This file lists all significant changes made between the Owl 3.1 branch point (off Owl-current) and the current state of the 3.1-stable branch. The dates shown in braces indicate when an equivalent change went into Owl-current, where applicable. Note that although the 3.1 branch point was created in mid-2014, Owl 3.1 was never released (nor was it intended to be) and the Owl 3.1-stable branch was only released in January 2015. Security fixes have a "Severity" specified for the issue(s) being fixed. The three comma-separated metrics given after "Severity:" are: risk impact (low, medium, or high), attack vector (local, remote, or indirect), and whether the attack may be carried out at will (active) or not (passive). Please note that the specified risk impact is just that, it is not the overall severity, so other metrics are not factored into it. For example, a "high" impact "local, passive" issue is generally of lower overall severity than a "high" impact "remote, active" one - this is left up to our users to consider given their specific circumstances. Per our current conventions, a Denial of Service (DoS) vulnerability is generally considered to have a "low" risk impact (even if it is a "remote, active" one, which is to be considered separately as it may make the vulnerability fairly critical under specific circumstances). Some examples of "medium" impact vulnerabilities would be persistent DoS (where the DoS effect does not go away with a (sub)system restart), data loss, bugs enabling non-critical information leaks, cryptographic signature forgeries, and/or sending of or accepting spoofed/forged network traffic (where such behavior was unexpected), as long as they would not directly allow for a "high" impact attack. Finally, a typical "high" impact vulnerability would allow for privilege escalation such as ability to execute code as another user ID than the attacker's (a "local" attack) or without "legitimately" having such an ability (a "remote" attack). The metrics specified are generally those for a worst case scenario, however in certain cases ranges such as "none to low" or/and "local to remote" may be specified, referring to the defaults vs. a worst case yet "legitimate" custom configuration. In some complicated cases, multiple issues or attacks may be dealt with at once. When those differ in their severity metrics, we use slashes to denote the possible combinations. For example, "low/none to high, remote/local" means that we've dealt with issue(s) or attack(s) that are "low, remote" and those that are "none to high, local". In those tricky cases, we generally try to clarify the specific issue(s) and their severities in the description. Changes made between Owl 3.1 and Owl 3.1-stable. (2020/05/19) 2020/05/20 Package: kernel SECURITY FIX Severity: high, local, active Merged the most relevant fixes from RHEL5's -436, including for the following local vulnerabilities: use-after-free in sys_mq_notify() allowing for a local root compromise and container escape by any user (CVE-2017-11176), divide-by-zero in __tcp_select_window() allowing for a local DoS (CVE-2017-14106), use-after-free in ALSA allowing for a local root compromise by a host user in group "audio" if the vulnerable kernel module is loaded (CVE-2017-15265). Also fixed is an inconsistency in modify_ldt(2)'s memory (de)allocation, which got introduced along with KPTI in our update to -431 and is known as Red Hat's "bug 1584622" and might have had local security impact. References: https://access.redhat.com/errata/RHSA-2018:3822 https://access.redhat.com/errata/RHSA-2018:2172 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11176 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14106 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15265 https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part1.html (2018/07/03) 2018/07/03 Package: gnupg SECURITY FIX Severity: medium, local/indirect, passive Updated to 1.4.23, which, compared to 1.4.21, fixes a side-channel leak (CVE-2017-7526) and a bypass of signature verification in third-party programs that invoke GnuPG (CVE-2018-12020). References: http://www.openwall.com/lists/oss-security/2017/07/06/8 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7526 http://www.openwall.com/lists/oss-security/2018/06/08/2 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020 (2018/06/28) 2018/07/03 Package: kernel Fixed a regression introduced with the previous update (to -431) where some 32-bit syscalls would fail with EFAULT on a 64-bit kernel because of improper alignment of the newly introduced KAISER/KPTI trampoline stack. This fix is due to investigation and patch by Pavel Kankovsky and bug report by Chris Bopp. (2018/05/23) 2018/05/23 Packages: procps, procps-ng SECURITY FIX Severity: high, local, passive Replaced procps with procps-ng 3.3.14 plus all Qualys patches fixing a number of issues that Qualys found during their security audit, including some issues that might