|
|
This file lists the major changes made between Owl releases. While
some of the changes listed here may also be made to a stable branch,
the complete lists of stable branch changes are included with those
branches and as errata for the corresponding Owl releases only.
This is very far from an exhaustive list of changes. Small changes to individual packages won't be mentioned here unless they fix a security or a critical reliability problem. They are, however, mentioned in change logs for the packages themselves.
Changes made between Owl 1.1 and Owl 2.0.
2006/01/18 Package: strace Updated to 4.5.14.
2006/01/18 Package: pam Updated to 0.99.3.0.
2006/01/18 Package: libutempter Updated to 1.1.4.
2006/01/14 Package: nmap Updated to 3.95.
2006/01/07 - 2006/01/11 Package: bash Updated to 3.1 patchlevel 5.
2006/01/05 Package: postfix Updated to 2.2.8.
2006/01/05 Package: glibc SECURITY FIX Severity: none to low, N/A, N/A Corrected a bug in the way salts for extended DES-based and for MD5-based password hashes are generated with the crypt_gensalt*() family of functions; thanks to Marko Kreen for discovering and reporting this. The bug would result in a higher than expected number of matching salts with large numbers of password hashes of the affected types generated on an Owl system through a mechanism that uses the affected glibc functions (such as pam_tcb). If the password hashes would ever be compromised (e.g., by exploiting another vulnerability), it would be possible to test candidate passwords against them at a faster effective rate because of this bug. The Blowfish-based (bcrypt) hashes that Owl has always been using by default and the traditional DES-based crypt(3) hashes were not affected.
2005/12/30 Package: dialog Updated to 1.0-20051219.
2005/12/27 Package: pam Updated to 0.99.2.1. Moved pam_stack into a new pam-compat subpackage.
2005/12/27 Package: tcb Implemented OpenPAM support. Updated pam_tcb to use new interfaces provided by Linux-PAM >= 0.99.1.0.
2005/12/26 Package: diffstat Updated to 1.41.
2005/12/26 Package: hdparm Updated to 6.3.
2005/12/25 Package: man Updated to 1.6b.
2005/12/24 Package: gcc Updated to 3.4.5.
2005/12/24 Packages: db4, pam, perl, postfix; Owl/build/{installorder.conf,installworld.sh} Updated db4 to 4.2.52.
2005/12/24 Package: chkconfig Updated to 1.3.25.
2005/12/23 Packages: libnet, libnids; Owl/build/installorder.conf Updated libnet to 1.1.3-RC-01 and libnids to 1.20.
2005/12/18 Package: vim Updated to 6.4 patchlevel 4.
2005/10/09 - 2005/12/16 Package: john The handling of LM hashes has been enhanced to use case insensitive comparisons of the encodings when eliminating duplicate and already-cracked hashes at load time and when displaying cracked passwords. The way nouns ending in "z" and "h" are pluralized with the "p" wordlist rules command has been corrected. A workaround for OpenAFS has been added to unafs. Any charset file changes will now be detected when restoring sessions. The supplied charset files and password.lst have been updated. A new pre-defined "incremental" mode "Alnum" (for alphanumeric) has been added. A bug with the handling of break statements with nested loops in the external mode compiler has been fixed.
2005/12/13 Package: postfix Updated to 2.2.7.
2005/12/11 Package: man-pages; Owl/build/installorder.conf Updated to 2.16, including the addition of POSIX man pages in their own subpackage.
2005/12/08 Package: findutils Updated to 4.2.27.
2005/12/06 Package: perl
Backported upstream fix for a potential integer overflow in perl format
string functionality. Third-party software which passes untrusted input
into format strings may allow attackers to overwrite arbitrary memory
in the Perl interpreter and possibly execute arbitrary code via format
string specifiers with large values.
Reference:
2005/11/27 Package: vsftpd Updated to 2.0.3.
2005/11/26 kernel Updated to Linux 2.4.32-ow1.
2005/11/22 Package: gnupg Updated to 1.4.2.
