This file lists the major changes made between Owl releases. While some of the changes listed here may also be made to a stable branch, the complete lists of stable branch changes are included with those branches and as errata for the corresponding Owl releases only. This is very far from an exhaustive list of changes. Small changes to individual packages won't be mentioned here unless they fix a security or a critical reliability problem. They are, however, mentioned in change logs for the packages themselves. Changes made between Owl 1.1 and Owl 2.0. 2006/01/18 Package: strace Updated to 4.5.14. 2006/01/18 Package: pam Updated to 0.99.3.0. 2006/01/18 Package: libutempter Updated to 1.1.4. 2006/01/14 Package: nmap Updated to 3.95. 2006/01/07 - 2006/01/11 Package: bash Updated to 3.1 patchlevel 5. 2006/01/05 Package: postfix Updated to 2.2.8. 2006/01/05 Package: glibc SECURITY FIX Severity: none to low, N/A, N/A Corrected a bug in the way salts for extended DES-based and for MD5-based password hashes are generated with the crypt_gensalt*() family of functions; thanks to Marko Kreen for discovering and reporting this. The bug would result in a higher than expected number of matching salts with large numbers of password hashes of the affected types generated on an Owl system through a mechanism that uses the affected glibc functions (such as pam_tcb). If the password hashes would ever be compromised (e.g., by exploiting another vulnerability), it would be possible to test candidate passwords against them at a faster effective rate because of this bug. The Blowfish-based (bcrypt) hashes that Owl has always been using by default and the traditional DES-based crypt(3) hashes were not affected. 2005/12/30 Package: dialog Updated to 1.0-20051219. 2005/12/27 Package: pam Updated to 0.99.2.1. Moved pam_stack into a new pam-compat subpackage. 2005/12/27 Package: tcb Implemented OpenPAM support. Updated pam_tcb to use new interfaces provided by Linux-PAM >= 0.99.1.0. 2005/12/26 Package: diffstat Updated to 1.41. 2005/12/26 Package: hdparm Updated to 6.3. 2005/12/25 Package: man Updated to 1.6b. 2005/12/24 Package: gcc Updated to 3.4.5. 2005/12/24 Packages: db4, pam, perl, postfix; Owl/build/{installorder.conf,installworld.sh} Updated db4 to 4.2.52. 2005/12/24 Package: chkconfig Updated to 1.3.25. 2005/12/23 Packages: libnet, libnids; Owl/build/installorder.conf Updated libnet to 1.1.3-RC-01 and libnids to 1.20. 2005/12/18 Package: vim Updated to 6.4 patchlevel 4. 2005/10/09 - 2005/12/16 Package: john The handling of LM hashes has been enhanced to use case insensitive comparisons of the encodings when eliminating duplicate and already-cracked hashes at load time and when displaying cracked passwords. The way nouns ending in "z" and "h" are pluralized with the "p" wordlist rules command has been corrected. A workaround for OpenAFS has been added to unafs. Any charset file changes will now be detected when restoring sessions. The supplied charset files and password.lst have been updated. A new pre-defined "incremental" mode "Alnum" (for alphanumeric) has been added. A bug with the handling of break statements with nested loops in the external mode compiler has been fixed. 2005/12/13 Package: postfix Updated to 2.2.7. 2005/12/11 Package: man-pages; Owl/build/installorder.conf Updated to 2.16, including the addition of POSIX man pages in their own subpackage. 2005/12/08 Package: findutils Updated to 4.2.27. 2005/12/06 Package: perl Backported upstream fix for a potential integer overflow in perl format string functionality. Third-party software which passes untrusted input into format strings may allow attackers to overwrite arbitrary memory in the Perl interpreter and possibly execute arbitrary code via format string specifiers with large values. Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3962 2005/11/27 Package: vsftpd Updated to 2.0.3. 2005/11/26 kernel Updated to Linux 2.4.32-ow1. 2005/11/22 Package: gnupg Updated to 1.4.2. 2005/11/18 Package: libpcap Updated to 0.9.4. 