have allowed successful attacks on a user (or root) invoking top(1) or other procps programs. References: http://www.openwall.com/lists/oss-security/2018/05/17/1 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1122 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1123 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1124 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1125 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1126 (2018/05/21) 2018/05/22 Package: kernel SECURITY FIX Severity: low to high, local, active Updated to 2.6.18-431.el5.028stab123.1. This is a belated (with Owl being barely on life support at this point) addition of kernel page table isolation (KPTI) on x86-64 (only) as a software fix for Meltdown (CVE-2017-5754) - an issue that allowed userspace processes to read kernel memory (except on AMD CPUs). Also included is a fix for the "POP SS" vulnerability (CVE-2018-8897), which allowed for a local DoS attack. However, this update does not mitigate the set of CPU vulnerabilities known as Spectre, although the exposure to them might be lower than it is in newer kernels because of the lack of eBPF. References: https://meltdownattack.com https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754 https://www.triplefault.io/2018/05/spurious-db-exceptions-with-pop-ss.html http://www.openwall.com/lists/oss-security/2018/05/08/4 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8897 (2017/10/25) 2018/05/22 Package: glibc SECURITY FIX Severity: none to high, remote, active Backported upstream fix for the recently discovered glob heap buffer overflow (CVE-2017-15670) and while at it also for integer overflows in pvalloc, valloc, posix_memalign/memalign/aligned_alloc (CVE-2013-4332). References: http://www.openwall.com/lists/oss-security/2017/10/21/5 https://sourceware.org/bugzilla/show_bug.cgi?id=22320 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15670 http://www.openwall.com/lists/oss-security/2013/09/12/6 https://sourceware.org/bugzilla/show_bug.cgi?id=15855 https://sourceware.org/bugzilla/show_bug.cgi?id=15856 https://sourceware.org/bugzilla/show_bug.cgi?id=15857 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4332 (2017/10/19) 2017/10/21 Package: kernel SECURITY FIX Severity: none to high, local, active Updated to 2.6.18-419.el5.028stab122.4. This addresses the issue of Position Independent Executables' (PIE) data potentially overlapping in memory with their stack areas (CVE-2017-1000253). (Un)fortunately, on Owl we do not yet build our SUID/SGID binaries as PIE (which would be a security enhancement if it were not for this issue), so this did not affect Owl itself, but it could affect third-party SUID/SGID binaries installed on Owl (including e.g. as part of third-party distros in containers). The many other security issues also addressed with this upstream update, as compared to the much older upstream revision we built upon previously, had already been fixed or worked around in prior kernel updates for Owl. References: http://www.openwall.com/lists/oss-security/2017/09/26/16 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000253 https://openvz.org/Download/kernel/rhel5/028stab122.4 https://openvz.org/Download/kernel/rhel5/028stab122.3 https://openvz.org/Download/kernel/rhel5/028stab122.2 https://openvz.org/Download/kernel/rhel5/028stab122.1 https://openvz.org/Download/kernel/rhel5/028stab120.3 https://openvz.org/Download/kernel/rhel5/028stab120.2 (2017/06/19) 2017/06/29 Package: kernel SECURITY FIX Severity: none to high, local, active On SUID/SGID exec, limit the size of argv+envp to 512 KiB and the stack size to 10 MiB, similarly to what grsecurity did in 2012. This prevents some of the stack/heap clash attacks described by Qualys, while some others were already prevented for years by our glibc hardening changes. References: http://www.openwall.com/lists/oss-security/2017/06/19/1 https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash (2017/06/15) 2017/06/29 Package: db4 SECURITY FIX Severity: medium to high, local, active Don't open the DB_CONFIG file in the current directory. This unexpected property of db4 could have allowed for local DoS, information leaks, and privilege escalation via programs using db4, including Postfix. Reference: http://www.openwall.com/lists/oss-security/2017/06/15/3 (2017/06/08) 2017/06/29 Package: kernel Backported upstream reimplementation of restricted hard links, controllable via the fs.protected_hardlinks sysctl and enabled by default, similar to what we had as part of CONFIG_HARDEN_LINK in -ow patches and what grsecurity had as part of CONFIG_GRKERNSEC_LINK. This reinforces the group crontab vs. root privilege separation in our package of ISC/Vixie Cron. Reference: http://www.openwall.com/lists/oss-security/2017/06/08/3 (2017/04/02) 2017/04/02 Package: kernel SECURITY FIX Severity: high, local, active Merged upstream fix to locking in net/ipv4/ping.c: ping_unhash(), where the race condition