2005/11/18 Package: libpcap Updated to 0.9.4.
2005/11/16 Package: cpio SECURITY FIX Severity: high, local, passive
Backported upstream fix for a potential stack-based buffer overflow in
cpio. When cpio is used by a privileged user to archive files created
by a less privileged user, it is possible to overflow a buffer on the
stack with a very large sparse file. This issue only affects 64-bit
platforms.
Reference:
2005/11/16 Package: grep Updated to 2.5.1a.
2005/11/14 Packages: traceroute, iputils; Owl/build/installorder.conf Replaced traceroute with Olaf Kirch's implementation. Packaged traceroute6 binary within traceroute package.
2005/11/14 Package: cvs Updated to 1.11.21.
2005/11/13 Package: postfix Introduced "postqueue" control(8) facility to restrict queue views and runs.
2005/11/12 Package: tar Updated to 1.15.1 with backported fixes from tar CVS and patches from ALT Linux and Debian.
2005/11/12 Package: quota Updated to 3.13.
2005/11/12 Package: patch Updated to 2.5.9.
2005/11/12 Package: sed Updated to 4.1.4.
2005/11/11 Package: indent New package: a program for formatting C source code.
2005/11/09 Package: glibc Updated to 2.3.6.
2005/11/08 Packages: tinycdb, pcre, postfix, nmap New packages: constant database library, Perl-compatible regular expression library. Enabled CDB database type and PCRE lookup tables support in Postfix.
2005/11/07 Package: coreutils Updated to 5.93.
2005/10/30 Package: procmail Updated to 3.22 with patches from ALT Linux and Debian. Fixed a procmail bug which could result in mailbox corruption when running into a disk quota or a full partition.
2005/10/29 Packages: openssh, pam, popa3d, shadow-utils, SimplePAMApps, vixie-cron, vsftpd Changed PAM config files to use new "include" directive.
2005/10/26 Package: modutils Integrated module-init-tools for Linux 2.6.x readiness, based on patches from ALT Linux.
2005/10/24 Package: SysVinit Updated to 2.86.
2005/10/23 Package: file Updated to 4.16.
2005/10/23 Package: strace SECURITY FIX Severity: high, local, passive Applied upstream fix for a potential buffer overflow in printpathn(). When "strace -p" is used by a privileged user to attach to a less privileged process, the latter may overflow a static fixed-size buffer with arbitrary data of arbitrary length.
2005/10/23 Package: zlib Updated to 1.2.3.
2005/10/23 Package: coreutils Updated to 5.92.
2005/10/23 Package: net-tools Updated to 1.60.
2005/10/22 Package: m4 Updated to 1.4.4.
2005/10/21 Package: lilo Updated to 22.7.1 with added patches both to LILO itself and to the mkrescue(8) script.
2005/10/20 Package: kbd Updated to 1.12.
2005/10/20 Packages: openntpd, owl-etc; Owl/build/installorder.conf New package: OpenNTPD is an NTP time synchronization server and client.
2005/10/20 Packages: setarch, sparc32; Owl/build/installorder.conf sparc32 has been replaced with setarch, which is not limited to the SPARC architecture. setarch is an utility to set machine sub-architecture type and Linux kernel personality flags for individual program invocations.
2005/10/20 Package: silo Updated to 1.4.9.
2005/10/20 Package: elfutils-libelf Updated to 0.115.
2005/10/17 Package: rpm Changed package upgrade algorithm to remove old files on "-U --force" even if package versions match. When comparing package versions on -U or -F, take build dates into account.
2005/10/11 Package: openssl SECURITY FIX Severity: low, remote, active
Applied upstream fix for potential SSL 2.0 rollback during SSL handshake.
Applications using either SSL_OP_MSIE_SSLV2_RSA_PADDING or SSL_OP_ALL
option miss a verification step in the SSL 2.0 server supposed to prevent
active protocol-version rollback attacks. With this verification step
disabled, an attacker acting as a "man in the middle" can force a client
and a server to negotiate the SSL 2.0 protocol even if these parties
both support SSL 3.0 or TLS 1.0. The SSL 2.0 protocol is known to have
severe cryptographic weaknesses and is supported as a fallback only.