2005/11/16 Package: cpio SECURITY FIX Severity: high, local, passive Backported upstream fix for a potential stack-based buffer overflow in cpio. When cpio is used by a privileged user to archive files created by a less privileged user, it is possible to overflow a buffer on the stack with a very large sparse file. This issue only affects 64-bit platforms. Reference: http://lists.gnu.org/archive/html/bug-cpio/2005-11/msg00004.html 2005/11/16 Package: grep Updated to 2.5.1a. 2005/11/14 Packages: traceroute, iputils; Owl/build/installorder.conf Replaced traceroute with Olaf Kirch's implementation. Packaged traceroute6 binary within traceroute package. 2005/11/14 Package: cvs Updated to 1.11.21. 2005/11/13 Package: postfix Introduced "postqueue" control(8) facility to restrict queue views and runs. 2005/11/12 Package: tar Updated to 1.15.1 with backported fixes from tar CVS and patches from ALT Linux and Debian. 2005/11/12 Package: quota Updated to 3.13. 2005/11/12 Package: patch Updated to 2.5.9. 2005/11/12 Package: sed Updated to 4.1.4. 2005/11/11 Package: indent New package: a program for formatting C source code. 2005/11/09 Package: glibc Updated to 2.3.6. 2005/11/08 Packages: tinycdb, pcre, postfix, nmap New packages: constant database library, Perl-compatible regular expression library. Enabled CDB database type and PCRE lookup tables support in Postfix. 2005/11/07 Package: coreutils Updated to 5.93. 2005/10/30 Package: procmail Updated to 3.22 with patches from ALT Linux and Debian. Fixed a procmail bug which could result in mailbox corruption when running into a disk quota or a full partition. 2005/10/29 Packages: openssh, pam, popa3d, shadow-utils, SimplePAMApps, vixie-cron, vsftpd Changed PAM config files to use new "include" directive. 2005/10/26 Package: modutils Integrated module-init-tools for Linux 2.6.x readiness, based on patches from ALT Linux. 2005/10/24 Package: SysVinit Updated to 2.86. 2005/10/23 Package: file Updated to 4.16. 2005/10/23 Package: strace SECURITY FIX Severity: high, local, passive Applied upstream fix for a potential buffer overflow in printpathn(). When "strace -p" is used by a privileged user to attach to a less privileged process, the latter may overflow a static fixed-size buffer with arbitrary data of arbitrary length. 2005/10/23 Package: zlib Updated to 1.2.3. 2005/10/23 Package: coreutils Updated to 5.92. 2005/10/23 Package: net-tools Updated to 1.60. 2005/10/22 Package: m4 Updated to 1.4.4. 2005/10/21 Package: lilo Updated to 22.7.1 with added patches both to LILO itself and to the mkrescue(8) script. 2005/10/20 Package: kbd Updated to 1.12. 2005/10/20 Packages: openntpd, owl-etc; Owl/build/installorder.conf New package: OpenNTPD is an NTP time synchronization server and client. 2005/10/20 Packages: setarch, sparc32; Owl/build/installorder.conf sparc32 has been replaced with setarch, which is not limited to the SPARC architecture. setarch is an utility to set machine sub-architecture type and Linux kernel personality flags for individual program invocations. 2005/10/20 Package: silo Updated to 1.4.9. 2005/10/20 Package: elfutils-libelf Updated to 0.115. 2005/10/17 Package: rpm Changed package upgrade algorithm to remove old files on "-U --force" even if package versions match. When comparing package versions on -U or -F, take build dates into account. 2005/10/11 Package: openssl SECURITY FIX Severity: low, remote, active Applied upstream fix for potential SSL 2.0 rollback during SSL handshake. Applications using either SSL_OP_MSIE_SSLV2_RSA_PADDING or SSL_OP_ALL option miss a verification step in the SSL 2.0 server supposed to prevent active protocol-version rollback attacks. With this verification step disabled, an attacker acting as a "man in the middle" can force a client and a server to negotiate the SSL 2.0 protocol even if these parties both support SSL 3.0 or TLS 1.0. The SSL 2.0 protocol is known to have severe cryptographic weaknesses and is supported as a fallback only. References: http://www.openssl.org/news/secadv_20051011.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2969 2005/09/30 Package: tcsh Updated to 6.14.00. 2005/09/29 Package: cvs Updated to 1.11.20 with many patches, primarily from ALT Linux. 2005/09/24 Packages: bind, owl-etc; Owl/build/installorder.conf New package: the ISC BIND server. 2005/09/21 Package: cdk New package: CDK is a widget set developed on top of ncurses. 2005/09/17 Package: findutils Updated to 4.2.25. 