This file lists the major changes made between Owl releases.  While
some of the changes listed here may also be made to a stable branch,
the complete lists of stable branch changes are included with those
branches and as errata for the corresponding Owl releases only.

This is very far from an exhaustive list of changes.  Small changes to
individual packages won't be mentioned here unless they fix a security
or a critical reliability problem.  They are, however, mentioned in
change logs for the packages themselves.


       Changes made between Owl 0.1-prerelease and Owl 1.0.

2002/10/14      Owl/doc/fr/*
Updated French translations.

2002/10/13      Package: postfix
RELIABILITY FIX: Use fcntl(2) locking, not flock(2).

2002/10/12      Package: slang
Updated to 1.4.6.  Reviewed all of the library code for environment
variable uses and restricted those which would be unsafe in SUID/SGID
programs (although such uses of slang are strongly discouraged).

2002/09/20 -
2002/10/07      Owl/doc/ru/*
New files: Russian translations of the documentation, by Gremlin from
Kremlin.

2002/10/05      Package: newt
Dropped newt from Owl, it's a Red Hat'ism that we never made use of.

2002/10/04      Package: owl-setup
Support for LILO boot loader configuration.

2002/10/01      Package: glibc
SECURITY FIX    Severity: none to low, remote, passive to active
Avoid read buffer overruns in glibc itself and applications that
naively assume the length returned by res_* is always less than or
equal to the answer buffer size (CERT VU#738331, CVE CAN-2002-1146),
by truncating the answer in res_send(3); the patch is by Olaf Kirch of
SuSE.  Avoid some potential reads beyond end of undersized DNS
responses; pointed out by Dmitry V. Levin of ALT Linux.

2002/09/28      Package: tar
SECURITY FIX    Severity: high, local to remote, passive to active
Fixed two security bugs and one reliability bug, all introduced in GNU
tar with 1.13.19.  The contains_dot_dot() bug discovered by 3APA3A and
further analyzed by Mark J Cox of Red Hat and Bencsath Boldizsar
resulted in tar following ".." references to outside the intended
directory tree when extracting archives.  Another bug effectively
disabled the symlink safety introduced in 1.13.18 that was meant to
avoid the problem described by Willy TARREAU where tar could be made
to follow a symlink it just extracted and also place a file outside of
the intended directory tree.  Finally, there was a hard link storage
bug discovered by Jose Pedro Oliveira.  Although the two security bugs
are now fixed, please keep in mind that tar has traditionally been
intended for making and extracting tape backups rather than archives
obtained from untrusted sources.  Be very careful with what input you
pass it and what user you run it as.
References:
http://marc.info/?l=bugtraq&m=99496364810666
http://marc.info/?l=bugtraq&m=103314336129887
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1267
http://marc.info/?l=bugtraq&m=90674255917321
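
The kind of member-name check the ".." bug above defeated, as an added
example (this is not GNU tar's code; the function names are
hypothetical).  It treats ".." as dangerous only when it is a whole
path component, and also rejects absolute names:

```c
#include <stdio.h>

/* Hypothetical helper: returns 1 if any '/'-separated component of
 * name is exactly "..", 0 otherwise.  Names such as "..b" or "a.."
 * merely contain two dots and are not parent-directory references. */
int member_has_dotdot(const char *name)
{
    const char *p = name;

    while (*p != '\0') {
        const char *start;

        /* Skip one or more separators ("a//../b" still has a ".."). */
        while (*p == '/')
            p++;
        start = p;
        while (*p != '\0' && *p != '/')
            p++;
        if (p - start == 2 && start[0] == '.' && start[1] == '.')
            return 1;
    }
    return 0;
}

/* Hypothetical policy for extracting an archive from an untrusted
 * source into a directory tree: refuse empty names, absolute names,
 * and names with ".." components.  This name check alone does not
 * cover the symlink case described in the entry above, where a
 * previously extracted symlink redirects a later member. */
int member_name_is_safe(const char *name)
{
    if (name[0] == '\0' || name[0] == '/')
        return 0;
    return !member_has_dotdot(name);
}

int main(void)
{
    /* Constructed sample member names. */
    const char *samples[] = {
        "docs/readme.txt", "../etc/passwd", "a/../../b",
        "a/..b/c", "/etc/passwd", "a//../b"
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-20s %s\n", samples[i],
               member_name_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```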

2002/09/19 -
2002/09/28      Package: xinetd
Updated to 2.3.8 with a new set of minor fixes and then to 2.3.9.

2002/09/17      kernel
Updated to 2.2.22-ow1.

2002/09/10      kernel
SECURITY FIX    Severity: high, local, active
Updated to Linux 2.2.21-ow2 which includes many security fixes for
issues with the Linux kernel discovered during code reviews by Silvio
Cesare, Solar Designer, and others.

2002/09/09      Package: owl-setup
Support for keyboard layout configuration, thanks to Matthias Schmidt.

2002/08/19 -
2002/08/27      Packages: acct, autoconf, automake, bc, binutils,
               bison, cpio, diffutils, e2fsprogs, ed, fileutils,
               findutils, flex, gawk, gcc, gdb, gdbm, glibc, gnupg,
               gpm, grep, gzip, libtermcap, libtool, m4, make,
               readline, screen, sed, tar, texinfo, time
Adjusted Texinfo directory entries such that the menu looks pretty.

2002/08/22      Packages: owl-cdrom, owl-startup
Added a "welcome" script to introduce the user to directory locations
on the CDs.

2002/08/22      Packages: SimplePAMApps, pam
Patched pam_motd to behave on errors and configured it for login(1).

2002/08/13      Package: procmail
Updated to 3.15.2 adding temporary file handling fixes to scripts used
during the builds.

2002/07/30 -
2002/08/12      Package: openssl
SECURITY FIX    Severity: high, remote, passive to active
Applied the official security patches against 0.9.6d and then did a
series of package updates to ensure Owl always contains the fixes for
the currently publicly-known vulnerabilities, ending up with 0.9.6g.
Please refer to the package change log for the intermediate steps that
occurred during this update process.  The vulnerabilities have been
discovered by Ben Laurie and others of A.L. Digital Ltd and The Bunker
under DARPA's CHATS program, by consultants at Neohapsis, and by Adi
Stav and James Yonan.  The patches have been prepared by Ben Laurie
and Dr. Stephen Henson, with one of the fixes partly based on a
version by Adi Stav.  The vulnerabilities affect applications that use
OpenSSL to provide SSL or TLS or use OpenSSL's ASN.1 parsing code on
untrusted input.  It hasn't been fully researched whether OpenSSH is
affected, but the ASN.1 parsing vulnerability may affect OpenSSH's
implementation of SSH protocol 2 in both the server and the client.
As Owl currently only includes SSL clients (lftp and links), only
passive attacks are possible via the SSL/TLS vulnerabilities on
default installs.  If, however, any SSL server software that uses
OpenSSL is added, active attacks will likely become possible as well.

2002/08/04 -
2002/08/12      Packages: fileutils, sh-utils, textutils;
               Owl/build/installorder.conf
Updated fileutils to 4.1.11 with a number of additional patches.

2002/08/11      Package: perl
SECURITY FIX    Severity: none to high, remote, active
Back-ported bound checking fixes for File::Glob from Perl 5.8.0.
Thanks to Pavel Kankovsky for the report and to Michael Tokarev for
discussing other possible approaches to fixing this.  Without these
fixes, it was possible that certain otherwise correct Perl scripts
would expose the lack of bound checking in the Perl module code to be
exploited via user input to those scripts, which, depending on the
nature of such scripts, may be coming from a remote system.

2002/08/11      Package: xinetd
Updated to 2.3.6 adding fixes or workarounds for issues introduced
after 2.3.3 including the signal pipe leak into child processes (a
security hole with 2.3.4+ which never got into Owl).

2002/08/04      Package: glibc
Made the FreeSec code (that supports the extended BSDI-style DES-based
password hashes) reentrant, adjusted crypt*(3) wrappers and the manual
page accordingly.  This means that you no longer have to use the
plain_crypt option with pam_tcb(8) when support for these password
hashes is desired.

2002/08/01      Package: glibc
SECURITY FIX    Severity: low to high, remote, passive to active
Patched two potential integer overflows (and thus buffer overflows) in
calloc(3) and Sun RPC xdr_array(3) code (the latter discovered by ISS
X-Force).  The calloc(3) integer overflow possibility is currently not
known to allow for an attack on a particular application, but has been
patched as a proactive measure.  The Sun RPC xdr_array(3) overflow may
allow for passive attacks on mount(8) by malicious or spoofed NFSv3
servers as well as for both passive and active attacks on RPC clients
or services that one might install on Owl.
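
The class of bug described above, as an added example (this is not the
glibc patch; the function names are hypothetical and the 32-bit
routine is a simplified model of an xdr_array(3)-style size
computation).  An element count multiplied by an element size wraps
around, so the buffer allocated is far smaller than the data the
caller then stores into it:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pre-fix pattern: a 32-bit count times a 32-bit element size with no
 * check.  The product silently wraps modulo 2^32. */
uint32_t unchecked_bytes_u32(uint32_t count, uint32_t elsize)
{
    return (uint32_t)(count * elsize);
}

/* Hardened form: the count (taken from untrusted input) must respect
 * the caller's maximum, and the multiplication must not wrap.
 * Returns 0 and stores the byte count in *bytes, or -1 on rejection. */
int checked_bytes_u32(uint32_t count, uint32_t maxsize, uint32_t elsize,
                      uint32_t *bytes)
{
    if (count > maxsize)
        return -1;
    if (elsize != 0 && count > UINT32_MAX / elsize)
        return -1;
    *bytes = count * elsize;
    return 0;
}

/* The same check applied to a calloc(3)-like allocator: refuse the
 * request instead of allocating a wrapped, undersized block. */
void *checked_calloc(size_t nmemb, size_t size)
{
    size_t bytes;
    void *p;

    if (size != 0 && nmemb > SIZE_MAX / size)
        return NULL;
    bytes = nmemb * size;
    p = malloc(bytes ? bytes : 1);
    if (p != NULL)
        memset(p, 0, bytes);
    return p;
}

int main(void)
{
    /* Constructed input: a count chosen so that count * 4 wraps. */
    uint32_t count = 0x40000001u, elsize = 4, bytes = 0;

    printf("unchecked: %lu elements -> %lu bytes\n",
           (unsigned long)count,
           (unsigned long)unchecked_bytes_u32(count, elsize));
    printf("checked:   %s\n",
           checked_bytes_u32(count, UINT32_MAX, elsize, &bytes) == 0
               ? "accepted" : "rejected");
    printf("checked_calloc(SIZE_MAX / 2 + 1, 2): %s\n",
           checked_calloc(SIZE_MAX / 2 + 1, 2) == NULL
               ? "NULL" : "allocated");
    return 0;
}
```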

2002/07/30      Package: man-pages
Updated to 1.52 with additional corrections.

2002/07/28      Package: mtree
Updated to version from current OpenBSD (post-3.1) which is able to
encode special characters in filenames.

2002/07/21 -
2002/07/28      Packages: pam_passwdqc, pam
Imported the pam_passwdqc(8) manual page back from FreeBSD with minor
corrections to it and the README, also moving the pam.d and pam.conf
pages to section 5 where they belong.

2002/07/23      Package: gawk
Moved profiling gawk (pgawk) into separate subpackage (gawk-profile),
not built or installed by default.  The PostScript documentation is
now installed compressed.

2002/07/14 -
2002/07/18      Package: perl
SECURITY FIX    Severity: low, local, passive
Added File::Temp module to the package and corrected unsafe temporary
file handling in the Configure script, perldoc(1) (patch from ALT
Linux), perlbug(1), perlcc(1) (by updating to the version from Perl
5.6.1 which actually works), s2p(1), c2ph(1), dotsh.pl, perl5db.pl,
and ExtUtils/inst (also making it work with GNU tar).  Applied many
fixes to documentation and code comments to not suggest bad practices
on the use of temporary files.  perlbug(1) will now default to using
vitmp(1).  Corrected the generation of *.ph files and re-considered
which C header files to process during package build by default.  The
package will now try not to include information specific to the
build system's last kernel compile.

2002/07/15      Package: gawk
Updated to 3.1.1 and switched to using Paul Eggert's patch to igawk
which makes it not use temporary files at all.

2002/07/13      Package: texinfo
Updated to 4.2 with an additional temporary file handling fix to
texi2dvi.

2002/06/27 -
2002/07/07      Package: openssh
SECURITY FIX    Severity: none to high, remote, active
Updated to 3.4p1 with a lot of additional modifications to restore
most of the functionality lost or broken with the recent rushed update
to 3.3p1 and to be safer.  Please refer to the package change log for
details.  OpenSSH 3.4p1 fixes the lack of bound checking resulting
in an integer and buffer overflow with the PAMAuthenticationViaKbdInt
code (and thus potentially allowing for a remote server compromise).
On Owl, PAMAuthenticationViaKbdInt has always defaulted to no and is
in fact not supported by our PAM configuration file for OpenSSH.  A
comment in /etc/ssh/sshd_config incorrectly seemed to imply that
PAMAuthenticationViaKbdInt defaulted to yes, which was never the case.
That comment has since been corrected.

2002/07/06      Package: pam
pam_limits will now support stacking for account management (as well
as for session setup), be fail-close on configuration file reads, and
report the "too many logins" via PAM conversation rather than direct
printf(3).  The first change is needed for the new OpenSSH package.

2002/07/04 -
2002/07/05      Package: glibc
SECURITY FIX    Severity: none to high, remote, passive
Back-ported the fix to a buffer overflow affecting network lookups
with getnetby{addr,name}{,_r}(3) family of functions when "dns" is
listed on "networks" line in /etc/nsswitch.conf (which is not the
default).  Added the patch by NISHIMURA Daisuke and Tomohiro 'Tomo-p'
KATO of Vine Linux to fix the DNS resolver buffer overflows affecting
both host and network lookups in the compatibility code that is used
by binaries built against glibc 2.0 (there are no such binaries in Owl
itself).  Improved the code used to produce unpredictable DNS query
IDs to make it generate different sequences of IDs in forked processes
(problem noted by Jarno Huuskonen), conserve the kernel's randomness
pool (based on feedback from Michael Tokarev), and properly reseed
when chrooted.

2002/06/23 -
2002/06/25      Packages: openssh, owl-etc
Updated OpenSSH to 3.3p1 with privilege separation enabled by default
and a patch to make it work on Linux 2.2 (as well as 2.4).

2002/06/21 -
2002/06/22      Owl/build/buildworld.{sh,conf}, Owl/build/Makefile,
               Owl/doc/BUILD
SRPMs are no longer built by default, the old behavior may be restored
by setting BUILDSOURCE=yes in buildworld.conf.  Owl does not use SRPMs
for anything.  The build environment now looks for binary packages to
determine which sources and foreign source packages need to be built.
Individual packages, both native and foreign, may now be (re-)built
with "make PACKAGE=..." as documented in Owl/doc/BUILD.  When building
on SMP, the number of processors will now be detected automatically
unless specified explicitly in buildworld.conf.

2002/06/13      Owl/doc/de/*
New files: German translations of the documentation, from Matthias
Schmidt.

2002/06/10 -
2002/06/13      Package: modutils
Updated to 2.4.16.

2002/06/12      Package: glibc
ldd(1) will no longer try to invoke programs directly, even when it
seems like that would work.  The dynamic linker will be invoked as a
program instead.  This makes a difference primarily when the program
is SGID and is being ldd'ed by root.  If the program was executed
directly, glibc would detect its SGID status and drop LD_* variables,
resulting in the program being actually started rather than ldd'ed.
Thanks to Dmitry V. Levin of ALT Linux for suggesting this solution.
syslog(3) will now use ctime_r() instead of strftime_r() so that month
names will not depend on current locale settings.  The patch is
originally by Michael Tokarev.  The glibcbug script will now use
mktemp(1) in a fail-close way, letting it use $TMPDIR, and will
default to vitmp(1) for the editor.

2002/06/11      Package: bison
Updated to 1.35.

2002/06/09      Packages: owl-dev, owl-hier
Support Linux 2.4.x's /proc/devices entries.  Support and create frame
buffer devices.  Support up to 8 IDE controllers (16 devices), create
device files for 8 IDE devices by default.

2002/05/28 -
2002/06/08      Package: strace;
               Owl/build/installorder.conf
Updated to current CVS version (post-4.4) with an additional fix for
displaying all possible ioctl names when there's more than one match
for a number.  The strace-graph Perl script is now packaged, in its
own subpackage.

2002/06/04      Package: silo
Updated to 1.2.5.

2002/05/30 -
2002/06/03      Package: iputils
Updated to ss020124.

2002/05/25 -
2002/05/27      Package: popa3d
Added two interoperability fixes.  Please refer to the package change
log for details.

2002/05/27      kernel
Updated to Linux 2.2.21-ow1.  This changes certain permissions on
/proc entries, fixes the getcwd(2) instance of the d_path() truncation
problem in the Linux kernel pointed out by Wojciech Purczynski on
public mailing lists, and fixes the fsuid/fsgid handling inconsistency
in the Linux kernel discovered by Hao Chen.

2002/05/19      Packages: screen, pam, tcb, utempter, owl-etc
RELIABILITY FIX: Grant screen(1) access to both chkpwd and utempter
helpers such that screen session (un)locking works in our default
install.  Previously, locked screen sessions couldn't be unlocked by
the user because of screen not being able to possess and make use of
the privilege of validating the user's password.

2002/05/17 -
2002/05/19      Package: gnupg
Updated to 1.0.7.

2002/05/14      Package: findutils
Updated to 4.1.7.

2002/05/12      Package: openssl
Updated to 0.9.6d with a patch by Ben Laurie for "openssl dgst" to
behave on read errors and additional corrections to the package.

2002/05/09      Package: vixie-cron
SECURITY FIX    Severity: none to low, local, active
Ensure all files are closed in crontab(1) when the editor is run.
This fixes the problem pointed out by Paul Starzetz on Bugtraq where
crontab(1) could leak read-only access to /etc/cron.{allow,deny} even
if those files are made readable to just group crontab.

2002/04/25      Package: e2fsprogs
Updated to 1.27 (ext3fs support).

2002/04/19 -
2002/04/25      Packages: vim, bash, quota, vixie-cron
Updated vim to 6.1 patchlevel 18, with various additional changes to
the package.  The package now includes vitmp(1), a wrapper around VIM
to be used for editing temporary files with in-place rewrites.  It is
now the default editor for crontab(1), edquota(8), the "fix command"
(fc) history editor in bash, and the bashbug script.

2002/04/10      Package: john
New package: John the Ripper, a fast password cracker.

2002/04/02      Package: vsftpd
Updated to 1.0.2pre3, made use of the new option to hide numeric IDs.

2002/04/01 -
2002/04/02      Packages: iproute2, owl-cdrom, owl-startup,
               pam_mktemp, pam_userpass, traceroute
Applied modifications to better support Alpha in the distribution as a
whole.  Marked owl-cdrom x86-specific because at this stage it really
is.  /proc is now mounted early as needed for hwclock(8) and glibc's
I/O port access routines.  traceroute(8) should no longer do unaligned
accesses on 64-bit architectures.

2002/03/30      Package: stmpclean
New package: a safe temporary directory cleaner.  Modifications have
been applied for extra safety and to provide tmpwatch emulation.

2002/03/22 -
2002/03/24      Package: acct
Applied bug fixes to sa(8) to properly report real time in minutes or
seconds and to lastcomm(1) to properly report process creation times
on 64-bit architectures.  Heavy documentation corrections and cleanups
(both man pages and texinfo).

2002/03/22      Package: popa3d
Re-worked all of the UIDL calculation, adding support for multi-line
headers and re-considering which headers to use.

2002/03/13 -
2002/03/21      Package: pam_mktemp
Make the /tmp/.private directory append-only (where supported) such
that the directory or its subdirectories don't get removed by a /tmp
cleaner.  A third-party /tmp cleaner may complain, but that isn't as
bad as removing the directories could be.

2002/03/20      Packages: glibc, pam_mktemp, pam_passwdqc,
               pam_userpass, popa3d, scanlogd, tcb;
               Owl/build/buildworld.sh, Owl/build/Makefile
The non-Owl-specific pieces of software developed by the Openwall team
now live in the Owl CVS tree.  This includes crypt_blowfish (a part of
the glibc package), pam_mktemp, pam_passwdqc, pam_userpass, popa3d,
scanlogd, and tcb.  For these, the updated buildworld script may now
produce source archives which we may be releasing separately from Owl.
Of course, the corresponding Owl packages are built as usual.

2002/03/17      Package: openssh
Updated to 3.1p1.

2002/03/15      Package: dev86
Updated to 0.16.0.

2002/03/13      Package: zlib
Updated to 1.1.4.

2002/03/13      Package: logrotate
Updated to 3.6.2.

2002/03/05      Package: openssh
SECURITY FIX    Severity: high, local/remote, active/passive
Patched an off-by-one channel ID check bug discovered by Joost Pol.
The bug could be exploited by either a user able to log in to a
vulnerable OpenSSH server or a malicious SSH server attacking a
vulnerable OpenSSH client.  If successful, this could let one execute
arbitrary code in the context of the remote server or client process.

2002/03/03      kernel
SECURITY FIX    Severity: medium to high, local to remote, active
Updated to Linux 2.2.20-ow2.  This fixes an x86-specific vulnerability
in the Linux kernel discovered by Stephan Springl where local users
could abuse a binary compatibility interface (lcall) to kill processes
not belonging to them (including system processes).  Additionally, a
kernel instance of the zlib double-free vulnerability is now fixed.
Fortunately, the affected parts of the Linux kernel (Deflate
compression support for PPP and the experimental Deflate compression
extension to IrDA) are normally not used by the Owl userland.

2002/02/15      Package: lilo
Updated to 22.1.

2002/02/13      Packages: owl-startup, SysVinit
Don't unlink the old /sbin/init on SysVinit package upgrades as that
would actually leave it pending for delete on process termination and
prevent remounting the filesystem read-only during shutdown.  Avoid
the same problem with glibc upgrades by linking /sbin/init statically.
Combined with the swapoff(2) fix in Linux 2.2.20-ow1+, this completes
the changes needed for system shutdown to work cleanly after a "make
installworld" over the running system.

2002/02/11      Packages: zlib, rpm, texinfo
SECURITY FIX    Severity: high, remote, active
There was a vulnerability in the zlib data compression library which,
on certain invalid input to decompression, could cause segments of
dynamically allocated memory to be deallocated twice (a double-free
bug).  The second attempt at deallocation would incorrectly treat what
may happen to be user-supplied input as data structures internal to
the dynamic memory implementation.  As a result, the worst case impact
is the ability to execute arbitrary code within the context of the
process doing decompression via carefully crafted invalid "compressed"
input.
On Owl, the zlib vulnerability affected the following packages: gnupg,
openssh, rpm, texinfo, and any third-party software which may use the
library.  Of these, the rpm and texinfo packages contain binaries
statically linked against zlib and thus needed a rebuild.  They now
have a build dependency on the corrected version of zlib.
OpenSSH could potentially allow for an active remote attack resulting
in a root compromise.  If only SSH protocol version 1 is allowed in
the OpenSSH server this is reduced to a local attack on the server,
but reverse remote attack possibilities by a malicious server remain.

2002/01/24 -
2002/02/08      Owl/doc/CONVENTIONS;
               Owl/build/buildworld.sh, Owl/build/installworld.sh;
               Owl/packages/*
Defined and moved to new package version numbering conventions which
should let us better support multiple branches.  At the same time any
previously specified conventions have been actually enforced for old
packages, heavy cleanups applied to all of the RPM spec files, and
lots of minor improvements to the packages have been made.

2002/02/07      Package: iproute2
New package: enhanced IP routing configuration tools.

2002/02/07      Owl/doc/fr/{DOWNLOAD,INSTALL,CONVENTIONS}
Updated French translations, from Denis Ducamp.

2002/02/01      Package: bzip2
Updated to 1.0.2, with significant changes to the way the package is
built.

2002/01/24      Package: bison
Updated to 1.32.

2002/01/11      Package: openssl
Updated to 0.9.6c.

2001/12/22 -
2001/12/26      Package: postfix
Hardening of the Postfix queue file permissions and access methods, in
case someone compromises the postfix account.  The fixes are by Wietse
Venema and have been back-ported from the 20011217 snapshot.  Thanks
to Michael Tokarev for his help in handling these issues.  At the same
time, additional postfix-script fail-closeness fixes have been applied
and the package has been updated to 19991231-pl13.

2001/12/16      Package: vsftpd
New package: a File Transfer Protocol (FTP) server.

2001/12/14      Package: glibc
SECURITY FIX    Severity: none to high, remote, active
Back-ported a glob(3) buffer overflow fix from the CVS.  The bug has
been discovered and an initial patch produced by Flavio Veloso of
Magnux.  While no Owl package is known to be affected by this glibc
bug, it is likely that it may result in a security hole with certain
third-party software such as FTP servers which support globbing and
make use of the glob(3) interface.  At the same time, asprintf(3) and
vasprintf(3) have been modified to behave on errors and match the
semantics of Todd Miller's implementation found on *BSD.  Thanks to
Dmitry V. Levin of ALT Linux for discovering and looking into these
issues.

2001/12/12      Package: openssh
SECURITY FIX    Severity: none to high, local, active
Updated to 3.0.2p1 which fixes a security problem with UseLogin where,
if UseLogin is enabled in the sshd configuration, a local user could
gain root access by passing arbitrary environment variable settings to
login(1) via authorized_keys file options.  UseLogin has never been
enabled on Owl by default and its use is discouraged.

2001/12/10      Package: ipchains
New package: an interface to the Linux IP packet filtering code.

2001/11/27      Package: logrotate
Updated to 3.5.9 with additional corrections.

2001/11/25      Package: telnet
New package: Telnet protocol client and server ported from OpenBSD
(post-3.0), with significant modifications.  The Telnet protocol
handling in telnetd is performed in a process running as a dedicated
pseudo-user and chrooted to /var/empty.  This uses the approach
introduced by Chris Evans in his NetKit telnetd patches, but the code
is different.  Please refer to the change log for the package itself
for descriptions of the many modifications applied during the week
this package was in development.

2001/11/22      Owl/doc/CONVENTIONS
New file: explains some of the conventions to follow for those wishing
to contribute to the project.

2001/11/19      Packages: SimplePAMApps, pam
Use pam_lastlog with login(1).  Additionally, several bug fixes and
other changes have been applied to libpam, pam_lastlog, pam_securetty,
and login.  Please refer to the package change logs for details.

2001/11/16      Packages: SimplePAMApps, openssh, popa3d, screen,
               owl-setup
Use pam_tcb instead of pam_pwdb.

2001/11/15      Packages: pam, tcb
No longer build pam_unix, the tcb package will provide compatibility
symlinks instead.

2001/11/13      Package: screen
Updated to 3.9.10.

2001/11/13      Package: mktemp
Updated to 1.4 (uses $TMPDIR and a hard-coded template by default).

2001/11/12      Packages: tcb, shadow-utils, util-linux
This is the first in a series of changes needed for us to move to the
tcb password shadowing scheme (please refer to the tcb(5) manual page
for information on what tcb is about and why we designed it).  The tcb
package consists of three components: pam_tcb, libnss_tcb, and libtcb.
pam_tcb is a PAM module which supersedes pam_unix.  libnss_tcb is the
accompanying NSS module.  libtcb contains code shared by the PAM and
NSS modules and is also used by programs from the updated shadow-utils
package.  At the same time, the shadow suite (shadow-utils) has been
updated to version 4.0.0 with many additional fixes and modifications
and, of course, with tcb support added.  The non-tcb-specific changes
to shadow-utils include: optional mailbox creation in useradd(8), the
use of PAM with most user management commands (where that made sense),
support for arbitrary password hashing methods for group passwords set
with gpasswd(1), packaging of gshadow-aware versions of newgrp(1) and
sg(1) commands (previously, newgrp(1) was a part of our util-linux
package), numerous bug fixes and reliability improvements, and quite
likely new bugs.  chpasswd(8) and newusers(8) will now use PAM to set
passwords that haven't already been hashed.  Other commands which set
passwords will invoke the PAM password management stack to possibly
rebuild additional password databases.  chage(1), once enabled, will
now use PAM authentication which is by default set to require non-root
users to authenticate themselves prior to being allowed to see their
password aging information.  Other user management commands will now
support PAM authentication, too, although that isn't of much use given
that we don't officially support running user management commands on
behalf of trusted but not root-privileged users.

2001/11/09      Package: pam_userpass
Updated to 0.5 which is now stackable for password management as well
as authentication.  This is to be used by programs such as chpasswd(8)
and newusers(8).

2001/11/08      Package: netlist
New package: a program for regular users to list their active Internet
connections and listening sockets despite possible access restrictions
on /proc.

2001/11/08      Package: glibc
If syslog(3) is called by a SUID/SGID program without a preceding call
to openlog(3), don't blindly trust __progname for the syslog ident.
This situation may occur because of bad interaction between a program
and PAM modules where either a PAM module relies on the program to
have initialized logging or one or more of the PAM modules utilize
syslog calls followed by a call to closelog(3) and the program doesn't
bother to re-initialize its logging before making further calls to
syslog(3).  All of this is of course a consequence of PAM lacking a
logging framework.  Without this change to glibc, such situations
would go unnoticed while allowing malicious users to play games
with messages logged by privileged programs.

2001/11/08      Package: bison
Updated to 1.30.

2001/11/04      Package: pam_passwdqc
Updated to 0.4 which permits stacking of more than one instance of
the module (no statics).

2001/11/03      kernel
SECURITY FIX    Severity: none to medium, remote, active
Updated to Linux 2.2.20-ow1.  Compared to our previous recommended
kernel version/patch (2.2.19-ow3 or 2.2.19-ow4), Linux 2.2.20 adds a
workaround for a vulnerability with certain packet filter setups and
SYN cookies (http://cr.yp.to/syncookies.html) where the packet filter
rules could be bypassed.  Additionally, 2.2.20-ow1 moves even more of
the support for combined ELF/a.out setups (in particular, uselib(2)
and its related a.out library loaders) under the configuration option
introduced with 2.2.19-ow4.

2001/10/28      Package: popa3d
Updated to 0.5 which adds a popa3d(8) man page.

2001/10/24 -
2001/10/27      Package: bash
Updated to 2.05 with many additional fixes.

2001/10/22      kernel
RELIABILITY FIX: Updated to Linux 2.2.19-ow4 which fixes a symbol
export issue introduced with 2.2.19-ow3 and moves the support for ELF
executables which use an a.out format interpreter (dynamic linker)
into a separate configuration option (disabled by default).

2001/10/18      kernel
SECURITY FIX    Severity: low to high, local, active
A new revision of the Openwall Linux kernel patch, 2.2.19-ow3, is now
available.  It contains fixes for two Linux kernel vulnerabilities
discovered by Rafal Wojtczuk, and it is strongly recommended for use
with Owl.  One of the vulnerabilities affected SUID/SGID execution by
processes being traced with ptrace(2).  It was possible to trick the
kernel into recognizing an unsuspecting SUID root program as the
(privileged) tracer process.  Then, if that program would execute a
program supplied by the malicious user (with the user's credentials),
the user's program would inherit the ability to trace.  Fortunately,
there's no program that would meet all of the requirements for this
attack in the default Owl install.  However, certain supported
non-default configurations of Owl are affected.  In particular, if
newgrp(1) is made available to untrusted users (which is a supported
owl-control setting) or certain third-party software that contains SUID
root binaries is installed, the vulnerability may become exploitable and
result in a local root compromise.  The other vulnerability allowed for
an effective local DoS attack by causing the kernel to spend an almost
arbitrary amount of time on dereferencing a single symlink, without
giving a chance for processes to run.

2001/10/08      Packages: sysklogd, owl-etc
Updated sysklogd to 1.4.1.  Based the new klogd drop root patch on one
from CAEN Linux.  Added syslogd patches derived from CAEN Linux to
allow specifying a bind address for the UDP socket and to let syslogd
run as non-root.  klogd is now running chrooted to /var/empty (it has
been running as non-root since before Owl 0.1-prerelease).  syslogd is
now running as its dedicated pseudo-user, too.

2001/10/07      Packages: pam, openssh, screen;
               Owl/build/installorder.conf
Updated PAM to Red Hat's 0.75-10 plus our usual patches.  Replaced
pam_listfile with Michael Tokarev's implementation (see
http://archives.neohapsis.com/archives/pam-list/2000-12/0084.html).
Patched the new pam_chroot to catch the most common misuses which
would result in a security problem, updated its README and example
configuration file to discourage such misuses.  Moved development
libraries and header files into a subpackage, moved the main Linux-PAM
documentation into a documentation subpackage.

2001/10/06      Package: gpm
Updated to 1.19.6 with some additional fixes.

2001/10/03      Owl/doc/DOWNLOAD, Owl/doc/INSTALL
Documented the availability and installation instructions for ISO-9660
images of Owl CDs.

2001/10/02      Package: mktemp
Updated to 1.3.1 (built-in $TMPDIR support).

2001/09/27      Package: gzip
SECURITY FIX    Severity: low, local, passive
Patched unsafe temporary file handling in gzexe, zdiff, and znew based
on work by Todd Miller of OpenBSD.

2001/09/27      Package: openssh
SECURITY FIX    Severity: low to high, remote, passive to active
Updated to 2.9.9p2, which fixes three security issues compared to our
previous package version.  The issues are:
1. The "from=" restriction in ~/.ssh/authorized_keys2 could fail to
work when the file defines a mix of RSA and DSA keys.
2. A documentation problem that the authorized_keys* options didn't
restrict the use of sftp.  They do so now.  sftp has never been
enabled on Owl by default (it is owl-control'able).
3. As discovered by Yang Yu, the "echo simulation" traffic analysis
countermeasure produced an extra echo packet for the carriage return
after password entry.  That could serve as a traffic signature for
attackers.

2001/09/11      Package: popa3d
Updated to 0.4.9.4.  The same popa3d binary may now be run as a
standalone server as well as via xinetd; an /etc/xinetd.d file is
provided.  Parts of the daemon code are now run in a chroot jail.

2001/09/05      Package: man-pages
Updated to 1.39 with additional corrections.

2001/09/02      Package: groff
SECURITY FIX    Severity: none to high, remote, active
zen-parse has demonstrated a security problem with format string
processing in the plot command of pic(1) when groff is used with LPRng
on Red Hat Linux.  While Owl doesn't (yet?) include a print server,
our groff package did have the unfortunate pic(1) property and did
provide a print filter for use on potentially untrusted input by a
third-party print server package one could install.  This has now been
corrected.  A patch by Sebastian Krahmer of SuSE Security Team has
been applied to pic(1) to restrict the format string processing.  The
print filter has been dropped from the package.  Additionally, the
package has been updated to 1.17.2.

2001/09/02      Package: popa3d
Updated to 0.4.9.2.

2001/08/30      Package: xinetd
Updated to 2.3.3.

2001/07/30      Package: pam
RELIABILITY FIX: Fixed a double-free bug in pam_pwdb which caused it
to segfault after successful password changes in some cases.  The bug
was specific to Owl. :-(  Fortunately, this had no security impact as
the memory area was zeroed out before the second call to free(3) such
that no user input would reach it.

2001/07/28      Package: owl-cdrom
New package: directory hierarchy changes and additional files needed
for Owl bootable CD-ROMs.

2001/07/27      Package: links
Updated to 0.96.

2001/07/05 -
2001/07/22      Package: xinetd
SECURITY FIX    Severity: none to high, remote, active
Performed an audit of the xinetd source code for several classes of
vulnerabilities, and applied _many_ security and reliability fixes.
The patch is 100 KB large.  See AUDIT in the package documentation.
None of the vulnerabilities are known to affect the default xinetd
configuration on Owl.

2001/07/18      Package: vixie-cron
Added support for /etc/cron.d directory.

2001/07/12      Package: gdb
New package: the GNU debugger.

2001/07/12      Package: scanlogd
New package: a tool to detect and log TCP port scans.

2001/07/11      Packages: openssl, openssh
Updated OpenSSL to 0.9.6b.

2001/07/10      Package: tar
RELIABILITY FIX: There was a bug which caused tar to loop endlessly on
a read error when verifying archives (this affected both -W, --verify,
and -d, --diff, --compare).  The bug is now fixed.  Additionally, the
package has been updated to 1.13.19 with other patches needed for this
new version.

2001/07/06      Package: openssl
SECURITY FIX    Severity: none to medium, remote, passive to active
Applied patches provided by the OpenSSL team to correct a PRNG
weakness which under unusual circumstances could allow an attacker to
determine internal state of the PRNG and thus to predict future PRNG
output.  This problem has been discovered and reported to the OpenSSL
team by Markku-Juhani O. Saarinen.  No applications are known to be
affected at this time.

2001/06/29      Package: xinetd
SECURITY FIX    Severity: none to high, remote, active
Updated to 2.3.0, which fixes the problem with xinetd's string
handling routines discovered by Sebastian Krahmer of SuSE Security
Team.  This should complete an earlier security fix to the buffer
overflow in the xinetd logging code discovered by zen-parse.  The
buffer overflow could be triggered by a remote attacker via xinetd's
ident (RFC 1413) lookup feature and could allow for the execution of
arbitrary code as the user xinetd is running as (typically root).
ident lookups are and have always been disabled in the Owl xinetd
package by default.

2001/06/29      Owl/doc/fr/*
Updated French translations, from Denis Ducamp.

2001/06/29      Package: mktemp
Switched to packaging the portable mktemp, now that Todd Miller
maintains it in addition to the OpenBSD-specific version. :-)

2001/06/27      Package: gpm
SECURITY FIX    Severity: none to low, physical, active
The mouse event handler gpm-root, if enabled, handled user-supplied
configuration files unsafely, allowing a user with physical access to
the mouse to gain root privileges on the running system.  gpm-root was
never started on Owl by default, and has now been moved to a separate
subpackage which would need to be explicitly enabled to build.  The
support for user-supplied configuration files is now patched out and
the documentation is updated accordingly.  Additionally, many gpm-root
reliability bugs including the format string bug reported by Colin
Phipps to Debian (http://bugs.debian.org/102031) have been fixed.

2001/06/25      Package: quota
New package: tools for monitoring users' disk usage and managing disk
usage quotas.

2001/06/24      Owl/doc/CHANGES
New file: the system-wide change log will now be maintained.

2001/06/21      Owl build environment
First attempt at supporting multiple branches.

2001/06/21 -
2001/06/23      Package: owl-setup
RELIABILITY FIX: Set the domain in /etc/resolv.conf, ensure the newly
created /etc/resolv.conf and /etc/hosts are mode 644.

2001/06/20      Package: tcsh
Updated to 6.10.01 which includes a number of minor bugfixes.

2001/06/18      Package: pwdb
Updated to 0.61.1 which adds some header files.

2001/06/17      Package: libnet
Support alpha* targets other than plain alpha (don't even try to check
for unaligned accesses when building for an Alpha).

2001/06/17      Package: man-pages
Updated to 1.38.

2001/06/15      Package: shadow-utils
DOCUMENTATION FIX: Rewrote most of the login.defs(5) man page and
enabled its packaging.  Added more defaults to /etc/login.defs, added
a reference to login.defs(5).  Fixed a bug in the lastlog(8) man page
reported by Jarno Huuskonen.

2001/06/14      Package: openssh
SECURITY FIX    Severity: none to low, remote, active
Prevent additional timing leaks with null passwords (when allowed).
The default OpenSSH server configuration on Owl doesn't allow null
passwords, making this a non-issue (not that it's much of an issue
either way).  When null passwords were allowed, the old package made
it somewhat easier for a remote attacker to check whether a username
is valid.

2001/06/14      Package: pam_userpass
RELIABILITY FIX: Deal with null passwords correctly.  Before this
change null passwords wouldn't work even when allowed for a service.

2001/06/13      Package: glibc
Back-ported a patch from the CVS to handle unaligned relocations on
Alpha.  Owl is now able to rebuild all of its packages on an Alpha
without causing a single unaligned trap.
References:
http://bugs.debian.org/43401
http://gcc.gnu.org/ml/gcc/1999-07n/msg00968.html
http://gcc.gnu.org/ml/gcc/1999-07n/msg01041.html

2001/06/12      Package: rpm
Updated to 3.0.6.

2001/06/12      Package: screen
SECURITY FIX    Severity: low, local, passive
Updated to 3.9.9, patched the unsafe temporary file handling in the
configure script (which made it unsafe to _build_ screen).

2001/06/12      Package: xinetd
Updated to 2.1.8.9pre15.  With includedir, skip all files with names
containing a dot ('.') or ending with a tilde ('~'); this replaces the
Red Hat Linux derived patch.  Minor man page fixes.

2001/06/11      Package: openssh
SECURITY FIX    Severity: low, local, active
Switch credentials when cleaning up temporary files and sockets to fix
the vulnerability reported by zen-parse on Bugtraq which could allow a
local user to remove files named "cookies" located anywhere on the
system.  The patch is by Markus Friedl (intended for testing only)
with a later OpenSSH CVS change added and two bugs fixed.

2001/06/10 -
2001/06/13      Package: dialog
Updated to 0.9a-20010527 with minor bugfixes.

2001/06/07      Package: links
New package: a Lynx-like text WWW browser with support for frames.

2001/06/04      Owl/doc/CONTACT
New file: explains Owl public mailing lists (only owl-users at the
moment) and e-mail contacts.

2001/06/04      Package: logrotate
Enabled the daily cron job now that we have /etc/cron.daily (finally).
If log compression is requested, use gzip at its default compression
level (no "-9").

2001/06/03      Package: glibc
SECURITY FIX    Severity: low to medium, local, passive
Synced the fts(3) routines with current OpenBSD and FreeBSD; this is
triggered by Nick Cleaton's report of yet another FTS vulnerability
to FreeBSD, and a discussion with Kris Kennaway and Todd Miller.  It
should no longer be possible to trick FTS into leaving the intended
directory hierarchy, but DoS attacks on FTS itself remain possible.
The FTS code is used by software ported from BSD, including the Owl
mtree package.  GNU software uses other implementations, several of
which will need fixing as well (our findutils package has included a
fix since before the 0.1-prerelease, but there's room for improvement).

2001/06/03      Package: glibc
DOCUMENTATION FIX: Updated to crypt_blowfish-0.4.1 which includes a
crypt.3 man page that is more friendly to makewhatis.

2001/05/30      Package: gnupg
SECURITY FIX    Severity: high, remote, passive
Updated to 1.0.6, which includes a fix to the format string
vulnerability discovered by fish stiqz of Synnergy Networks.  This
vulnerability can allow a (possibly remote) attacker to execute
arbitrary code as the user who attempted decryption of a specially
crafted file.  While the potential impact of this vulnerability is
high, the chances of its successful exploitation in a real-world
attack are low due to technical and social reasons.

2001/05/29      Packages: SysVinit, xinetd, owl-startup
SECURITY FIX    Severity: none to medium, local, passive to active
Ensure the umask is no less restrictive than 022 when starting
programs from init, start-stop-daemon, and xinetd.  Set umask to 077
in daemon() for the case when a service is started manually rather
than from rc.sysinit.  Of these, only the xinetd behavior was a real
vulnerability on setups we support (Owl with third-party services
installed).  The change to init is only critical when running certain
2.4.x Linux kernel versions, which we don't yet support.  The changes
to start-stop-daemon and owl-startup are redundant.
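
The "no less restrictive than 022" rule above, shown as an added C
example (not code from the Owl patches): the launcher ORs a floor into
whatever umask it inherited, so a stricter inherited umask is kept.
The function names and the scratch file name are assumptions made for
this illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Raise the umask so it masks at least the bits in `floor`; bits already
 * masked are kept, nothing is loosened.  Returns the umask now in effect. */
mode_t enforce_min_umask(mode_t floor)
{
    mode_t old = umask(077);    /* umask(2) can only be read by setting it */
    mode_t now = (old | floor) & 0777;
    umask(now);
    return now;
}

/* Create `path` requesting mode 0666, as a careless service would, and
 * return the permission bits it actually got, or (mode_t)-1 on error. */
mode_t created_mode(const char *path)
{
    struct stat st;
    int fd, rc;
    unlink(path);
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (fd < 0)
        return (mode_t)-1;
    rc = fstat(fd, &st);
    close(fd);
    unlink(path);
    return rc == 0 ? (mode_t)(st.st_mode & 0777) : (mode_t)-1;
}

/* Simulate a launcher that inherited umask `inherited`; report the mode of
 * a file the started service creates, with or without the 022 floor. */
mode_t mode_after_launch(mode_t inherited, int harden, const char *path)
{
    umask(inherited);
    if (harden)
        enforce_min_umask(022);
    return created_mode(path);
}

int main(void)
{
    const char *p = "umask-demo.tmp";   /* constructed scratch file name */
    printf("inherited 000, no floor: %04o\n", (unsigned)mode_after_launch(0, 0, p));
    printf("inherited 000, floor:    %04o\n", (unsigned)mode_after_launch(0, 1, p));
    printf("inherited 077, floor:    %04o\n", (unsigned)mode_after_launch(077, 1, p));
    return 0;
}
```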

2001/05/27      Package: gawk
SECURITY FIX    Severity: low, local, passive
Patched unsafe temporary file handling in igawk, based on report and
patch from Jarno Huuskonen (updated the igawk example in the texinfo
documentation for gawk, which is used as the source for building the
final igawk script).  This is a very minor security problem as igawk
is hardly ever used.

2001/05/27 -
2001/06/19      Package: popa3d
RELIABILITY FIX: Updated from an earlier development version to 0.4.9
and later to 0.4.9.1.

2001/05/23      Package: sysklogd
SECURITY FIX    Severity: none to medium, local, active
Back-ported a klogd DoS fix from 1.4.1, thanks to the reports from
Jarno Huuskonen and Thomas Roessler who initially reported the problem
to Debian (see http://bugs.debian.org/85478).  The problem would only
show up when the kernel or a kernel module incorrectly passes a NUL
byte for logging.  Linux 2.2.19 isn't known to have bugs like this;
some Linux 2.4.x kernels are.

2001/05/18      Owl/doc/CREDITS
New file: presents our development team and others involved with Owl.

2001/05/18 -
2001/05/25      Package: crontabs
New package: system crontab files which provide the /etc/cron.daily,
weekly, and monthly files as required by the LSB specification draft,
plus /etc/cron.hourly found on Red Hat Linux.  The package is based on
a modified version of the run-parts program derived from Debian.

2001/05/18 -
2001/06/12      Package: man
Updated to 1.5i and later to 1.5i2.  These versions are meant to fix
the published ways to attack man when it is installed SUID/SGID, but
the fixes are imperfect by design.  Owl has never installed man SUID
or SGID.  Additionally, our makewhatis script has been fixed since
before we released.  Thus, this isn't a security update.

2001/05/15      Owl/doc/fr/*
New files: French translations of the documentation, from Denis Ducamp.

$Owl: Owl/doc/CHANGES-1.0,v 1.10 2008/01/21 13:31:13 solar Exp $