References:
2005/09/30 Package: tcsh Updated to 6.14.00.
2005/09/29 Package: cvs Updated to 1.11.20 with many patches, primarily from ALT Linux.
2005/09/24 Packages: bind, owl-etc; Owl/build/installorder.conf New package: the ISC BIND server.
2005/09/21 Package: cdk New package: CDK is a widget set developed on top of ncurses.
2005/09/17 Package: findutils Updated to 4.2.25.
2005/09/14 Package: util-linux SECURITY FIX Severity: none to high, local, active
Applied upstream fix to umount(8) to avoid unintentional grant of
privileges by "umount -r". This only affected systems which made
umount available to non-root users with control(8) (by default, only
root can invoke umount) and specified any filesystems with restrictive
flags (such as nosuid or nodev) as user-mountable.
References:
2005/09/05 Package: john All of the documentation has been updated to apply to the current version. The old John the Ripper 1.6 documentation has been removed.
2005/08/30 Package: procps Updated to 3.2.5.
2005/08/23 Packages: pam, tcb, SimplePAMApps; Owl/build/installorder.conf Updated PAM to 0.80. No longer build pam_pwdb, the tcb package will provide compatibility symlinks instead.
2005/08/18 Package: libutempter Updated to 1.1.3.
2005/08/18 Package: sysklogd Applied fixes from CVS snapshot 20050525, imported a few patches from ALT Linux.
2005/08/11 Package: postfix Updated to 2.2.5.
2005/08/10 Package: strace Updated to 4.5.13.
2005/08/08 Package: mtree Updated to version from current OpenBSD (post-3.7). Fixed a number of bugs in mtree spec file creation and parsing, including with processing of filenames starting with the hash character ('#') or containing glob(3) wildcard characters, of comment lines ending with a backslash ('\\'), and of files not ending with a linefeed.
2005/08/03 - 2005/08/08 Package: owl-setup; Owl/doc/INSTALL The shell scripts based Owl setup utility has finally been replaced by the new installer written in C++. There are two programs: "setup", which may be used to (re-)configure the current system (whether CD-booted or installed on a hard drive), and "settle", the Owl installer to be run off an Owl CD to install Owl on a hard drive.
2005/07/28 Package: openssh Added delayed compression support for SSH protocol 2 (a back-port of the changes committed into the OpenBSD CVS repository recently), enabled in sshd by default. With the new default setting, sshd will only allow for compression to be enabled after authentication. Unfortunately, this requires SSH client support as well, meaning that old SSH protocol 2 clients will be unable to use compression with our new sshd at its default setting. SSH protocol 1 has always insisted on authentication prior to compression and thus is unaffected by this change. The rationale for the change is to reduce the exposure of potential vulnerabilities in the code associated with compression (in OpenSSH itself and in zlib). Thanks to Markus Friedl for working on this and for bringing it to our attention.
2005/07/07 Package: lilo Updated to 22.7.
2005/06/30 Package: postfix Updated to 2.2.4.
2005/06/28 Package: xinetd Updated to 2.3.13.
2005/06/25 kernel Updated to Linux 2.4.31-ow1.
2005/06/24 - 2005/06/25 Packages: elinks, lftp, mtree, mutt, nmap, openssh, openssl Updated openssl to 0.9.7g.
2005/06/21 Package: vixie-cron Implemented PAM accounting and session management support.
2005/06/11 - 2005/06/21 Package: findutils Updated to 4.2.23.
2005/06/14 Packages: elfutils-libelf, ltrace New package: elfutils-libelf provides a library for reading and writing ELF files on a high level. Updated ltrace to 0.3.36 (making use of libelf). This makes ltrace work for program binaries built with recent versions of binutils.
2005/06/11 Package: strace Updated to 4.5.12.