2005/09/14 Package: util-linux SECURITY FIX Severity: none to high, local, active Applied upstream fix to umount(8) to avoid unintentional grant of privileges by "umount -r". This only affected systems which made umount available to non-root users with control(8) (by default, only root can invoke umount) and specified any filesystems with restrictive flags (such as nosuid or nodev) as user-mountable. References: http://marc.info/?l=bugtraq&m=112656096125857 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2876 2005/09/05 Package: john All of the documentation has been updated to apply to the current version. The old John the Ripper 1.6 documentation has been removed. 2005/08/30 Package: procps Updated to 3.2.5. 2005/08/23 Packages: pam, tcb, SimplePAMApps; Owl/build/installorder.conf Updated PAM to 0.80. No longer build pam_pwdb, the tcb package will provide compatibility symlinks instead. 2005/08/18 Package: libutempter Updated to 1.1.3. 2005/08/18 Package: sysklogd Applied fixes from CVS snapshot 20050525, imported a few patches from ALT Linux. 2005/08/11 Package: postfix Updated to 2.2.5. 2005/08/10 Package: strace Updated to 4.5.13. 2005/08/08 Package: mtree Updated to version from current OpenBSD (post-3.7). Fixed a number of bugs in mtree spec file creation and parsing, including with processing of filenames starting with the hash character ('#') or containing glob(3) wildcard characters, of comment lines ending with a backslash ('\\'), and of files not ending with a linefeed. 2005/08/03 - 2005/08/08 Package: owl-setup; Owl/doc/INSTALL The shell scripts based Owl setup utility has finally been replaced by the new installer written in C++. There are two programs: "setup", which may be used to (re-)configure the current system (whether CD-booted or installed on a hard drive), and "settle", the Owl installer to be run off an Owl CD to install Owl on a hard drive. 2005/07/28 Package: openssh Added delayed compression support for SSH protocol 2 (a back-port of the changes committed into the OpenBSD CVS repository recently), enabled in sshd by default. With the new default setting, sshd will only allow for compression to be enabled after authentication. Unfortunately, this requires SSH client support as well, meaning that old SSH protocol 2 clients will be unable to use compression with our new sshd at its default setting. SSH protocol 1 has always insisted on authentication prior to compression and thus is unaffected by this change. The rationale for the change is to reduce the exposure of potential vulnerabilities in the code associated with compression (in OpenSSH itself and in zlib). Thanks to Markus Friedl for working on this and for bringing it to our attention. 2005/07/07 Package: lilo Updated to 22.7. 2005/06/30 Package: postfix Updated to 2.2.4. 2005/06/28 Package: xinetd Updated to 2.3.13. 2005/06/25 kernel Updated to Linux 2.4.31-ow1. 2005/06/24 - 2005/06/25 Packages: elinks, lftp, mtree, mutt, nmap, openssh, openssl Updated openssl to 0.9.7g. 2005/06/21 Package: vixie-cron Implemented PAM accounting and session management support. 2005/06/11 - 2005/06/21 Package: findutils Updated to 4.2.23. 2005/06/14 Packages: elfutils-libelf, ltrace New package: elfutils-libelf provides a library for reading and writing ELF files on a high level. Updated ltrace to 0.3.36 (making use of libelf). This makes ltrace work for program binaries built with recent versions of binutils. 2005/06/11 Package: strace Updated to 4.5.12. 2005/05/28 - 2005/05/29 Packages: binutils, gdb SECURITY FIX Severity: high, local, passive Updated binutils to 2.15.94.0.2.2 and gdb to 6.3. Added sanity checks to BFD library and readelf utility to avoid integer overflows (where a specially crafted object file may lead to a heap-based buffer overflow), fixes for potential stack-based buffer overflows in readelf utility, and a fix for the .gdbinit issue in gdb. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1704 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1705 2005/05/26 Package: libtool Updated to 1.5.18. 2005/05/26 Package: lftp Updated to 2.6.12. 2005/05/20 Packages: gzip, bzip2; Owl/build/installorder.conf SECURITY FIX Severity: high, local, passive Updated gzip to 1.3.5. Added fixes for directory traversal in gunzip (where a malicious gzipped file could specify file name to be extracted to outside of the intended directory tree when gunzip was used with the -N option), for race condition in the file permission handling code of gzip and gunzip, and fix of zgrep and bzgrep utilities to properly sanitize arguments. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1228 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0988 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0758 2005/05/17 Package: diffutils Updated to 2.8.7. 2005/05/06 - 2005/05/16 Package: bzip2 Updated to 1.0.3. 2005/05/15 Package: glibc Updated to 2.3.5 with post-release changes from 2.3-branch, patches from ALT Linux, Red Hat Fedora, and SuSE, and with our modifications. 2005/04/16 - 2005/05/15 kernel SECURITY FIX Severity: high, local, active Updated to Linux 2.4.30-ow1 and later to 2.4.30-ow3. Linux 2.4.30 (and thus 2.4.30-ow1) includes a hardening change which makes the ELF core dump vulnerability discovered by Paul Starzetz unexploitable. Linux 2.4.30-ow3 includes a real fix for said vulnerability. References: http://www.isec.pl/vulnerabilities/isec-0023-coredump.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1263 2005/05/05 - 2005/05/11 Package: cpio SECURITY FIX Severity: high, local, passive Updated to 2.6. Added fixes for directory traversal (where a malicious archive could specify files to be extracted to outside of the intended directory tree) and for certain race condition issues. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1229 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1111 2005/05/07 Packages: coreutils, fileutils, sh-utils, textutils, shadow-utils; Owl/build/installorder.conf Replaced fileutils, sh-utils, and textutils with coreutils (a recent CVS snapshot, post-5.3.0, with patches as maintained in ALT Linux Sisyphus). 2005/04/30 Package: bison Updated to 2.0. 2005/04/25 Packages: automake, patchutils Updated automake to 1.9.5. 2005/04/25 Package: texinfo Updated to 4.8. 2005/02/28 - 2005/04/20 Package: john Implemented a number of bitslice DES set_key*() optimizations resulting in speedups for LM hashes, as well as for traditional DES-based crypt(3) hashes when only a handful of hashes are loaded. 2005/04/10 Package: dhcp dhcpd(8) and dhcrelay(8) will now drop privileges by default (rather than only when the appropriate command line options are given). Previously, they would fail to work when no privilege reduction was requested (a bug). 2005/03/28 Package: telnet SECURITY FIX Severity: high, remote, passive Corrected the slc_add_reply() and env_opt_add() buffer overflows which might have allowed a malicious Telnet server to execute arbitrary machine code within the context of the telnet client process used to connect to the server. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468 2005/03/25 Package: e2fsprogs Updated to 1.37. 2005/03/14 Package: vixie-cron Updated to 4.1 as found in OpenBSD CVS snapshot dated 2004/09/16, with further modifications by Owl and ALT Linux teams. This package now also provides at(1) and related commands. 2005/03/05 Package: iproute2 Added a patch to support HTB qdisc, see tc-htb(8) man page. Reference: http://luxik.cdi.cz/~devik/qos/htb/ 2005/02/22 - 2005/03/03 Package: glibc The OpenBSD-derived strlcpy(3) and strlcat(3) functions are now included in libc_nonshared.a such that they're available with dynamic linking but are nevertheless linked in statically in order to make sure that no programs become dependent on the presence of these extensions in the shared library. The strlcpy(3) and strlcat(3) man pages have been added. 2005/02/19 - 2005/02/21 Package: psmisc Updated to 21.5. 2005/02/06 Package: perl SECURITY FIX Severity: low, local, passive Corrected File::Path::rmtree to never make directories and files world-read/writable and updated its documentation to reflect the remaining security and reliability problems. Thanks to Jeroen van Wolffelaar for discovering this problem and reporting it to Debian. Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0452 2005/02/06 Package: cpio SECURITY FIX Severity: low, local, passive Obey the current umask when creating output files; previously, the files would be created with mode 666. Thanks to Mike O'Connor for bringing this up. Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1572 2005/01/20 kernel SECURITY FIX Severity: high, local, active Updated to Linux 2.4.29-ow1. Linux 2.4.29, and thus 2.4.29-ow1, adds a number of security fixes, including to the x86/SMP page fault handler and the uselib(2) race conditions, both discovered by Paul Starzetz. The potential of these bugs is a local root compromise. The uselib(2) bug does not affect default builds of Linux kernels with the Openwall patch applied since the vulnerable code is only compiled in if one explicitly enables CONFIG_BINFMT_ELF_AOUT, an option introduced by the patch. References: http://www.isec.pl/vulnerabilities/isec-0022-pagefault.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0001 http://www.isec.pl/vulnerabilities/isec-0021-uselib.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1235 2005/01/12 - 2005/01/20 Packages: gcc, glibc, SysVinit, crontabs, db4, dhcp, fileutils, gpm, ipchains, lilo, ltrace, mtree, net-tools, procps; Owl/build/.rpmmacros; Owl/build/{installorder.conf,installworld.sh} Updated to GCC 3.4.3 and a post-2.3.3 glibc snapshot. Fixed whatever packages this broke. 2005/01/15 Package: psmisc In pstree(1), implemented support for displaying multiple accessible subtrees when running with the "restricted /proc" kernel patch. 2004/12/04 Package: gnupg Updated to 1.2.6. 2004/11/28 Package: hdparm Updated to 5.8. 2004/11/26 Package: patchutils New package: a collection of programs that operate on patch files. 2004/11/23 - 2004/11/28 kernel; Package: net-tools SECURITY FIX Severity: low to high, local/remote, active/passive Updated to Linux 2.4.28-ow1. Linux 2.4.28, and thus 2.4.28-ow1, fixes a number of security-related bugs, including the ELF loader vulnerabilities discovered by Paul Starzetz (confirmed: ability for users to read +s-r binaries; potential: local root), a race condition with reads from Unix domain sockets (potential local root), smbfs support vulnerabilities discovered by Stefan Esser (confirmed: remote DoS by a malicious smbfs server; potential: remote root by a malicious server). References: http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt http://marc.info/?l=bugtraq&m=110091183206580 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0883 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0949 2004/11/11 Package: shadow-utils "useradd" and related tools will now optionally allow user and group names longer than 8 characters, even though these may not be fully supported by the rest of Owl and by third-party software. This is controlled with the added USERNAME_MAX and GROUPNAME_MAX settings in /etc/login.defs, both of which are documented in login.defs(5). 2004/11/05 Package: modutils Updated to 2.4.27. 2004/11/03 Owl/doc/REDHAT New file: a list of known issues with using packages from or intended for Red Hat Linux on Owl. 2004/09/02 - 2004/11/03 Packages: autoconf, automake, gcc, gettext, glibc, libtool, rpm; other affected packages; Owl/build/*; Owl/doc/{BUILD,INSTALL,CONCEPTS} Merged in updates to autoconf 2.59, automake 1.8.3, gcc 3.2.2, gettext 0.14.1, glibc 2.3.2 (with Red Hat's patches as of RHL9 but without NPTL, and indeed updating all of our relevant patches), libtool 1.5.2, rpm 4.2 (with support for db1-format packages database re-introduced to allow for upgrades from older versions of Owl). Applied minor fixes to around 50 other packages this broke. Migrated to FHS 2.2 (packages' documentation and man pages now go under /usr/share). 2004/09/10 - 2004/11/02 Packages: openssl, openssh Updated OpenSSL to 0.9.7d. 2004/09/10 - 2004/09/28 Package: shadow-utils Updated to 4.0.4.1, modified usermod(8) to update the last password change field when invoked with the "-p" option. 2004/09/26 Package: make Updated to 3.80. 2004/09/10 Package: db4 New package: the Berkeley DB version 4. 2004/09/10 Package: strace Updated to 4.5.1. 2004/09/10 Package: quota Updated to 3.11. 2004/08/16 Package: libnids Updated to 1.19. 2004/08/04 - 2004/08/15 kernel SECURITY FIX Severity: none to high, local, active Updated to Linux 2.4.26-ow3 and further to 2.4.27-ow1. This corrects the access control check which previously wrongly allowed any local user to change the group ownership of arbitrary NFS-exported/imported files and adds a workaround for the file offset pointer races discovered by Paul Starzetz. The former is only exploitable when files are NFS-exported from a server running a vulnerable version of Linux 2.4.x, and the currently publicly known exploit for the latter relies on code enabled with CONFIG_MTRR kernel build option which has not been enabled in the default kernels on Owl CDs. However, as the potential impact of both issues is a local root compromise, an upgrade of older Linux 2.4.x installs to 2.4.26-ow3+ is highly recommended. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0497 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0415 http://www.isec.pl/vulnerabilities/isec-0016-procleaks.txt 2004/07/27 Package: iptables Updated to 1.2.11. 2004/07/16 - 2004/07/21 Packages: sed, acct, gdbm, man, sh-utils, slang, vim Updated sed to 4.1.1 and other packages' build scripts to make use of the new sed's ability of in-place editing ("sed -i"). 2004/07/10 Package: gdb Updated to 6.1.1. 2004/06/22 Package: dhcp Added a bounds checking patch covering sprintf() calls with "%s" format specifier and non-constant strings and forcing the use of snprintf() and vsnprintf() in all places where that was previously supported but not enabled. Thanks to Gregory Duchemin for discovering that some of these actually resulted in a vulnerability in versions of the DHCP suite newer than the one we're using in Owl. 2004/06/19 kernel SECURITY FIX Severity: low to high, local, active Updated to Linux 2.4.26-ow2. This fixes multiple security-related bugs in the Linux kernel (those discovered by Al Viro using "Sparse", fsave/frstor local DoS on x86, infoleak in the e1000 driver, and some others) as well as two non-security bugs in the -ow patch itself. Which of these bugs affect a particular build of the Linux kernel depends on what drivers are compiled in (or loaded as modules). For the default kernels on Owl CDs, it's only the Intel PRO/1000 Gigabit Ethernet driver (e1000) which has a vulnerability allowing for more than a DoS attack fixed with this update. References: http://marc.info/?l=openwall-announce&m=108763826328168 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0495 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0554 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0535 2004/06/09 Package: shadow-utils SECURITY FIX Severity: none to low, local, active Properly check the return value from pam_chauthtok(3) in chfn(1) and chsh(1). Previously, if chfn and/or chsh commands would be enabled for non-privileged users with control(8), it would have been possible for a logged in user with an expired password to change their "Full Name" and login shell without having to change the password. Thanks to Steve Grubb and Martin Schulze for discovering this problem. 2004/05/18 - 2004/06/09 Package: cvs SECURITY FIX Severity: none to high, remote, active Added back-ports of fixes for multiple CVS server vulnerabilities, some of which are known to be exploitable allowing for a malicious client to execute arbitrary code within the CVS server. Thanks to Stefan Esser, Sebastian Krahmer, and Derek Robert Price for finding and fixing these bugs. Despite these fixes, it should not be assumed that CVS server provides any security against a malicious client. If required, any restrictions on the actions CVS server is allowed to perform should be imposed at the OS level. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0396 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0414 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0416 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0417 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0418 2004/06/07 Package: openssh SECURITY FIX Severity: high, remote, passive Fixed directory traversal vulnerability in scp which allowed malicious SSH servers to overwrite arbitrary files on the client system. Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0175 2004/06/02 Package: scanlogd chroot to /var/empty to further reduce the impact of potential bugs in scanlogd and the libraries that it uses. 2004/05/19 Packages: tcp_wrappers, openssh, xinetd Added a patch to tcp_wrappers to also build a shared version of the libwrap library. 2004/05/14 Packages: ncurses, procps Updated ncurses to 5.4 with official patches up to 20040508. 2004/05/07 Package: binutils Updated to 2.15.90.0.3. 