Updated to 1.54.

2010/10/07 Package: man-pages
Updated to 3.28.

2010/10/07 Package: ed
Updated to 1.5.

2010/10/07 Package: hdparm
Updated to 9.33.

2010/10/04 Package: binutils
Updated to 2.20.51.0.11.

2010/09/24 Package: hdparm
Updated to 9.32.

2010/09/24 Package: kernel
SECURITY FIX Severity: high, local, active
Updated the kernel to OpenVZ's latest from their "RHEL5 testing" branch (2.6.18-194.11.3.el5.028stab071.5). Added a fix for the compat_alloc_user_space() function missing sanity checks (CVE-2010-3081) from OpenVZ's 028stab070.5 (the same as Red Hat's from their -194.11.4 RHEL5 kernel). This was a "local root" vulnerability on 64-bit kernels built with 32-bit compatibility enabled.
References:
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab071.5
http://wiki.openvz.org/Download/kernel/rhel5/028stab070.5
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3081
https://bugzilla.redhat.com/show_bug.cgi?id=634457
http://rhn.redhat.com/errata/RHSA-2010-0704.html
https://access.redhat.com/kb/docs/DOC-40265

2010/09/21 Package: grep
Updated to 2.7.

2010/09/21 Package: bzip2
SECURITY FIX Severity: high, indirect, passive
Updated to 1.0.6. This release fixes an integer overflow vulnerability discovered by Mikolaj Izdebski in the BZ2_decompress function in bzip2/libbz2. An attacker could use the vulnerability to crash bzip2 or an application using libbz2 or potentially to execute arbitrary code via a crafted "bzip2-compressed" file.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0405
http://xorl.wordpress.com/2010/09/21/cve-2010-0405-bzip2-integer-overflow/

2010/09/02 - 2010/09/18 Package: pam_mktemp
Revised pam_mktemp in multiple ways mostly relevant to (re)uses of this module on systems other than Owl.

2010/09/06 Package: rpm
Backported xz/lzma support for Source and Patch files, as well as for package payloads.

2010/09/06 Package: xz
New package: data compression library and a set of gzip-style tools for working with files compressed with the Lempel-Ziv-Markov chain algorithm (LZMA). It supports two formats: .xz and the older .lzma format.

2010/09/06 Package: lftp
Updated to 4.0.10.

2010/09/01 - 2010/09/03 Packages: openssh, owl-cdrom, owl-dev, owl-setup, owl-startup, rpm, iputils
Assorted minor improvements have been made and/or bugfixes applied to these Owl packages (as usual, more detail is available in the packages' change logs).

2010/08/30 - 2010/09/03 Package: kernel
SECURITY FIX Severity: low to high, local, active
Updated the kernel to OpenVZ's latest from their "RHEL5 testing" branch (2.6.18-194.11.3.el5.028stab071.3), applied some additional bugfixes, and of course preserved our usual changes.
Enabled CONFIG_FUSION_* and CONFIG_PCNET32 (as modules) for easier Owl installation into VMware and VirtualBox VMs.
References:
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab071.3
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab071.2
http://wiki.openvz.org/Download/kernel/rhel5/028stab070.4
http://rhn.redhat.com/errata/RHSA-2010-0661.html
http://rhn.redhat.com/errata/RHSA-2010-0610.html
http://www.openwall.com/lists/oss-security/2010/08/16/1
http://www.openwall.com/lists/oss-security/2010/08/27/1
http://www.openwall.com/lists/oss-security/2010/08/30/3

2010/08/19 - 2010/09/01 Package: m4
Updated to 1.4.15.

2010/09/01 Package: file
Updated to 5.04.

2010/09/01 Package: acct
Updated to 6.5.4.

2010/08/30 Package: vsftpd
Updated to 2.3.2.

2010/08/29 Package: mktemp
Updated to 1.7.

2010/08/29 Package: hdparm
Updated to 9.30.

2010/08/28 Package: ltrace
Updated to 0.5.3-2.1.

2010/08/27 Package: grep
Updated to 2.6.3.

2010/08/27 Package: sed
Updated to 4.2.1.

2010/08/24 Package: iptables
Updated to 1.4.9.1.

2010/08/24 Package: cdrkit
Updated to 1.1.10.

2010/08/24 Package: gawk
Updated to 3.1.8.

2010/08/24 Package: diffstat
Updated to 1.53.

2010/08/19 Package: man
Updated to 1.6f.

2010/08/19 Package: man-pages
Updated to 3.25.

2010/08/18 Package: bison
Updated to 2.4.3.

2010/08/18 Package: diffutils
Updated to 3.0.

2010/08/17 Package: e2fsprogs
Updated to 1.41.12.

2010/07/29 Package: lftp
Updated to 4.0.9.

2010/07/28 Package: postfix
Updated to 2.4.14.

2010/07/28 Package: openssh
The SSH client will now use protocol 2 by default (finally).

2010/07/27 Packages: owl-startup, modutils
/etc/rc.d/rc.sysinit has been enhanced and corrected in numerous ways: it will disable the console screensaver (such that datacenter staff may see the last console messages without connecting a keyboard or even if the system freezes), distinguish more kinds of fsck exit codes and act accordingly, and use "depmod -A" instead of "depmod -a" (to avoid rebuilding of kernel module dependencies unnecessarily). The default /etc/sysctl.conf will now explicitly set vm.mmap_min_addr to a reasonable non-zero value (currently 96 KB), not relying on the kernel to have a similar default anymore (although our kernel does).

2010/07/19 - 2010/07/28 Packages: owl-setup, owl-etc, owl-hier; Owl/build/install{iso,vz}tree.sh
Added ext4 filesystem support - in fact, "settle" (the Owl installer program) will now offer ext4 by default, with ext3 and ext2 still available as non-default per-filesystem choices. Made the menus, prompts, and messages of both "settle" and "setup" hopefully more intuitive by clearly indicating which steps are optional, required, or recommended (and the like), having a bit fewer menu items (where some could be dropped or replaced without a loss of functionality for any of our users), revising menu item names and hint messages, and offering likely-correct inputs as defaults. Revised the console font/map presets for Cyrillic and Western European encodings. Almost all on-disk filesystems are now mounted with "noatime" by default (for better performance), and a /sys mountpoint and fstab entry (for sysfs) are now created by default (with "noauto").

2010/07/24 Package: owl-cdrom
Revised the LILO boot menu, leaving only two boot targets: "normal" and "rescue". This makes use of the new kernel's boot CD/DVD drive device autodetection. Revised the "welcome" script to reflect other changes, and enhanced it in numerous minor ways.

2010/07/17 - 2010/07/21 Packages: kernel, lilo, owl-cdrom, owl-setup; Owl/build/{install*.sh,Makefile}; Owl/doc/*
SECURITY FIX Severity: none to high, local, active
Updated the kernel to OpenVZ's latest from their rhel5 branch (2.6.18-194.8.1.el5.028stab070.2) with minor additional changes in Owl. As usual, this kernel version contains a number of security fixes (mostly backports made by Red Hat). The security impact of CVE-2010-0291 ("mremap/mmap mess"), if any, on x86 and x86-64 systems is difficult to determine. The remaining issues fixed were NULL pointer dereferences (the impact of which had been reduced to a DoS due to vm.mmap_min_addr) and/or were in kernel subsystems not built on Owl by default. At the same time with making this update, the kernel has been RPM-packaged, but in a way allowing for easy non-packaged builds as well (there are only two cumulative patch files). AHCI vs. Marvell PATA driver co-existence fixes have been backported from Linux 2.6.34.1. Boot CD/DVD drive device autodetection has been implemented (needed to locate the root filesystem when booting off a CD/DVD with LILO). ext4 filesystem support has been enabled.
References:
http://wiki.openvz.org/Download/kernel/rhel5/028stab070.2
http://rhn.redhat.com/errata/RHSA-2010-0504.html

2010/06/14 Package: john
Updated to 1.7.6, including usability improvements relevant to the Owl package of John the Ripper.

2010/06/07 Package: tcb
Updated to 1.0.6.

2010/05/04 Package: lftp
SECURITY FIX Severity: high, remote, passive
Updated to 4.0.7. This changes the default behavior of lftp(1) and the lftpget(1) script to no longer trust and use a possible server-provided filename instead of the user-specified download filename.
Reference:
http://www.ocert.org/advisories/ocert-2010-001.html

2010/04/14 Package: strace
Updated to 4.5.20.

2010/03/27 Package: passwdqc
In passwdqc 1.2.1, a password strength check has been adjusted to no longer subject certain passwords that start with a digit and/or end with a capital letter to an unintentionally stricter policy.

2010/03/22 kernel; Owl/build/buildkernel.sh; Package: owl-cdrom
SECURITY FIX Severity: none to high, remote, active
Updated the kernel to OpenVZ's latest from their "rhel5" branch (2.6.18-164.11.1.el5.028stab068.5 released on 2010/03/18) with Red Hat's patches up to 2.6.18-164.15.1.el5 added (apparently prepared by Red Hat on 2010/03/01, released and announced on 2010/03/16), and with some minor changes of our own. We call the resulting kernel version 2.6.18-164.15.1.el5.028stab068.5-owl1. Compared to earlier "rhel5" kernels, this update fixes a large number of vulnerabilities of varying impact in various kernel subsystems, which may or may not have been exposed in specific circumstances.

2010/03/11 - 2010/03/21 Packages: tar, cpio
SECURITY FIX Severity: high, indirect, passive
Updated tar to 1.23, which includes a fix for the heap-based buffer overflow in the rmt client functionality (CVE-2010-0624), and applied a fix for the same vulnerability to cpio. The attack would require either that an rmt server being used by tar or cpio on purpose is compromised first (by other means) or that these tools are fooled into accessing a malicious rmt server, such as via having them run on a malicious filename. The latter risk was mitigated by tar's default to use ssh for the --rsh-command and by ssh defaulting to asking the user before accepting an unrecognized host key. In cpio's case, it was mitigated by cpio requiring the --rsh-command option to use rmt. With our update to tar, we have also patched it to require its --rsh-command option to use rmt (just like cpio does), and we applied a number of post-release fixes for regressions introduced in the 1.23 release.
References:
http://www.agrs.tu-berlin.de/index.php?id=78327
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0624
http://lists.gnu.org/archive/html/bug-tar/2010-03/msg00036.html

2010/03/20 Package: hdparm
Updated to 9.28.

2010/03/20 Package: pciutils
Updated to 3.1.7.

2010/03/19 Package: libnids
Updated to 1.24.

2010/03/13 - 2010/03/16 Package: passwdqc
Enhanced passwdqc in numerous ways bringing it up to version 1.2.0.

2010/03/15 Package: quota
Updated to 3.17.

2010/03/05 Package: tcsh
Updated to 6.17.00.

2010/02/26 Package: john
Several minor features were added and usability improvements made to John the Ripper, bringing it up to version 1.7.5.

2010/02/11 - 2010/02/25 Package: tcb
Updated to 1.0.5.

2010/02/15 Package: vim
Updated to 7.2 patchlevel 351. Introduced new subpackages -spell and -tutor (not installed by default).

2010/02/11 Package: glibc
Replaced linuxthreads with NPTL.

2010/02/02 Package: gzip
Updated to 1.4.

2010/01/28 Owl/build/{Makefile,installworld.conf,installworld.sh,installvztree.sh,makevztemplate.sh}
Implemented "make vztemplate" - a make target to easily generate OpenVZ container templates of the Owl userland. The resulting templates may be used on Owl and/or on other Linux systems with OpenVZ.

2010/01/24 - 2010/01/28 Package: nmap
Updated to 5.21 with our usual enhancements for privilege reduction.

2010/01/21 - 2010/01/26 Package: pciutils
Updated to 3.1.6.

2010/01/20 Package: gzip
SECURITY FIX Severity: none to high, indirect, passive
Applied upstream's fix for an integer underflow leading to an array index error in the way gzip used to decompress data compressed with the Lempel-Ziv-Welch (LZW) compression algorithm. An attacker could provide a specially-crafted LZW-compressed gzip archive, which once decompressed by an unsuspecting user on a 64-bit system would lead to a gzip crash or potentially to arbitrary code execution with the privileges of the user running gzip.
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0001

2009/12/17 - 2010/01/18 Package: john
John the Ripper has been enhanced in numerous ways, bringing it up to version 1.7.4.2. Functionality and performance of the word mangling rules engine have been improved, the default rulesets and the bundled common passwords list have been revised, performance with very large password files or sets of files has been improved, idle priority has been enabled by default.
References:
http://www.openwall.com/lists/announce/2009/12/26/1
http://www.openwall.com/lists/announce/2010/01/19/1

2009/11/30 Package: libtool
SECURITY FIX Severity: none to high, local, passive
Applied upstream's backport of libltdl changes from the libtool 2.26b release: no longer attempt to dlopen() the old_library listed in .la files, and do not open module.la files from the current directory. No Owl packages use libltdl and therefore none are vulnerable, but third-party software could be abused by e.g. creating a malicious .la file and tricking a privileged user into executing a libltdl-based application in the same directory.
References:
http://lists.gnu.org/archive/html/libtool/2009-11/msg00059.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736

2009/11/28 Package: rpm; Owl/build/buildworld.sh; Owl/doc/{ARCHITECTURES,BUILD}
On 32-bit x86, packages are now built for the i686 architecture flavor by default.

2009/11/23 Packages: vzctl, vzquota; Owl/build/installorder.conf
New packages: tools to create/control/examine/destroy OpenVZ containers.

2009/11/20 - 2009/11/23 kernel; Owl/build/buildkernel.sh; Packages: owl-cdrom, procps, util-linux
The default kernel has been replaced with OpenVZ's latest from their "rhel5" branch, with some modifications of our own (mostly for better compatibility with the Owl userland, as well as for security).
Formally, this was forked off Linux 2.6.18 (originally by Red Hat), but the changes are so extensive that this is actually an up-to-date kernel branch/version on its own, including Red Hat's backports of security fixes (and a lot more) and OpenVZ's container-based virtualization. This kernel branch is currently maintained by both Red Hat (for RHEL5) and OpenVZ. The specific version number we're currently using is 2.6.18-128.2.1.el5.028stab064.8-owl0.2.

2009/11/20 Package: gcc; Owl/build/{installorder.conf,installworld.sh}
Dropped two older libstdc++-*-compat subpackages, which were providing binary compatibility for C++ programs built with gcc 2.x.

2009/11/20 Package: ipchains; Owl/build/installorder.conf
Dropped package: ipchains has been obsoleted by iptables for years, but we kept it in Owl to ease transition of existing systems from Linux 2.2 to Linux 2.4 kernels (which still included optional kernel support for ipchains). Now that we're dropping support for Linux 2.4, it is also high time to drop ipchains, so we did. iptables, the replacement, has been a part of Owl for years.

2009/11/18 Package: diffstat
Updated to 1.51.

2009/11/18 Package: vsftpd
Updated to 2.2.2.

2009/11/17 kernel
SECURITY FIX Severity: none to high, local, active
Updated to Linux 2.4.37.7-ow1. The 2.4.37.7 kernel fixes a number of security-related bugs.

2009/10/25 kernel
SECURITY FIX Severity: none to medium, local, active
Updated to Linux 2.4.37.6-ow1. The 2.4.37.6 kernel fixes a number of information leak vulnerabilities. One of these was already fixed in 2.4.37.5-ow1, and the remaining ones may or may not affect specific systems depending on both kernel and userspace configuration.

2009/10/24 Package: xinetd
Updated to 2.3.14.

2009/10/24 Package: vsftpd
Updated to 2.2.1.

2009/10/21 Package: vim
Updated to 7.2 patchlevel 267.

2009/10/21 Package: strace
Updated to 4.5.19.

2009/10/13 Package: e2fsprogs
Updated to 1.41.9.

2009/10/13 Package: cpio
Updated to 2.10.90.

2009/09/28 - 2009/10/10 Packages: pam, pam_passwdqc, passwdqc; Owl/build/installorder.conf
The pam_passwdqc package has been replaced with passwdqc, a new package, which includes pam_passwdqc(8) (the PAM module), libpasswdqc (a password/passphrase strength checking library), pwqcheck(1) (a standalone password/passphrase strength checking program), and pwqgen(1) (a standalone random passphrase generator program).

2009/09/23 Package: iptables
Updated to 1.4.5.

2009/09/22 Package: vsftpd
Updated to 2.2.0.

2009/09/09 Package: gnupg
Updated to 1.4.10.

2009/09/01 - 2009/09/09 Packages: rpm, *; Owl/build/{buildworld.conf,buildworld.sh}
Many RPM spec files have been adjusted and a new tri-state setting has been introduced into buildworld.conf to control whether the testsuites are to be run. The default is to run most tests, other possible settings are to run all of the tests (including extremely slow ones) or to disable all tests.

2009/09/07 Package: elinks
Updated to 0.11.7.

2009/08/31 Package: postfix
Updated to 2.4.13.

2009/08/30 Package: ed
Updated to 1.4.

2009/08/30 Package: bison
Updated to 2.4.1.

2009/08/28 Package: pam
Updated to 1.1.0.

2009/08/25 Package: m4
Updated to 1.4.13.

2009/08/23 kernel
SECURITY FIX Severity: none to high/medium, local, active
Updated to Linux 2.4.37.5-ow1. The 2.4.37.5 kernel adds a fix for the "Linux NULL pointer dereference due to incorrect proto_ops initializations", which on Owl was not exploitable into privilege escalation on its own due to the vm.mmap_min_addr feature, as long as the latter was enabled and working (there have been no known issues with it in recent kernels). In our patched kernels, vm.mmap_min_addr is enabled by default. Additionally, our default kernels did not include support for any socket types via which the bug is known to be triggerable. More importantly, Linux 2.4.37.5-ow1 adds a fix for the sigaltstack local information leak affecting 64-bit kernel builds.
References:
http://lists.openwall.net/bugtraq/2009/08/13/11
http://www.openwall.com/lists/oss-security/2009/08/14/2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692
http://www.openwall.com/lists/oss-security/2009/08/05/1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2847

2009/08/22 Package: rpm
Introduced the configure-presets script, which pre-defines a bunch of autoconf variables in order to achieve more deterministic and slightly quicker builds. Most importantly, this makes the configure scripts of many other packages assume the presence of certain security-relevant interfaces (fail-close behavior) rather than auto-detect those and possibly fall back to other interfaces (fail-open behavior). The configure-presets script is automatically "sourced" before the %build section commands are invoked (including when our rpmbuild(8) is used to build third-party packages), and it may also be explicitly "sourced" for manual builds of autoconf'ed software by Owl users.

2009/08/17 Package: tar
Updated to 1.22.90, which replaces most of our error handling fixes originally implemented in the Owl package of tar in Nov-Dec 2008 with more elaborate changes by Sergey Poznyakoff. Dropped the --ignore-device-id option in favor of its official name of --no-check-device.
References:
http://lists.gnu.org/archive/html/bug-tar/2009-03/msg00000.html
http://lists.gnu.org/archive/html/bug-tar/2009-08/msg00016.html

2009/08/16 Package: findutils
Updated to 4.4.2. With this update, we're switching to the find(1) implementation based around fts(3) instead of GNU find's "own" directory traversal code.

2009/08/15 Package: mktemp
Updated to 1.6 with minor post-1.6 upstream changes.

2009/08/14 Package: groff
SECURITY FIX Severity: none to high, local/indirect, passive
Corrected pdfroff(1) to create temporary files in a safe manner and to invoke gs(1) (Ghostscript) with the -dSAFER option to make it treat the input file as untrusted.
pdfroff had been introduced into Owl with the groff update on 2009/08/06. Before getting corrected, the temporary files issue was mitigated by pdfroff's use of the TMPDIR environment variable, which our pam_mktemp module sets to point to the user's private directory. Additionally, for pdfroff to work and for the lack of the -dSAFER option to come into play, one would need to install Ghostscript first, which was not a part of Owl. Besides fixing pdfroff, we have identified and patched numerous relatively minor temporary file handling issues in other components of the new version of groff. Thanks to brian m. carlson for identifying and reporting the two pdfroff issues to Debian.
References:
http://www.openwall.com/lists/oss-security/2009/08/09/1
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538330
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538338

2009/08/06 Package: logrotate
Updated to 3.7.8.

2009/08/06 Package: groff
Updated to 1.20.1.

2009/08/03 kernel
Updated to Linux 2.4.37.4-ow1. The 2.4.37.4 kernel integrates a replacement for the "personality" hardening measure introduced in 2.4.37.3-ow1.

2009/07/29 Package: chkconfig
Updated to 1.3.42.

2009/07/28 Package: bind
SECURITY FIX Severity: low, remote, active
Backported upstream fix for a remote DoS bug: by sending a specially crafted dynamic update packet to a BIND server, a remote unauthenticated attacker could cause the server to crash. According to the ISC and to our own testing, this vulnerability affects servers that are masters for one or more zones - it is not limited to those that are configured to allow dynamic updates. Our default BIND configuration includes several master zones, such as 127.in-addr.arpa, which are usable for the attack. BIND's own access controls (such as the "allow-query" directive) are ineffective against the attack.
References:
https://www.isc.org/node/474
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538975
http://www.kb.cert.org/vuls/id/725188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0696

2009/07/20 kernel
SECURITY FIX Severity: none to high, local to remote, active
Updated to Linux 2.4.37.3-ow1. The 2.4.37.3 kernel release adds the "-fno-delete-null-pointer-checks" option to gcc invocations, which is important to reduce the impact of a class of kernel bugs (which are yet to be found and fixed individually, but are known to exist in general), adds several security-relevant fixes to the RTL-8169 NIC driver, and makes other assorted changes. The Linux 2.4.37.3-ow1 kernel patch introduces an additional security hardening measure where the kernel will no longer allow the "personality" feature (which is needed to support some program binaries from other operating systems) to be abused to bypass the vm.mmap_min_addr restriction via SUID-root programs with a certain class of design errors in them. Similar changes were introduced into 2.6.x kernels recently.
References:
http://git.kernel.org/linus/a3ca86aea507904148870946d599e07a340b39bf
http://www.openwall.com/lists/oss-security/2009/07/16/1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1895

2009/07/18 - 2009/07/19 Package: vsftpd
Updated to 2.2.0pre4, which officially reverts the default for "listen" back to NO (the way we had it in Owl all the time) and implements the "-o" option (the syntax and semantics are subtly different from what we had in our own implementation).
Reference:
http://lists.freedesktop.org/archives/distributions/2009-July/000322.html

2009/07/16 - 2009/07/19 Package: nmap
Updated to 5.00 with our usual enhancements for privilege reduction and with some post-release fixes. Enabled build of Ncat (an even more powerful remake of the well-known netcat tool, which we previously had represented in Owl with OpenBSD's remake) and build of Nmap with NSE (Nmap Scripting Engine) support enabled.
Ncat gets into its own binary subpackage called "ncat" and installable independently of "nmap".
Reference:
http://www.openwall.com/lists/owl-users/2009/07/19/1

2009/07/15 Package: dhcp
SECURITY FIX Severity: none to low, remote, active
Updated to 3.0.7. Fixed the DHCP server premature termination bug when receiving certain well-formed DHCP requests, provided that the server configuration mixes host definitions using "dhcp-client-identifier" and "hardware ethernet". It has not been fully researched whether the bug had any impact on versions 3.0.x of the DHCP server, and there is a specific reason why it might not have had any impact, yet we're fixing the underlying bug. Discovery and patch by Christoph Biedl.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1892
http://www.openwall.com/lists/owl-users/2009/07/16/1

2009/07/11 Package: postfix
Updated to 2.4.11.

2009/07/08 Package: chkconfig
Updated to 1.3.38.

2009/07/07 kernel
SECURITY FIX Severity: none to high, remote, active
Updated to Linux 2.4.37.2-ow1. The 2.4.37.2 kernel release adds several bug fixes, including security-relevant ones.

2009/07/07 Package: openssh
SECURITY FIX Severity: none to high, remote, active
Backported upstream fix for a syslog call inside a signal handler. The security impact this issue might have had was not fully evaluated. On Debian systems, the reported impact was processes getting stuck on locks inside glibc. On Owl, no problems were ever reported, yet the call was unsafe, with the worst-case impact being arbitrary code execution (depending on processing inside glibc).
References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4109

2009/07/05 Package: man-pages
Updated to 3.21.

2009/06/17 Package: dmidecode; Owl/build/installorder.conf
New package: dmidecode reports information about x86 & x86-64 hardware as described in the system BIOS according to the SMBIOS/DMI standard.

2009/06/10 Package: pciutils; Owl/build/installorder.conf
New package: pciutils contains utilities for inspecting and setting up devices connected to the PCI bus.

2009/05/27 - 2009/05/29 Package: vsftpd
Updated to 2.1.1, keeping the default at listen=NO (overriding upstream's change of default). Added the new option "-o", which can be used to specify configuration settings via the command line.

2009/05/27 Package: pcre
Updated to 7.9.

2009/05/25 Package: patchutils
Updated to 0.3.1.

2009/05/24 kernel; Package: owl-cdrom
SECURITY FIX Severity: none to high, local, active
Updated to Linux 2.4.37.1-ow1. In the default kernels for x86 and x86-64, enabled SCSI generic support (as needed for CD/DVD recording), UDF filesystem support (read-only), and more SATA and NIC drivers. Linux 2.4.37.1, compared to 2.4.35-ow2, adds numerous security-relevant fixes to various kernel subsystems.

2009/05/24 Package: diffstat
Updated to 1.47.

2009/05/06 - 2009/05/22 Packages: cdrkit, mkisofs, owl-dev; Owl/build/installorder.conf
New package: cdrkit is a suite of programs for recording CDs and DVDs, blanking CD-RW media, creating ISO-9660 filesystem images, extracting audio CD data, and more. This obsoletes our mkisofs source package, which was directly based on cdrtools (of which cdrkit is a fork).

2009/05/21 Package: nmap
Updated to 4.76.

2009/05/15 Package: libnids
Updated to 1.23.

2009/05/09 Package: hdparm
Updated to 9.15.

2009/05/02 Package: e2fsprogs
Updated to 1.41.5.

2009/04/08 Package: tcb
In the new version 1.0.3 of the tcb package, child processes spawned by pam_tcb will now always use _exit(2) rather than exit(3) to avoid triggering side effects. When changing passwords, pam_tcb will now fsync(2) the temporary file prior to renaming it over the actual shadow file, as needed on filesystems with not entirely atomic rename(2) (XFS). Thanks to Pascal Terjan of Mandriva and to Ermanno Scaglione for reporting these two issues, respectively.
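
The two tcb 1.0.3 changes described above, shown as an added example that is not pam_tcb's own code: replace_file() calls fsync(2) on the temporary file before rename(2), and size_after_child() shows one side effect of exit(3) that _exit(2) avoids, a forked child flushing its copy of the parent's stdio buffer. All function names and paths are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write all of buf, retrying after short writes and EINTR. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0 && errno == EINTR)
            continue;
        if (n < 0)
            return -1;
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Replace dir/name with data so that a crash leaves the old or the new
 * contents: without fsync(2), the rename may reach the disk before the data. */
int replace_file(const char *dir, const char *name, const char *data, size_t len)
{
    char tmp[4096], dst[4096];
    int fd;
    if (snprintf(tmp, sizeof(tmp), "%s/%s.XXXXXX", dir, name) >= (int)sizeof(tmp) ||
        snprintf(dst, sizeof(dst), "%s/%s", dir, name) >= (int)sizeof(dst))
        return -1;
    fd = mkstemp(tmp);                  /* same directory, mode 0600 */
    if (fd < 0)
        return -1;
    if (write_all(fd, data, len) < 0 || fsync(fd) < 0) {
        close(fd);
        unlink(tmp);
        return -1;
    }
    if (close(fd) < 0 || rename(tmp, dst) < 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}

/* Size of a scratch file after the parent buffers 7 bytes with stdio, forks,
 * and the child leaves with exit(3) (raw_exit == 0) or _exit(2) (non-zero). */
long size_after_child(const char *path, int raw_exit)
{
    struct stat st;
    pid_t pid;
    FILE *f = fopen(path, "w");

    if (!f)
        return -1;
    fputs("secret\n", f);               /* stays in the stdio buffer */
    pid = fork();
    if (pid == 0) {
        if (raw_exit)
            _exit(0);                   /* no atexit handlers, no stdio flush */
        exit(0);                        /* flushes the child's copy as well */
    }
    if (pid < 0 || waitpid(pid, NULL, 0) < 0) {
        fclose(f);
        return -1;
    }
    if (fclose(f) != 0 || stat(path, &st) < 0)  /* parent flushes its copy */
        return -1;
    return (long)st.st_size;
}

int main(void)
{
    char dir[] = "/tmp/tcb-example-XXXXXX", path[4096]; /* constructed paths */

    if (!mkdtemp(dir) || replace_file(dir, "shadow", "new entry\n", 10) < 0)
        return 1;
    snprintf(path, sizeof(path), "%s/scratch", dir);
    printf("exit(3): %ld bytes, _exit(2): %ld bytes\n",
           size_after_child(path, 0), size_after_child(path, 1));
    return 0;
}
```

With exit(3) in the child, the buffered line reaches the file twice; with _exit(2), only the parent writes it.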

2009/03/06 Package: bind
Dropped the root-delegation-only directive from the default named configuration because the list of TLDs that are not delegation-only was incomplete and wouldn't be maintained/updated on all installs, causing some DNS lookups of valid records to fail.
Reference:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217829

2009/02/06 Package: bind
Dropped DNSSEC support, which is not useful on the Internet at large yet. Those who wish to experiment with DNSSEC at their own risk may set BUILD_OPENSSL to 1 and rebuild the package.

2009/01/08 Packages: openssl, bind
SECURITY FIX Severity: medium, remote, passive
Backported upstream fixes for multiple OpenSSL signature verification API misuses.
References:
http://www.openwall.com/lists/oss-security/2009/01/07/2
http://www.openssl.org/news/secadv_20090107.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077

2008/11/02 Package: tar
Updated to 1.20.

2008/08/14 Package: postfix
Updated to 2.4.8, disabled the Solaris symlink hack that allowed local mail deliveries through "root-owned" symlinks.
Although this is a security update for some other systems, on Owl the problem was avoided or mitigated in several ways:
- we have a patch, introduced prior to Owl 2.0, that adds the local_minimum_uid setting with a default of 500 - preventing local mail deliveries to user "root" (unless it is correctly set up as an alias to some other e-mail address), as well as to other system special accounts;
- there's no potential attack vector to get group "mail" privileges on Owl with no third-party software added - no single program is installed SGID "mail";
- the mail spool directory is only writable by root and group "mail" (not world-writable), yet it has the sticky bit set (mode 1771), which prevents the attack for already-existing mailboxes;
- "useradd -m", which must be used to create a user account with a home directory, also pre-creates the mailbox;
- our default kernel includes the CONFIG_HARDEN_LINK option, enabled by default, which thwarts the hardlink-to-symlink attack.

2008/08/10 Package: bind
Updated to 9.3.5-P2, added an OpenBSD-derived patch to implement support for more than 1024 simultaneous recursive queries.

2006/09/13 - 2008/07/10 Package: john
Many updates to John the Ripper have been made, bringing it to version 1.7.3. Most notably, two Blowfish-based crypt(3) hashes may now be computed in parallel for much better performance on x86-64 CPUs. Also, "DumbForce" and "KnownForce" external mode samples have been added to the default john.conf.

2008/07/08 Package: bind
SECURITY FIX Severity: medium, remote, active
Updated to 9.3.5-P1, which additionally randomizes UDP query ports to improve resilience to DNS cache poisoning attacks.
References:
http://www.isc.org/sw/bind/forgery-resilience.php
http://www.kb.cert.org/vuls/id/800113
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447

2008/06/29 Package: vsftpd
Updated to 2.0.6.

2008/05/27 Package: openssh
Implemented support for RSA/DSA key blacklisting in sshd based on partial fingerprints, added a subpackage with blacklisted 48-bit partial fingerprints for 1024-bit and 2048-bit RSA and 1024-bit DSA keys as generated on vulnerable Debian, Ubuntu, and derived systems for PID range 1 to 32767. Due to the encoding scheme used, the blacklist file size is just 1.3 MB, which corresponds to less than 4.5 bytes per fingerprint. This effort was supported by CivicActions.
References:
http://www.openwall.com/lists/oss-security/2008/05/27/3
http://www.debian.org/security/2008/dsa-1571
http://www.ubuntu.com/usn/usn-612-1/
http://metasploit.com/users/hdm/tools/debian-openssl/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166

2008/05/18 Package: nmap
Updated to 4.62.

2008/05/10 Package: cvs
Updated to 1.11.23.

2008/04/17 - 2008/04/22 Package: lilo
Updated to 22.8.

2008/03/26 Package: gnupg
Updated to 1.4.9.

2008/03/20 Package: findutils
Updated to 4.2.33.

2008/03/20 Package: bzip2
Updated to 1.0.5. This release fixes a potential buffer over-read bug, which allowed user-assisted remote attackers to cause a crash in libbz2 via a crafted file.
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1372

2008/02/13 Package: pcre
Updated to 7.6.

2008/02/12 Packages: pam_passwdqc, pam
Applied numerous minor changes to pam_passwdqc and its default settings, including replacing its set of separator characters (used for randomly generated "passphrases") with some of those defined by RFC 3986 as being safe within the "userinfo" part of URLs without encoding, reducing the default minimum length for passphrases from 12 to 11, and corrections to the documentation.

2008/01/15 Package: tar
Added a new option: --ignore-device-id, to be used when creating incremental dumps off filesystems with volatile device numbers, such as OpenVZ simfs.

2008/01/04 Package: hdparm
Updated to 7.7.

2008/01/01 Package: gnupg
Updated to 1.4.8.

2008/01/01 Package: e2fsprogs
Updated to 1.40.4.

2007/12/16 Package: postfix
Updated to 2.4.6.

2007/12/06 Package: e2fsprogs
Applied upstream patch to fix integer overflows in libext2fs. This addresses a potential vulnerability where an untrusted filesystem can be corrupted on purpose in such a way that a program using libext2fs will allocate a buffer that is far too small. This can lead to either a crash or potentially a heap-based buffer overflow. Thanks to Rafal Wojtczuk of McAfee Avert Labs for reporting this issue.
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5497

2007/12/05 Package: gettext
Updated to 0.14.6.

2007/11/19 Package: findutils
Updated to 4.2.31.

2007/11/18 Package: ltrace
Updated to 0.5.

2007/11/18 Package: elfutils-libelf
Updated to 0.131.

2007/11/15 Package: e2fsprogs
Updated to 1.40.2.

2007/10/24 - 2007/11/05 Package: sysklogd
Implemented logging of the sending user ID (when non-zero) and of the sending process ID (when different from the reported one) for syslog messages arriving via Unix domain sockets. This should allow for detection of spoofed messages.

2007/10/17 Package: diffstat
Updated to 1.45.

2007/10/16 Package: dhcp
Updated to 3.0.6.

2007/10/13 Package: openssl
Backported upstream fix for off-by-one bug in the SSL_get_shared_ciphers function. It is unclear whether the bug had any security impact.
References:
http://lists.openwall.net/bugtraq/2007/09/27/14
http://lists.openwall.net/bugtraq/2007/10/01/7
http://www.openssl.org/news/secadv_20071012.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135

2007/10/08 Package: cvs
Updated to 1.11.22.

2007/10/07 Package: bzip2
Updated to 1.0.4.

2007/10/07 Package: nmap
Updated to 4.20.

2007/10/07 Packages: mdadm, raidtools; Owl/build/installorder.conf
Replaced raidtools with mdadm.

2007/09/24 Package: pcre
Updated to 7.4.

2007/08/30 Package: vim
SECURITY FIX Severity: none to high, indirect, passive
Backported upstream fix to restrict dangerous functions in modelines. Note that vim's modelines have always been disabled on Owl by default (with a setting in /usr/share/vim/vimrc) and even this fix is no guarantee modelines will be safe to use or the restricted mode safe to rely upon in the future. Backported upstream fix for format string vulnerability in the helptags_one function, which allowed user-assisted remote attackers to execute arbitrary code via format string specifiers in a help-tags tag in a help file.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2953

2007/08/18 kernel
Updated to Linux 2.4.35-ow2. The single known security-relevant change added with Linux 2.4.35 is correction of the randomness pool update bug discovered by the PaX Team. The -ow2 revision adds a fix for the parent process death signal bug in the Linux kernel discovered by Wojciech Purczynski of COSEINC PTE Ltd. and iSEC Security Research; this bug has no security impact on Owl with no added SUID programs. Also added are two security hardening features, both enabled by default: restricted access to VM86 mode (specific to 32-bit x86) and restricted zero page mappings (generic).
References:
http://www.openwall.com/lists/announce/2007/08/08/1
http://www.openwall.com/lists/announce/2007/08/14/1
http://www.isec.pl/vulnerabilities/isec-0024-death-signal.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3848

2007/08/18 Package: cpio
Updated to 2.9.

2007/08/17 Package: tar
Updated to 1.18.

2007/07/30 Package: bind
SECURITY FIX Severity: medium, remote, passive
Updated to 9.3.4-P1, which fixes a weakness in the DNS query ID generator when answering resolver questions or sending NOTIFY messages to slave name servers. The weakness used to make it easier for remote attackers to guess the next query id and perform DNS cache poisoning.
References:
http://www.trusteer.com/bind9dns
http://marc.info/?l=bind-announce&m=118531674631565
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926

2007/06/01 Package: owl-cdrom
In the default kernel for x86, enabled more IDE chipset drivers, common RAID and SATA controller drivers, USB and HID support (keyboard, mouse, storage devices), and more. This enables our CDs to boot off SATA and USB CD-ROM drives, in addition to IDE and SCSI ones that were supported previously.

2007/05/31 Package: mutt
Updated to 1.4.2.3. This release fixes msgid validation in APOP authentication and a potential buffer overflow in the passwd GECOS field parser.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1558
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2683

2007/03/25 - 2007/05/22 Package: file
SECURITY FIX Severity: high, indirect, passive
Fixed potential heap buffer overflow in the file_printf function of the libmagic library.
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536

2007/03/29 Package: lftp
Updated to 3.5.10.

2007/03/27 Package: elinks
Updated to 0.11.2.

2007/03/26 Package: lftp
Updated to 3.5.9.

2007/03/06 Package: gnupg
SECURITY FIX Severity: medium, indirect, passive
Updated to 1.4.7. This includes a fix for an unsigned data injection vulnerability: An attacker is able to add arbitrary content to a signed message, and the receiver of the message may not be able to distinguish the forged and the properly signed parts of the message.
References:
http://www.coresecurity.com/content/gnupg-and-gnupg-clients-unsigned-data-injection-vulnerability
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1263

2007/02/25 Package: openssl
Updated to 0.9.7m.

2007/01/29 Package: bind
SECURITY FIX Severity: low, remote, active
Updated to 9.3.4, which fixes two security issues.
The first issue is a "use after free" vulnerability which allowed remote DoS attack via unspecified vectors that cause BIND to "dereference (read) a freed fetch context". The second issue allowed remote DoS attack via a type ANY DNS query response that contains multiple RR sets in the answer section, which triggers an assertion error if DNSSEC validation is enabled.
References:
http://marc.info/?l=bind-announce&m=116968519321296
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0493
http://marc.info/?l=bind-announce&m=116968519300764
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0494

2007/01/18 Package: strace
Updated to 4.5.15.

2007/01/13 Package: pcre
Updated to 7.0.

2007/01/03 - 2007/01/09 Package: owl-setup
Configuration of console font and locales has been implemented under a new sub-menu. Keyboard layout configuration has been moved to the same menu. The ncurses/CDK-based user interface now uses cfdisk rather than the traditional fdisk by default.

2006/12/30 - 2007/01/09 Owl/build/*
New make targets have been added for creating ISO-9660 images of Owl bootable CDs. The added targets are buildkernel, installisotree, iso, and iso.gz.

2007/01/05 Package: mkisofs; Owl/build/installorder.conf
New package: create ISO-9660 filesystem images.

2006/12/27 kernel
Updated to Linux 2.4.34-ow1.

2006/12/06 Package: gnupg
SECURITY FIX Severity: high, indirect, passive
Updated to 1.4.6. This includes a fix for a remotely controllable function pointer vulnerability: using malformed OpenPGP packets an attacker was able to modify and dereference a function pointer in gpg.
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6235

2006/11/28 Package: gnupg
SECURITY FIX Severity: high, indirect, passive
Applied upstream fix for heap buffer overflow bug in gpg when running gpg interactively.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6169
http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000241.html

2006/11/28 Package: tar
SECURITY FIX Severity: high, indirect, passive
Disabled GNUTYPE_NAMES handling by default to avoid directory traversal in GNU tar (where a malicious archive containing GNUTYPE_NAMES record with a symbolic link could specify files to be extracted to outside of the intended directory tree).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6097
http://lists.grok.org.uk/pipermail/full-disclosure/2006-November/050812.html

2006/11/19 Package: rpm
Backported upstream fix for potential heap buffer overflow in showQueryPackage function. Although this particular bug is fixed, it remains unsafe to invoke "rpm" queries on untrusted package files.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=212833
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5466

2006/11/09 Package: openssh
Backported upstream fix for a bug in the sshd privilege separation monitor that weakened its verification of successful authentication.
References:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2006-November/024882.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5794

2006/11/07 Package: texinfo
SECURITY FIX Severity: high, indirect, passive
Applied upstream patch that fixes potential heap buffer overflow in texindex utility.
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4810

2006/10/29 Package: screen
SECURITY FIX Severity: low, remote, passive
Applied upstream patch that fixes two bugs in UTF-8 combining characters handling. The bugs could be used to crash/hang screen by writing a special string to a window.
References:
http://lists.gnu.org/archive/html/screen-users/2006-10/msg00028.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4573

2006/10/03 Package: openssh
SECURITY FIX Severity: low/none to high, remote/local, active
Backported upstream fixes for sshd connection consumption vulnerability (severity: low, remote, active), scp local arbitrary command execution vulnerability (severity: none to high, local, active), CRC compensation attack detector DoS (severity: low, remote, active), client NULL dereference on protocol error (severity: low, remote, passive).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2069
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0225
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4925

2006/09/29 Package: openssl
SECURITY FIX Severity: none to low/high, remote, active/passive
Updated to 0.9.7l, which includes fixes for four security issues.
References:
http://www.openssl.org/news/secadv_20060928.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343

2006/09/27 Package: dhcp
Updated to 3.0.4.

2006/09/19 Package: gzip
SECURITY FIX Severity: high, indirect, passive
Fixed multiple vulnerabilities (stack buffer overflow, heap buffer underflow, heap buffer overflow, infinite loop) discovered by Tavis Ormandy of Google Security Team.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4338

2006/09/19 Package: bison
Updated to 2.3.

2006/09/07 Package: gpm
Updated to 1.20.1.

2006/09/06 Package: openssl
SECURITY FIX Severity: none to medium, remote, passive to active
Applied upstream patch to avoid RSA signature forgery.
References:
http://www.openssl.org/news/secadv_20060905.txt
http://www.imc.org/ietf-openpgp/mail-archive/msg06063.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339

2006/09/06 Package: bind
SECURITY FIX Severity: none to low, remote, active
Updated to 9.3.2-P1, which fixes a couple of bugs that allowed for DoS attacks on certain BIND configurations.
References:
http://www.kb.cert.org/vuls/id/915404
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4095
http://www.kb.cert.org/vuls/id/697164
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4096

2006/08/17 kernel
Updated to Linux 2.4.33-ow1.

2006/08/04 Package: postfix
Updated to 2.2.11.

2006/08/04 Package: gnupg
SECURITY FIX Severity: high, remote, passive
Updated to 1.4.5. This includes fixes for two more possible memory allocation bugs, similar to the problem fixed in 1.4.3-owl1.
References:
http://lists.gnupg.org/pipermail/gnupg-announce/2006q3/000229.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3746

2006/06/28 Package: gnupg
Updated to 1.4.4.

2006/06/27 Package: mutt
SECURITY FIX Severity: high, remote, passive
Applied an upstream fix for potential stack-based buffer overflow when processing an overly long namespace from IMAP server.
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3242

2006/06/25 Package: nmap
Updated to 4.11.

2006/06/25 Package: coreutils
Updated to 5.97.

2006/06/22 Package: gnupg
SECURITY FIX Severity: high, remote, passive
Updated to 1.4.3. Applied a fix for integer overflow vulnerability in packet processing that could allow a remote attacker to cause gpg to crash and possibly overwrite memory via a message packet with a large length.
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3082

2006/06/12 Package: hdparm
Updated to 6.6.

2006/06/12 Package: smartmontools; Owl/build/installorder.conf
New package: control and monitor storage systems using S.M.A.R.T.

2006/06/06 Package: patchutils
Updated to 0.2.31.

2006/06/06 Package: automake
Updated to 1.9.6.

2006/06/06 Package: which
Updated to 2.16.

2006/06/06 Package: e2fsprogs
Updated to 1.39.

2006/06/06 Package: pam
Updated to 0.99.4.0+.

2006/06/06 Package: make
Updated to 3.81.

2006/06/06 Package: libtool
Updated to 1.5.22.

2006/06/06 Package: bison
Updated to 2.1.

2006/06/06 Package: bind
Updated to 9.3.2.

2006/06/06 Package: vsftpd
Updated to 2.0.4.

2006/06/06 Package: chkconfig
Updated to 1.3.29.

2006/06/06 Package: bash
Updated to 3.1 patchlevel 17.

2006/05/27 Package: coreutils
Updated to 5.96.

2006/05/21 Package: coreutils
Updated to 5.95.

2006/05/21 Packages: bc, gnupg, gdb, lftp, readline; Owl/build/installorder.conf
Updated readline to 5.1 patchlevel 4.

2006/05/19 Package: acct
Updated to 6.4-pre1.

2006/05/08 - 2006/05/15 Package: john
Bitslice DES code for x86 with SSE2 and x86-64 with 64-bit mode extended SSE2 has been added for better performance at DES-based crypt(3) hashes on Pentium 4 and SSE2-capable AMD processors. Assorted high-level changes have been applied to improve performance on current x86-64 processors.

2006/05/07 Package: perl
Updated to 5.8.8.

2006/05/01 Package: vixie-cron
Updated to OpenBSD CVS snapshot dated 2006/04/26. Changed crontab(1) to use $TMPDIR for creating the temporary file.

2006/05/01 Package: lftp
Updated to 3.4.6.

2006/04/26 Package: nmap
Updated to 4.03.

2006/03/25 - 2006/04/20 Package: owl-setup
Many fixes and enhancements which had been postponed until after the Owl 2.0 release have now been implemented. This includes directly talking to PAM when setting the initial root password, quick searches in scroll lists with the ncurses/CDK-based interface, progress indicators with both user interfaces (currently, this is used for installation of kernel headers), and manual pages for both "settle" and "setup".

2006/04/19 Package: lftp
Updated to 3.4.4.

2006/04/19 Package: setarch
Updated to 2.0.

2006/04/04 - 2006/04/07 Packages: *; Owl/build/{.rpmmacros,.rpmrc,buildworld.conf,buildworld.sh}
Ported Owl to the x86-64 architecture.

2006/04/06 Packages: db4, pam, perl, postfix; Owl/build/installworld.sh
Updated db4 to 4.3.29.

2006/04/06 Package: postfix
Updated to 2.2.10.

2006/04/06 Package: gettext
Updated to 0.14.5.

2006/04/04 Package: bash
Updated to 3.1 patchlevel 16.

2006/03/23 Package: netlist
Updated to 2.1.

2006/03/23 Package: setarch
Updated to 1.9.

2006/03/11 Package: postfix
Updated to 2.2.9.

2006/03/11 Package: gnupg
SECURITY FIX Severity: medium, indirect, passive
Updated to 1.4.2.2. This includes fixes for the signature verification vulnerabilities discovered by Tavis Ormandy of Gentoo.
References:
http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000211.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0455
http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000216.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0049

2006/03/05 Package: nmap
Updated to 4.02 Alpha1.

2006/02/27 - 2006/03/05 Package: john
Applied many minor corrections, including for better handling of certain uncommon scenarios and improper uses of John. Added a "keyboard cracker" to the default john.conf that will try sequences of adjacent keys on a keyboard as passwords.

2006/02/28 Package: iptables
Updated to 1.3.5.

2006/02/20 Package: sed
Updated to 4.1.5.

2006/02/20 Package: coreutils
Updated to 5.94.

2006/02/20 Package: bash
Updated to 3.1 patchlevel 8.

2006/02/20 Package: tar
SECURITY FIX Severity: high, indirect, passive
Backported upstream fix for potential heap buffer overrun in handling extended headers.
References:
http://lists.gnu.org/archive/html/bug-tar/2005-06/msg00029.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0300

$Owl: Owl/doc/CHANGES-3.0,v 1.301.2.2 2012/04/29 23:47:24 solar Exp $