2005/05/28 - 2005/05/29 Packages: binutils, gdb SECURITY FIX Severity: high, local, passive
Updated binutils to 2.15.94.0.2.2 and gdb to 6.3. Added sanity
checks to BFD library and readelf utility to avoid integer overflows
(where a specially crafted object file may lead to a heap-based buffer
overflow), fixes for potential stack-based buffer overflows in
readelf utility, and a fix for the .gdbinit issue in gdb.
References:
2005/05/26 Package: libtool Updated to 1.5.18.
2005/05/26 Package: lftp Updated to 2.6.12.
2005/05/20 Packages: gzip, bzip2; Owl/build/installorder.conf SECURITY FIX Severity: high, local, passive
Updated gzip to 1.3.5. Added fixes for directory traversal in
gunzip (where a malicious gzipped file could specify file name
to be extracted to outside of the intended directory tree when
gunzip was used with the -N option), for race condition in the file
permission handling code of gzip and gunzip, and fix of zgrep and
bzgrep utilities to properly sanitize arguments.
References:
2005/05/17 Package: diffutils Updated to 2.8.7.
2005/05/06 - 2005/05/16 Package: bzip2 Updated to 1.0.3.
2005/05/15 Package: glibc Updated to 2.3.5 with post-release changes from 2.3-branch, patches from ALT Linux, Red Hat Fedora, and SuSE, and with our modifications.
2005/04/16 - 2005/05/15 kernel SECURITY FIX Severity: high, local, active
Updated to Linux 2.4.30-ow1 and later to 2.4.30-ow3. Linux 2.4.30
(and thus 2.4.30-ow1) includes a hardening change which makes the ELF
core dump vulnerability discovered by Paul Starzetz unexploitable.
Linux 2.4.30-ow3 includes a real fix for said vulnerability.
References:
2005/05/05 - 2005/05/11 Package: cpio SECURITY FIX Severity: high, local, passive
Updated to 2.6. Added fixes for directory traversal (where a
malicious archive could specify files to be extracted to outside of
the intended directory tree) and for certain race condition issues.
References:
2005/05/07 Packages: coreutils, fileutils, sh-utils, textutils, shadow-utils; Owl/build/installorder.conf Replaced fileutils, sh-utils, and textutils with coreutils (a recent CVS snapshot, post-5.3.0, with patches as maintained in ALT Linux Sisyphus).
2005/04/30 Package: bison Updated to 2.0.
2005/04/25 Packages: automake, patchutils Updated automake to 1.9.5.
2005/04/25 Package: texinfo Updated to 4.8.
2005/02/28 - 2005/04/20 Package: john Implemented a number of bitslice DES set_key*() optimizations resulting in speedups for LM hashes, as well as for traditional DES-based crypt(3) hashes when only a handful of hashes are loaded.
2005/04/10 Package: dhcp dhcpd(8) and dhcrelay(8) will now drop privileges by default (rather than only when the appropriate command line options are given). Previously, they would fail to work when no privilege reduction was requested (a bug).
2005/03/28 Package: telnet SECURITY FIX Severity: high, remote, passive
Corrected the slc_add_reply() and env_opt_add() buffer overflows which
might have allowed a malicious Telnet server to execute arbitrary
machine code within the context of the telnet client process used to
connect to the server.
References:
2005/03/25 Package: e2fsprogs Updated to 1.37.
2005/03/14 Package: vixie-cron Updated to 4.1 as found in OpenBSD CVS snapshot dated 2004/09/16, with further modifications by Owl and ALT Linux teams. This package now also provides at(1) and related commands.
2005/03/05 Package: iproute2
Added a patch to support HTB qdisc, see tc-htb(8) man page.
Reference:
2005/02/22 - 2005/03/03 Package: glibc The OpenBSD-derived strlcpy(3) and strlcat(3) functions are now included in libc_nonshared.a such that they're available with dynamic linking but are nevertheless linked in statically in order to make sure that no programs become dependent on the presence of these extensions in the shared library. The strlcpy(3) and strlcat(3) man pages have been added.
2005/02/19 - 2005/02/21 Package: psmisc Updated to 21.5.