2004/04/18 kernel; Package: owl-cdrom SECURITY FIX Severity: high, local, active Updated to Linux 2.4.26-ow1. Linux 2.4.26 (and thus 2.4.26-ow1) fixes an integer overflow vulnerability in processing of the MCAST_MSFILTER socket option discovered by Paul Starzetz. When properly exploited, the bug would lead to a local root compromise. Also included in this kernel release is a fix for the ext3/XFS information leak discovered by Solar Designer and a number of other relatively minor fixes. As it relates to Owl, the kernel image on Owl CDs will now include the Broadcom Tigon3 Gigabit Ethernet driver and the BusLogic SCSI controller driver, but will not include support for IrDA (had to drop it to make room for the extra device drivers). References: http://www.isec.pl/vulnerabilities/isec-0015-msfilter.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0424 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0177 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0133 2004/04/14 Package: cvs SECURITY FIX Severity: high, remote, passive Added a fix to the CVS client to ensure that pathnames provided by a CVS server point to within the working directory. Without this fix, a malicious CVS server could cause the CVS client to attempt to create files at arbitrary locations thus gaining control over the user account. This problem has been brought to the attention of CVS developers and distribution vendors by Sebastian Krahmer of SuSE. Additionally, CVS server has been further restricted to disallow the use of relative pathnames to view files outside of the CVS repository. However, despite this last fix, it should not be assumed that CVS server provides any security against a malicious client being able to access arbitrary files available under the privileges granted to the CVS server at the OS level. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0180 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0405 2004/03/18 Package: openssl SECURITY FIX Severity: low, remote, passive to active Updated to 0.9.6m. This release of OpenSSL fixes a NULL pointer dereference during SSL handshake. If triggered, the bug would cause the remote process or thread to crash. Depending on the application this could lead to a denial of service. For the applications which are a part of Owl, it's only individual invocations of network clients which are affected and may be caused to crash by a malicious server. References: http://www.openssl.org/news/secadv_20040317.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079 2004/02/20 - 2004/02/24 Packages: readline, bash, bc, gdb, lftp Updated readline to 4.3. 2004/02/18 Package: libnids Added a patch to support Prism wireless cards, by Snax of AirSnort project (http://airsnort.shmoo.com). 2004/02/15 Package: libpcap Updated to 0.8.1 2004/02/13 Package: mutt Updated to 1.4.2.1. This release of Mutt is a security fix, but Owl was not affected with its current glibc because of the lack of UTF-8 locales support. 2004/02/08 Package: SimplePAMApps In login(1) and su(1), generate ut_id's consistently with libutempter and OpenSSH (patch from Dmitry V. Levin of ALT Linux). This will make "su -" replace existing utmp entries for the duration of the su session. 2004/02/08 Package: chkconfig Updated to 1.3.9. 2004/01/20 - 2004/01/29 Packages: perl, vim Updated Perl to 5.8.3. 2004/01/21 - 2004/01/28 Packages: links, elinks Links has been replaced with ELinks 0.9.0 and further with 0.9.1. 2004/01/18 Package: owl-startup Added /sbin/service script for Red Hat Linux compatibility. Set net.ipv4.tcp_timestamps = 0 to prevent leaks of the exact system's uptime. There's a detailed comment in /etc/sysctl.conf explaining this option and possible drawbacks of having it set one way or the other. 2004/01/17 Package: procps In top, handle ticks going backwards gracefully. This may happen due to kernel and hardware issues and previously resulted in top reporting absurd idle processor time percentages under high load on SMP systems. 2004/01/14 Package: screen Updated to 4.0.2. 2004/01/10 Package: john Corrected a segfault with --stdin introduced with John 1.6.34.2. 2004/01/05 Package: sysklogd The startup script will now accept command-line options for syslogd and klogd specified in /etc/sysconfig/syslog. $Owl: Owl/doc/CHANGES-2.0,v 1.203.2.1 2011/09/07 07:23:57 solar Exp $