http://www.openwall.com/Owl/CHANGES-current.shtml - Jun 19, 2013 2:00:38 AM - Oct 12, 2010 5:05:49 PM
2013/04/07 Package: kernel
Updated to 2.6.18-348.3.1.el5.028stab106.2. The only change from our previous kernel revision is OpenVZ's minor bugfix in NFS client code.
Reference:
https://openvz.org/Download/kernel/rhel5/028stab106.2

$Owl: Owl/doc/CHANGES-current,v 1.113 2013/04/08 00:54:50 solar Exp $
https://bugzilla.openvz.org/show_bug.cgi?id=2197
https://bugzilla.openvz.org/show_bug.cgi?id=1815
https://bugzilla.openvz.org/show_bug.cgi?id=1762
https://bugzilla.openvz.org/show_bug.cgi?id=1760
Per our current conventions, a Denial of Service (DoS) vulnerability is generally considered to have a "low" risk impact (even if it is a "remote, active" one, which is to be considered separately as it may make the vulnerability fairly critical under specific circumstances). Some examples of "medium" impact vulnerabilities would be persistent DoS (where the DoS effect does not go away with a (sub)system restart), data loss, bugs enabling non-critical information leaks, cryptographic signature forgeries, and/or sending of or accepting spoofed/forged network traffic (where such behavior was unexpected), as long as they would not directly allow for a "high" impact attack. Finally, a typical "high" impact vulnerability would allow for privilege escalation such as ability to execute code as another user ID than the attacker's (a "local" attack) or without "legitimately" having such an ability (a "remote" attack).
2013/02/22 Package: gnupg
Severity: medium, indirect, passive
Updated to 1.4.13. This version fixes a memory corruption bug (CVE-2012-6085). The bug allowed an attacker to crash gpg(1) and corrupt the public keyring database file. Arbitrary code execution was not possible because the attacker cannot control the corrupted data. The corrupted data is stored in the keyring file, so the DoS effect is persistent, but the keyring can be manually restored by recovering from the pubring.gpg~ backup file (which is created by gpg(1) itself).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6085
https://bugzilla.redhat.com/show_bug.cgi?id=891142
http://www.openwall.com/lists/oss-security/2013/01/01/6
2013/02/22 Package: kernel
SECURITY FIX
Severity: none to low, local/indirect, active/passive
Updated to 2.6.18-308.20.1.el5.028stab104.3. Enabled CONFIG_EFI_PARTITION=y (GUID Partition Table (GPT) support) and CONFIG_SOUND=m (the sound card driver subsystem) with the same set of drivers as in RHEL5. The corresponding RHEL5 kernel updates fix a divide-by-zero flaw in the ext4 filesystem code (CVE-2012-2100), which could be triggered via a corrupted ext4 filesystem. This is only a security issue if untrusted users are permitted to mount filesystems or/and when mounting filesystems from untrusted sources; other and worse attacks are likely possible in those cases, thereby making this one fix relatively unimportant. Red Hat has also fixed a flaw in the dl2k driver (CVE-2012-2313), which is not included in our kernel builds.
References:
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab104.3
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab104.2
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab104.1
http://rhn.redhat.com/errata/RHSA-2012-1445.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2100
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab103.1
http://rhn.redhat.com/errata/RHSA-2012-1174.html

SECURITY FIX
Severity: low/low to high, remote/local, active
Updated to 2.6.18-274.18.1.el5.028stab098.1, which fixes an IGMP remote DoS over LAN (CVE-2012-0207), two ext4 filesystem local DoS flaws (CVE-2011-3638, CVE-2011-4086), and a flaw in handling of robust list pointers of user-space held futexes across execve(2) calls (CVE-2012-0028), which could be used for privilege escalation via a SUID/SGID program that is multi-threaded or/and has a memory-mapped device, file, or shared memory segment (Owl does not include such SUID/SGID programs). Introduced the previously missed RLIMIT_NPROC check into fs/compat.c: compat_do_execve() (used by 32-bit program binaries on 64-bit kernel). Introduced protection against unintended self-read by a SUID/SGID program of /proc/<pid>/mem and /proc/<pid>/*maps files, based on approaches taken in recent grsecurity patches. Made the kernel.dmesg_restrict sysctl tri-state and container-aware. Enabled CONFIG_NFSD=m, CONFIG_CIFS=m, CONFIG_NET_SCHED=y, CONFIG_NET_RADIO=y, CONFIG_PCCARD=m and lots of WiFi drivers as modules.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0207
http://womble.decadent.org.uk/blog/igmp-denial-of-service-in-linux-cve-2012-0207.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=654876
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3638
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4086
2012/08/18 Package: openssl
SECURITY FIX
Severity: none to medium, remote, passive to active
Updated to 1.0.0j. This release corrects a buffer over-read flaw in the handling of CBC mode ciphersuites in DTLS. No DTLS-using programs are included in Owl, so it'd take a third-party program to make this flaw actually triggerable on Owl.
References:
http://www.openssl.org/news/secadv_20120510.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2333

2012/08/18 Package: xinetd
SECURITY FIX
Severity: none to medium, remote, active
Updated to 2.3.15, which corrects an access control bypass vulnerability in the normally disabled tcpmux service.
References:
http://www.openwall.com/lists/oss-security/2012/05/09/5
https://bugzilla.redhat.com/show_bug.cgi?id=790940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0862

2012/08/18 Package: kernel
SECURITY FIX
Severity: low, local, active
Updated to 2.6.18-308.11.1.el5.028stab102.1. The corresponding RHEL5 kernel update fixes a flaw in the epoll subsystem, which could be used for a local DoS attack. Other security flaws reported as fixed in the release notes referenced below do not affect Owl's builds of the kernel (they're in Xen and extended taskstats functionality, which we do not include).
References:
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab102.1
http://rhn.redhat.com/errata/RHSA-2012-1061.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3375
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab101.1

2012/08/14 Package: glibc
Corrected the processing of '\x80' characters in extended DES-based crypt(3) hashes. A related issue affecting traditional DES-based crypt(3) hashes is known as CVE-2012-2143 in other projects using the same FreeSec code, but luckily in Owl we've been using this code only for the extended hashes (continuing to use upstream glibc's UFC-crypt for traditional ones), and these were only affected in terms of compatibility (with BSD/OS and certain other implementations), but not security. Hence, this is not a security fix.
2012/08/14 Package: slang
Dropped S-Lang from Owl. We never made use of it in Owl itself.

2012/08/14 Package: binutils
Updated to 2.23.51.0.1.

2012/07/23 Package: tcsh
Updated to 6.18.01.

2012/05/12 Package: binutils
Updated to 2.22.52.0.1.
2012/05/08 Package: syslinux
Updated to 4.05.

2012/05/08 Package: lftp
Updated to 4.3.6. Corrected an assertion failure with torrent peer id generation when the lftp PID is above 65535. Added a patch proposed by upstream to always obtain and report exact file timestamps.
2012/05/06 Package: openssl
Updated to 1.0.0i.

2012/05/06 Package: kernel
SECURITY FIX
Severity: low to high, local, active
Updated to 2.6.18-308.4.1.el5.028stab100.2, which includes a fix for excessive in-kernel CPU time consumption when creating large nested epoll structures (CVE-2011-1083) as reported by Nelson Elhage. Corrected an Owl-specific mm (memory) leak and a reference count overflow possibility (with non-obvious impact) that was inadvertently introduced in 2.6.18-274.18.1.el5.028stab098.1.owl1 and which could be triggered on i686 (not x86_64) on read attempts from /proc/<pid>/*maps by other than the same program instance that opened these special files. Reverted the dmesg_restrict sysctl tri-state feature in favor of the approach taken by OpenVZ.
References:
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab100.2
http://wiki.openvz.org/Download/kernel/rhel5-testing/028stab099.4
http://wiki.openvz.org/Download/kernel/rhel5/028stab099.3
http://rhn.redhat.com/errata/RHSA-2012-0150.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1083
http://www.openwall.com/lists/oss-security/2011/03/02/1
http://www.openwall.com/lists/oss-security/2011/03/02/2
http://bugzilla.openvz.org/show_bug.cgi?id=2197

2012/05/02 Package: strace
Updated to 4.7.
2012/04/22 Package: hdparm
Updated to 9.39, added packaging of the wiper.sh script (SSD trimming).

2012/03/03 Package: gcc
Updated to 4.6.3.
2012/02/25 Package: kernel
Updated to 2.6.18-274.18.1.el5.028stab098.1. Introduced the previously missed RLIMIT_NPROC check into fs/compat.c: compat_do_execve() (used by 32-bit program binaries on 64-bit kernel). Introduced protection against unintended self-read by a SUID/SGID program of /proc/<pid>/mem and /proc/<pid>/*maps files, based on approaches taken in recent grsecurity patches. Made the kernel.dmesg_restrict sysctl tri-state and container-aware. Enabled CONFIG_NFSD=m, CONFIG_CIFS=m, CONFIG_NET_SCHED=y, CONFIG_NET_RADIO=y, CONFIG_PCCARD=m and lots of WiFi drivers as modules.
References:
http://wiki.openvz.org/Download/kernel/rhel5/028stab098.1
http://rhn.redhat.com/errata/RHSA-2012-0107.html
http://www.openwall.com/lists/oss-security/2012/02/08/2

2012/02/18 Package: glibc
Enabled building of UTF-8 locales by default (adds 6.5 MB to glibc .rpm package size and 36 MB to installed system size on a filesystem with 4 KB blocks, unfortunately).
2012/02/12 - 2012/02/18 Package: gcc; Owl/build/.rpmmacros
Enabled -Wl,-z,relro and -Wl,-z,now by default as a security hardening measure, rebuilt all packages. In most cases the performance impact is non-existent or negligible. To disable these options (for whatever reason), pass -Wl,-z,norelro and -Wl,-z,lazy to gcc, respectively. Note: ld(1) still uses -z norelro and -z lazy by default; only gcc's defaults are changed. (We already had -Wl,-z,relro in Owl/build/.rpmmacros since 2011/11/04; now that change is reverted in favor of gcc's change of default, and we've also added -Wl,-z,now.)
References:
http://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only/
http://tk-blog.blogspot.com/2009/02/relro-not-so-well-known-memory.html
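Whether a rebuilt binary actually got the relro/now defaults described in the gcc entry above can be confirmed from the binary itself: "-z relro" produces a PT_GNU_RELRO program header, and "-z now" sets DF_BIND_NOW in DT_FLAGS (and DF_1_NOW in DT_FLAGS_1) in the dynamic section. The checker below is an added example, not part of Owl or its build system; it reads those two structures directly with the standard ELF32/ELF64 layouts from elf.h, classifies the result the way checksec-style tools do ("full" = relro + now, i.e. gcc's new default; "partial" = relro only, the earlier .rpmmacros setting; "none" = norelro/lazy), and includes build_test_elf(), a constructed minimal ELF image (headers plus a dynamic section, not loadable) so the logic can be exercised offline. check_file() takes a real path.

```python
import struct

PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552            # PT_LOOS + 0x474e552 (elf.h)
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1     # both are set by "-z now"


def _layout(data):
    """Parse the ELF header: (is64, phoff, phentsize, phnum, phdr_fmt, dyn_fmt)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        phoff = struct.unpack_from(end + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        return is64, phoff, phentsize, phnum, end + "IIQQQQQQ", end + "qQ"
    phoff = struct.unpack_from(end + "I", data, 28)[0]
    phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    return is64, phoff, phentsize, phnum, end + "IIIIIIII", end + "iI"


def _dynamic_flags(data, off, size, dyn_fmt):
    """Walk the PT_DYNAMIC entries and return the DT_FLAGS and DT_FLAGS_1 values."""
    flags = flags1 = 0
    step = struct.calcsize(dyn_fmt)
    for pos in range(off, off + size, step):
        tag, val = struct.unpack_from(dyn_fmt, data, pos)
        if tag == DT_NULL:
            break
        if tag == DT_FLAGS:
            flags = val
        elif tag == DT_FLAGS_1:
            flags1 = val
    return flags, flags1


def relro_status(data):
    """Classify as checksec does: 'full' (GNU_RELRO + BIND_NOW), 'partial', or 'none'."""
    is64, phoff, phentsize, phnum, phdr_fmt, dyn_fmt = _layout(data)
    has_relro = bind_now = False
    for i in range(phnum):
        f = struct.unpack_from(phdr_fmt, data, phoff + i * phentsize)
        # ELF64 stores p_flags second, ELF32 stores it after p_memsz, so the
        # field indexes of p_type / p_offset / p_filesz differ between classes.
        p_type, p_offset, p_filesz = (f[0], f[2], f[5]) if is64 else (f[0], f[1], f[4])
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            flags, flags1 = _dynamic_flags(data, p_offset, p_filesz, dyn_fmt)
            bind_now = bool(flags & DF_BIND_NOW or flags1 & DF_1_NOW)
    if has_relro and bind_now:
        return "full"        # what "-Wl,-z,relro -Wl,-z,now" produces
    return "partial" if has_relro else "none"


def check_file(path):
    """Report the RELRO status of an on-disk binary, e.g. check_file("/bin/ls")."""
    with open(path, "rb") as fh:
        return relro_status(fh.read())


def build_test_elf(relro=True, now=True, is64=True):
    """Constructed sample: a minimal little-endian ELF image (headers plus a
    dynamic section, nothing loadable) so the checker can be run offline."""
    dyn = ([(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)] if now else []) + [(DT_NULL, 0)]
    if is64:
        dyn_fmt, phdr_fmt, ehsize, phentsize, ehdr_fmt = "<qQ", "<IIQQQQQQ", 64, 56, "<HHIQQQIHHHHHH"
    else:
        dyn_fmt, phdr_fmt, ehsize, phentsize, ehdr_fmt = "<iI", "<IIIIIIII", 52, 32, "<HHIIIIIHHHHHH"
    dyn_bytes = b"".join(struct.pack(dyn_fmt, t, v) for t, v in dyn)
    phnum = 2 if relro else 1
    dyn_off = ehsize + phnum * phentsize    # dynamic section follows the program headers
    n = len(dyn_bytes)
    if is64:   # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        phdrs = [struct.pack(phdr_fmt, PT_DYNAMIC, 6, dyn_off, 0, 0, n, n, 8)]
        if relro:
            phdrs.append(struct.pack(phdr_fmt, PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    else:      # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
        phdrs = [struct.pack(phdr_fmt, PT_DYNAMIC, dyn_off, 0, 0, n, n, 6, 4)]
        if relro:
            phdrs.append(struct.pack(phdr_fmt, PT_GNU_RELRO, 0, 0, 0, 0, 0, 4, 1))
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1, 1, 0]) + b"\x00" * 8
    # e_type=ET_DYN, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack(ehdr_fmt, 3, 62 if is64 else 3, 1, 0, ehsize, 0, 0,
                               ehsize, phentsize, phnum, 64 if is64 else 40, 0, 0)
    return ehdr + b"".join(phdrs) + dyn_bytes


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, check_file(p))
    print("constructed sample:", relro_status(build_test_elf()))
```

Run it with one or more binary paths to audit an installed system; a package built with the gcc defaults above should report "full" for every dynamically linked executable and shared library, and anything reporting "partial" or "none" was linked with -z lazy or -z norelro (or by a tool that bypasses gcc, since ld(1) itself keeps the old defaults).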