could have been exploited by container root into e.g. container escape. Without a vulnerability in ping(1), the issue was not triggerable by non-root users (neither host nor container). References: http://www.openwall.com/lists/oss-security/2017/03/24/6 http://lists.openwall.net/netdev/2017/03/25/16 (2017/01/25) 2017/01/25 Package: kernel SECURITY FIX Severity: high, local, active Merged in a fix of use-after-free in the recvmmsg() exit path (CVE-2016-7117) from Red Hat's -417. The vulnerability appears likely to be exploitable locally. Remote exploitation might be possible as well, but would require specific (unlikely?) behavior of a service. References: https://blog.lizzie.io/notes-about-cve-2016-7117.html https://access.redhat.com/security/cve/cve-2016-7117 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7117 (2016/12/10) 2016/12/11 Package: kernel Merged in Red Hat's CVE-2016-5195 "Dirty COW" fix while also keeping the mitigation introduced in Owl earlier. In the kernel build for x86-64, bumped up the maximum number of logical CPUs from 32 to 96, enabled support for NUMA, huge pages, hugetlbfs, modules for I2C and many sensors (similar to what's enabled in RHEL) and CPU microcode update. (2016/10/23) 2016/10/24 Package: kernel SECURITY FIX Severity: high, local, active Added a mitigation for the "Dirty COW" Linux kernel privilege escalation vulnerability (CVE-2016-5195). References: http://www.openwall.com/lists/oss-security/2016/10/21/1 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195 (2016/10/17 - 2016/10/21) 2016/10/24 Package: bind SECURITY FIX Severity: low, remote, active Merged multiple DoS vulnerability fixes from Red Hat's package, most notably for two easily triggerable assertion failures (CVE-2016-2776, CVE-2016-2848). References: http://www.openwall.com/lists/oss-security/2016/09/27/8 https://kb.isc.org/article/AA-01419 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2776 http://www.openwall.com/lists/oss-security/2016/10/20/7 https://kb.isc.org/article/AA-01433/74/CVE-2016-2848 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2848 (2016/08/23) 2016/08/23 Package: openssh Backported upstream fix for a use-after-free in sshd's debugging output, with no known security impact. (2016/08/23) 2016/08/23 Package: openssl SECURITY FIX Severity: none to high, remote, active Updated to 1.0.0t, which fixes the "X509_ATTRIBUTE memory leak" (CVE-2015-3195) and "Race condition handling PSK identify hint" (CVE-2015-3196) vulnerabilities. Neither of these affects the uses of OpenSSL in Owl, but third-party applications using Owl's OpenSSL might be affected. The "high" impact potential is for the double-free possibility mentioned in the OpenSSL advisory, even though the OpenSSL team has rated the corresponding issue as "low" overall severity (possibly considering its low risk probability, or/and other mitigating factors). This Owl package update also adds a CA certificate bundle. Reference: https://www.openssl.org/news/secadv/20151203.txt (2016/08/23) 2016/08/23 Package: kernel SECURITY FIX Severity: low, local, active Updated to 2.6.18-408.el5.028stab120.1, which addresses several DoS vulnerabilities, and additionally fixed a kernel panic triggerable via the move_pages() syscall. Reference: https://openvz.org/Download/kernel/rhel5-testing/028stab120.1 (2016/08/23) 2016/08/23 Package: gnupg SECURITY FIX Severity: medium, remote, passive Updated to 1.4.21, which, compared to 1.4.18, fixes side-channel leaks (CVE-2014-3591, CVE-2015-0837) and a bug in the random number generator where an attacker who obtains 4640 bits from the RNG could trivially predict the next 160 bits of output (CVE-2016-6313). References: https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html http://www.openwall.com/lists/oss-security/2016/08/17/8 https://lists.gnupg.org/pipermail/gnupg-announce/2015q4/000382.html https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html http://www.cs.tau.ac.il/~tromer/radioexp/ (2016/07/20) 2016/08/23 Package: passwdqc In version 1.3.1, fixed a bug in pam_passwdqc's rarely used "non-unix" option. The bug existed since passwdqc 1.1.3, released in 2009. Reference: http://www.openwall.com/lists/announce/2016/07/22/1 (2015/02/24 - 2016/07/08) 2016/08/23 Package: john The development changes in JtR, from version 1.8.0.2 to version 1.8.0.9, have now been included in Owl 3.1-stable because they include bug fixes. (2015/08/01) 2015/08/01 Package: openssl SECURITY FIX Severity: none to medium, remote, passive to active Updated to 1.0.0s, which fixes many Low and Moderate severity issues (per OpenSSL's classification), as well as one High severity issue in the client: silent downgrades of RSA to EXPORT_RSA (CVE-2015-0204), with the corresponding attack known as FREAK. References: https://www.openssl.org/news/secadv_20150108.txt https://www.openssl.org/news/secadv_20150319.txt https://www.openssl.org/news/secadv_20150611.txt https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204 