2005/02/06 Package: perl SECURITY FIX Severity: low, local, passive
Corrected File::Path::rmtree to never make directories and files
world-read/writable and updated its documentation to reflect the
remaining security and reliability problems. Thanks to Jeroen van
Wolffelaar for discovering this problem and reporting it to Debian.
Reference:
2005/02/06 Package: cpio SECURITY FIX Severity: low, local, passive
Obey the current umask when creating output files; previously, the
files would be created with mode 666. Thanks to Mike O'Connor for
bringing this up.
Reference:
2005/01/20 kernel SECURITY FIX Severity: high, local, active
Updated to Linux 2.4.29-ow1. Linux 2.4.29, and thus 2.4.29-ow1, adds
a number of security fixes, including to the x86/SMP page fault
handler and the uselib(2) race conditions, both discovered by Paul
Starzetz. The potential of these bugs is a local root compromise.
The uselib(2) bug does not affect default builds of Linux kernels with
the Openwall patch applied since the vulnerable code is only compiled
in if one explicitly enables CONFIG_BINFMT_ELF_AOUT, an option
introduced by the patch.
References:
2005/01/12 - 2005/01/20 Packages: gcc, glibc, SysVinit, crontabs, db4, dhcp, fileutils, gpm, ipchains, lilo, ltrace, mtree, net-tools, procps; Owl/build/.rpmmacros; Owl/build/{installorder.conf,installworld.sh} Updated to GCC 3.4.3 and a post-2.3.3 glibc snapshot. Fixed whatever packages this broke.
2005/01/15 Package: psmisc In pstree(1), implemented support for displaying multiple accessible subtrees when running with the "restricted /proc" kernel patch.
2004/12/04 Package: gnupg Updated to 1.2.6.
2004/11/28 Package: hdparm Updated to 5.8.
2004/11/26 Package: patchutils New package: a collection of programs that operate on patch files.
2004/11/23 - 2004/11/28 kernel; Package: net-tools SECURITY FIX Severity: low to high, local/remote, active/passive
Updated to Linux 2.4.28-ow1. Linux 2.4.28, and thus 2.4.28-ow1, fixes
a number of security-related bugs, including the ELF loader
vulnerabilities discovered by Paul Starzetz (confirmed: ability for
users to read +s-r binaries; potential: local root), a race condition
with reads from Unix domain sockets (potential local root), smbfs
support vulnerabilities discovered by Stefan Esser (confirmed: remote
DoS by a malicious smbfs server; potential: remote root by a malicious
server).
References:
2004/11/11 Package: shadow-utils "useradd" and related tools will now optionally allow user and group names longer than 8 characters, even though these may not be fully supported by the rest of Owl and by third-party software. This is controlled with the added USERNAME_MAX and GROUPNAME_MAX settings in /etc/login.defs, both of which are documented in login.defs(5).
2004/11/05 Package: modutils Updated to 2.4.27.
2004/11/03 Owl/doc/REDHAT New file: a list of known issues with using packages from or intended for Red Hat Linux on Owl.
2004/09/02 - 2004/11/03 Packages: autoconf, automake, gcc, gettext, glibc, libtool, rpm; other affected packages; Owl/build/*; Owl/doc/{BUILD,INSTALL,CONCEPTS} Merged in updates to autoconf 2.59, automake 1.8.3, gcc 3.2.2, gettext 0.14.1, glibc 2.3.2 (with Red Hat's patches as of RHL9 but without NPTL, and indeed updating all of our relevant patches), libtool 1.5.2, rpm 4.2 (with support for db1-format packages database re-introduced to allow for upgrades from older versions of Owl). Applied minor fixes to around 50 other packages this broke. Migrated to FHS 2.2 (packages' documentation and man pages now go under /usr/share).
2004/09/10 - 2004/11/02 Packages: openssl, openssh Updated OpenSSL to 0.9.7d.
2004/09/10 - 2004/09/28 Package: shadow-utils Updated to 4.0.4.1, modified usermod(8) to update the last password change field when invoked with the "-p" option.