https://freakattack.com https://en.wikipedia.org/wiki/FREAK (2015/07/31) 2015/07/31 Package: bind SECURITY FIX Severity: low, remote, active Merged multiple DoS vulnerability fixes from Red Hat's package, most notably for the easily triggerable error in handling of TKEY queries (CVE-2015-5477). References: http://www.openwall.com/lists/oss-security/2015/07/29/3 https://kb.isc.org/article/AA-01272 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477 (2015/06/11) 2015/06/11 Package: kernel SECURITY FIX Severity: high, local, active Fixed OpenVZ container filesystem (simfs) escape vulnerability via bind mounts (CVE-2015-2925). References: https://bugs.openvz.org/browse/OVZ-6296 http://www.openwall.com/lists/oss-security/2015/04/03/7 https://access.redhat.com/security/cve/CVE-2015-2925 https://bugzilla.redhat.com/show_bug.cgi?id=1209367 (2015/06/09) 2015/06/09 Package: kernel SECURITY FIX Severity: high, local, active Updated to 2.6.18-406.el5.028stab119.1. Most importantly, this fixes a possible I/O vector array overrun, which could allow for local privilege escalation (CVE-2015-1805). References: https://openvz.org/Download/kernel/rhel5-testing/028stab119.1 http://rhn.redhat.com/errata/RHSA-2015-1042.html http://www.openwall.com/lists/oss-security/2015/06/06/2 https://openvz.org/Download/kernel/rhel5/028stab118.1 http://rhn.redhat.com/errata/RHSA-2015-0164.html (2015/01/28) 2015/01/28 Package: glibc SECURITY FIX Severity: none to high, remote, active Backported upstream's fix for a buffer overflow in gethostbyname*() functions, which could be triggered via a crafted IP address argument. Depending on the application that uses these functions, this vulnerability could allow a local or a remote attacker to execute arbitrary code. Due to the analysis by Qualys (referenced below), it is known that the issue could be exploited remotely via Exim (which we do not include in Owl) or locally via clockdiff or procmail if these are installed SUID/SGID or with filesystem capabilities (not the case on Owl). While there's no known security impact on Owl itself, Owl with third-party software added (as many real-world installs have) may be affected, with worst-case impact ranging up to a remote root compromise. References: http://www.openwall.com/lists/oss-security/2015/01/27/9 https://blog.qualys.com/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability https://sourceware.org/bugzilla/show_bug.cgi?id=15014 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 (2015/01/04) 2015/01/04 Package: openssl SECURITY FIX Severity: none to medium, remote, active Updated to 1.0.0o, which fixes "Information leak in pretty printing functions" (CVE-2014-3508), "Race condition in ssl_parse_serverhello_tlsext" (CVE-2014-3509), "Session Ticket Memory Leak" (CVE-2014-3567), and adds support for "SSL 3.0 Fallback protection" to let applications mitigate POODLE (CVE-2014-3566). References: https://www.openssl.org/news/secadv_20140806.txt https://www.openssl.org/news/secadv_20141015.txt (2015/01/04) 2015/01/04 Package: bash Updated to 3.1 patchlevel 23. (2015/01/04) 2015/01/04 Package: help2man New package: help2man, which creates simple man pages from the output of programs. It currently generates the diff(1) man page during Owl build. (2014/12/28) 2015/01/03 Package: kernel SECURITY FIX Severity: none to high, local, active Updated to 2.6.18-400.el5.028stab117.2, which most importantly fixes a local privilege escalation vulnerability on x86-64 (CVE-2014-9322). References: https://openvz.org/Download/kernel/rhel5/028stab117.2 http://www.openwall.com/lists/oss-security/2014/12/15/6 https://rhn.redhat.com/errata/RHSA-2014-2008.html https://rhn.redhat.com/errata/RHSA-2014-1959.html https://openvz.org/Download/kernel/rhel5/028stab116.1 https://rhn.redhat.com/errata/RHBA-2014-1196.html https://rhn.redhat.com/errata/RHSA-2014-1143.html https://rhn.redhat.com/errata/RHSA-2014-0926.html (2014/10/25) 2015/01/03 Package: tzdata Updated to 2014i. (2014/09/25 - 2014/09/27) 2015/01/03 Package: bash SECURITY FIX Severity: none to high, remote, active Updated to 3.1 patchlevel 19 with additional patches by Florian Weimer of Red Hat. This fixes vulnerabilities with and introduces security hardening of function imports, which could in many setups be exploited remotely. References: http://www.openwall.com/lists/oss-security/2014/09/24/10 http://www.openwall.com/lists/oss-security/2014/09/24/11 http://www.openwall.com/lists/oss-security/2014/09/24/40 http://www.openwall.com/lists/oss-security/2014/09/25/5 http://www.openwall.com/lists/oss-security/2014/09/25/13 http://www.openwall.com/lists/oss-security/2014/09/25/32 http://www.openwall.com/lists/oss-security/2014/09/26/2 http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html https://access.redhat.com/blogs/766093/posts/1976383 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187 $Owl: Owl/doc/CHANGES-3.1-stable,v 1.1.2.26 2020/05/20 14:30:06 solar Exp $