2004/09/26 Package: make Updated to 3.80.
2004/09/10 Package: db4 New package: the Berkeley DB version 4.
2004/09/10 Package: strace Updated to 4.5.1.
2004/09/10 Package: quota Updated to 3.11.
2004/08/16 Package: libnids Updated to 1.19.
2004/08/04 - 2004/08/15 kernel SECURITY FIX Severity: none to high, local, active
Updated to Linux 2.4.26-ow3 and further to 2.4.27-ow1. This corrects
the access control check which previously wrongly allowed any local
user to change the group ownership of arbitrary NFS-exported/imported
files and adds a workaround for the file offset pointer races
discovered by Paul Starzetz. The former is only exploitable when
files are NFS-exported from a server running a vulnerable version of
Linux 2.4.x, and the currently publicly known exploit for the latter
relies on code enabled with CONFIG_MTRR kernel build option which has
not been enabled in the default kernels on Owl CDs. However, as the
potential impact of both issues is a local root compromise, an upgrade
of older Linux 2.4.x installs to 2.4.26-ow3+ is highly recommended.
References:
2004/07/27 Package: iptables Updated to 1.2.11.
2004/07/16 - 2004/07/21 Packages: sed, acct, gdbm, man, sh-utils, slang, vim Updated sed to 4.1.1 and other packages' build scripts to make use of the new sed's ability of in-place editing ("sed -i").
2004/07/10 Package: gdb Updated to 6.1.1.
2004/06/22 Package: dhcp Added a bounds checking patch covering sprintf() calls with "%s" format specifier and non-constant strings and forcing the use of snprintf() and vsnprintf() in all places where that was previously supported but not enabled. Thanks to Gregory Duchemin for discovering that some of these actually resulted in a vulnerability in versions of the DHCP suite newer than the one we're using in Owl.
2004/06/19 kernel SECURITY FIX Severity: low to high, local, active
Updated to Linux 2.4.26-ow2. This fixes multiple security-related
bugs in the Linux kernel (those discovered by Al Viro using "Sparse",
fsave/frstor local DoS on x86, infoleak in the e1000 driver, and some
others) as well as two non-security bugs in the -ow patch itself.
Which of these bugs affect a particular build of the Linux kernel
depends on what drivers are compiled in (or loaded as modules). For
the default kernels on Owl CDs, it's only the Intel PRO/1000 Gigabit
Ethernet driver (e1000) which has a vulnerability allowing for more
than a DoS attack fixed with this update.
References:
2004/06/09 Package: shadow-utils SECURITY FIX Severity: none to low, local, active Properly check the return value from pam_chauthtok(3) in chfn(1) and chsh(1). Previously, if chfn and/or chsh commands would be enabled for non-privileged users with control(8), it would have been possible for a logged in user with an expired password to change their "Full Name" and login shell without having to change the password. Thanks to Steve Grubb and Martin Schulze for discovering this problem.
2004/05/18 - 2004/06/09 Package: cvs SECURITY FIX Severity: none to high, remote, active
Added back-ports of fixes for multiple CVS server vulnerabilities,
some of which are known to be exploitable allowing for a malicious
client to execute arbitrary code within the CVS server. Thanks to
Stefan Esser, Sebastian Krahmer, and Derek Robert Price for finding
and fixing these bugs. Despite these fixes, it should not be assumed
that CVS server provides any security against a malicious client. If
required, any restrictions on the actions CVS server is allowed to
perform should be imposed at the OS level.
References:
2004/06/07 Package: openssh SECURITY FIX Severity: high, remote, passive
Fixed directory traversal vulnerability in scp which allowed malicious
SSH servers to overwrite arbitrary files on the client system.
Reference:
2004/06/02 Package: scanlogd chroot to /var/empty to further reduce the impact of potential bugs in scanlogd and the libraries that it uses.
2004/05/19 Packages: tcp_wrappers, openssh, xinetd Added a patch to tcp_wrappers to also build a shared version of the libwrap library.
2004/05/14 Packages: ncurses, procps Updated ncurses to 5.4 with official patches up to 20040508.
2004/05/07 Package: binutils Updated to 2.15.90.0.3.
2004/04/18 kernel; Package: owl-cdrom SECURITY FIX Severity: high, local, active
Updated to Linux 2.4.26-ow1. Linux 2.4.26 (and thus 2.4.26-ow1) fixes
an integer overflow vulnerability in processing of the MCAST_MSFILTER
socket option discovered by Paul Starzetz. When properly exploited,
the bug would lead to a local root compromise. Also included in this
kernel release is a fix for the ext3/XFS information leak discovered
by Solar Designer and a number of other relatively minor fixes. As it
relates to Owl, the kernel image on Owl CDs will now include the
Broadcom Tigon3 Gigabit Ethernet driver and the BusLogic SCSI
controller driver, but will not include support for IrDA (had to drop
it to make room for the extra device drivers).
References:
2004/04/14 Package: cvs SECURITY FIX Severity: high, remote, passive
Added a fix to the CVS client to ensure that pathnames provided by a
CVS server point to within the working directory. Without this fix, a
malicious CVS server could cause the CVS client to attempt to create
files at arbitrary locations thus gaining control over the user
account. This problem has been brought to the attention of CVS
developers and distribution vendors by Sebastian Krahmer of SuSE.
Additionally, CVS server has been further restricted to disallow the
use of relative pathnames to view files outside of the CVS repository.
However, despite this last fix, it should not be assumed that CVS
server provides any security against a malicious client being able to
access arbitrary files available under the privileges granted to the
CVS server at the OS level.
References:
2004/03/18 Package: openssl SECURITY FIX Severity: low, remote, passive to active
Updated to 0.9.6m. This release of OpenSSL fixes a NULL pointer
dereference during SSL handshake. If triggered, the bug would cause
the remote process or thread to crash. Depending on the application
this could lead to a denial of service. For the applications which
are a part of Owl, it's only individual invocations of network clients
which are affected and may be caused to crash by a malicious server.
References:
2004/02/20 - 2004/02/24 Packages: readline, bash, bc, gdb, lftp Updated readline to 4.3.
2004/02/18 Package: libnids Added a patch to support Prism wireless cards, by Snax of AirSnort project (http://airsnort.shmoo.com).
2004/02/15 Package: libpcap Updated to 0.8.1
2004/02/13 Package: mutt Updated to 1.4.2.1. This release of Mutt is a security fix, but Owl was not affected with its current glibc because of the lack of UTF-8 locales support.
2004/02/08 Package: SimplePAMApps In login(1) and su(1), generate ut_id's consistently with libutempter and OpenSSH (patch from Dmitry V. Levin of ALT Linux). This will make "su -" replace existing utmp entries for the duration of the su session.
2004/02/08 Package: chkconfig Updated to 1.3.9.
2004/01/20 - 2004/01/29 Packages: perl, vim Updated Perl to 5.8.3.
2004/01/21 - 2004/01/28 Packages: links, elinks Links has been replaced with ELinks 0.9.0 and further with 0.9.1.
2004/01/18 Package: owl-startup Added /sbin/service script for Red Hat Linux compatibility. Set net.ipv4.tcp_timestamps = 0 to prevent leaks of the exact system's uptime. There's a detailed comment in /etc/sysctl.conf explaining this option and possible drawbacks of having it set one way or the other.
2004/01/17 Package: procps In top, handle ticks going backwards gracefully. This may happen due to kernel and hardware issues and previously resulted in top reporting absurd idle processor time percentages under high load on SMP systems.
2004/01/14 Package: screen Updated to 4.0.2.
2004/01/10 Package: john Corrected a segfault with --stdin introduced with John 1.6.34.2.
2004/01/05 Package: sysklogd The startup script will now accept command-line options for syslogd and klogd specified in /etc/sysconfig/syslog. $Owl: Owl/doc/CHANGES-2.0,v 1.207 2018/05/23 19:32:15 solar Exp $ |