This file lists the major changes made between Owl releases.  While
some of the changes listed here may also be made to a stable branch,
the complete lists of stable branch changes are included with those
branches and as errata for the corresponding Owl releases only.

This is very far from an exhaustive list of changes.  Small changes to
individual packages won't be mentioned here unless they fix a security
or a critical reliability problem.  They are, however, mentioned in
change logs for the packages themselves.

Security fixes have a "Severity" specified for the issue(s) being fixed.
The three comma-separated metrics given after "Severity:" are: risk
impact (low, medium, or high), attack vector (local, remote, or
indirect), and whether the attack may be carried out at will (active) or
not (passive).  Please note that the specified risk impact is just that;
it is not the overall severity, so other metrics are not factored into
it.  For example, a "high" impact "local, passive" issue is generally of
lower overall severity than a "high" impact "remote, active" one - this
is left up to our users to consider given their specific circumstances.

Per our current conventions, a Denial of Service (DoS) vulnerability is
generally considered to have a "low" risk impact (even if it is a
"remote, active" one, which is to be considered separately as it may
make the vulnerability fairly critical under specific circumstances).
Some examples of "medium" impact vulnerabilities would be bugs enabling
non-critical information leaks, cryptographic signature forgeries,
and/or sending of or accepting spoofed/forged network traffic (where
such behavior was unexpected), as long as they would not directly allow
for a "high" impact attack.  Finally, a typical "high" impact
vulnerability would allow for privilege escalation, such as the ability
to execute code as a user ID other than the attacker's (a "local"
attack) or without "legitimately" having such an ability (a "remote"
attack).

The metrics specified are generally those for a worst case scenario.
However, in certain cases ranges such as "none to low" and/or "local to
remote" may be specified, referring to the defaults vs. a worst case yet
"legitimate" custom configuration.  In some complicated cases, multiple
issues or attacks may be dealt with at once.  When those differ in their
severity metrics, we use slashes to denote the possible combinations.
For example, "low/none to high, remote/local" means that we've dealt
with issue(s) or attack(s) that are "low, remote" and those that are
"none to high, local".  In those tricky cases, we generally try to
clarify the specific issue(s) and their severities in the description.
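
The notation described above can be read mechanically.  The following
Python code is an added example, not part of Owl or its tooling: it
expands a "Severity:" value into (default, worst case) combinations and
uses them to triage entries.  The function names, the rule that a metric
given once applies to every slash alternative, and the sample (headers
and Severity lines copied from this file, descriptions omitted) are
assumptions of the example.

```python
import re
from typing import NamedTuple

# Vocabulary from the severity description above; "none" occurs only as
# the low end of ranges such as "none to low".
IMPACT = {"none", "low", "medium", "high"}
VECTOR = {"local", "remote", "indirect"}
ACTIVITY = {"active", "passive"}


class Rating(NamedTuple):
    # Each metric is a (default, worst_case) pair; both equal if no range.
    impact: tuple
    vector: tuple
    activity: tuple


def _parse_value(text, allowed):
    """Parse 'high' or 'none to high' into a (default, worst_case) pair."""
    ends = [p.strip() for p in text.split(" to ")]
    if not 1 <= len(ends) <= 2 or any(e not in allowed for e in ends):
        raise ValueError(f"bad metric value: {text!r}")
    return (ends[0], ends[-1])


def parse_severity(line):
    """Expand one 'Severity:' value into the list of Ratings it denotes."""
    value = line.split("Severity:", 1)[-1]
    fields = [" ".join(f.split()) for f in value.split(",")]
    if len(fields) != 3:
        raise ValueError(f"expected three metrics: {line!r}")
    # "/" separates alternatives and binds more loosely than "to".
    alts = [[_parse_value(a, allowed) for a in field.split("/")]
            for field, allowed in zip(fields, (IMPACT, VECTOR, ACTIVITY))]
    n = max(len(a) for a in alts)
    if any(len(a) not in (1, n) for a in alts):
        raise ValueError(f"mismatched slash alternatives: {line!r}")
    # Alternatives pair up by position; a metric given once applies to
    # every combination (assumption of this example).
    return [Rating(*(a[i] if len(a) > 1 else a[0] for a in alts))
            for i in range(n)]


# Entry header: date, two or more spaces, then the subject.  The first
# line of a date range ("2010/08/30 -") does not match, so the end date
# is the one reported.
HEADER = re.compile(r"^(\d{4}/\d{2}/\d{2})\s{2,}(\S.*)$")


def security_fixes(changelog):
    """Yield (date, subject, [Rating, ...]) for each SECURITY FIX entry."""
    date = subject = None
    in_header = False
    for line in changelog.splitlines():
        m = HEADER.match(line)
        if m:
            date, subject, in_header = m.group(1), m.group(2).strip(), True
        elif in_header and line.startswith("SECURITY FIX"):
            yield date, subject, parse_severity(line)
            in_header = False
        elif in_header and line[:1].isspace() and line.strip():
            subject += " " + line.strip()  # wrapped subject line
        else:
            in_header = False


def needs_urgent_review(ratings):
    """True if some combination is 'high, remote, active' at worst case."""
    return any((r.impact[1], r.vector[1], r.activity[1]) ==
               ("high", "remote", "active") for r in ratings)


def affects_defaults(ratings):
    """False when every combination's default-install impact is 'none'."""
    return any(r.impact[0] != "none" for r in ratings)


# Sample input: headers and Severity lines copied from this change log,
# entry descriptions omitted.
SAMPLE = """\
2010/12/13      Package: perl
SECURITY FIX    Severity: none to high, remote, active

2010/12/06      Package: man-pages
Updated to 3.32.

2010/11/30      Package: cvs
SECURITY FIX    Severity: none to medium, local, passive to active

2010/03/22      kernel;
                Owl/build/buildkernel.sh;
                Package: owl-cdrom
SECURITY FIX    Severity: none to high, remote, active

2009/08/23      kernel
SECURITY FIX    Severity: none to high/medium, local, active
"""

if __name__ == "__main__":
    for date, subject, ratings in security_fixes(SAMPLE):
        print(date, subject, "| urgent:", needs_urgent_review(ratings),
              "| affects defaults:", affects_defaults(ratings))
```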


       Changes made between Owl 2.0 and Owl 3.0.

2010/12/13 -
2010/12/14      Owl/build/{installworld.sh,installorder.conf}
Various corrections were made to "make installworld" to better support
upgrades from ("installs over") Owl 2.0.

2010/12/13      Package: perl
SECURITY FIX    Severity: none to high, remote, active
Added security fix backports found in Red Hat's 5.8.8-32.el5.2.  These
are for a double-free bug triggerable via malicious regexps with UTF-8
characters (CVE-2008-1927), Safe.pm restrictions bypass (CVE-2010-1168),
and race conditions in the rmtree function in File::Path (CVE-2008-5302,
CVE-2008-5303).  Despite these fixes, we recommend that regexps not
be obtained or formed from untrusted input, Safe.pm not be used at all
(it is regarded by many as a failed experiment and is a candidate for
removal from the core Perl distribution), and rmtree not be used on
directory trees potentially under an attacker's control.
References:
http://rt.perl.org/rt3/Public/Bug/Display.html?id=48156
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1927
http://www.openwall.com/lists/oss-security/2010/05/20/5
https://www.mail-archive.com/debian-bugs-rc@lists.debian.org/msg220612.html
https://rhn.redhat.com/errata/RHSA-2010-0458.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1168
http://www.openwall.com/lists/oss-security/2008/11/28/2
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5302
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5303

2010/12/09      Packages: owl-cdrom, owl-setup
Added a new boot label called "safe" to the CD boot menu.  Currently, this
adds the "acpi=ht" kernel parameter (for machines that have problems
with ACPI support), which "settle" propagates into the installed system.

2010/12/08      Package: kernel
SECURITY FIX    Severity: medium to high, local, active
Updated the kernel to OpenVZ's latest from their "RHEL5 testing" branch
(2.6.18-194.26.1.el5.028stab079.1).  Fixed "dangerous interaction
between clear_child_tid, set_fs(), and kernel oopses" (CVE-2010-4258,
problem discovered and fix proposed by Nelson Elhage of Ksplice).
Merged many security-relevant patches from Red Hat's 2.6.18-236.el5
(mostly for infoleaks discovered by Dan Rosenberg, as well as his patch
introducing the dmesg_restrict sysctl and
CONFIG_SECURITY_DMESG_RESTRICT).  Merged Red Hat's fix for "Bug 614957 -
ext4: mount error path corrupts slab memory" (the bug could be triggered
by a sysadmin making a typo in a "mount" command or in /etc/fstab).
References:
https://openvz.org/Download/kernel/rhel5-testing/028stab079.1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4258
http://www.openwall.com/lists/oss-security/2010/12/02/3
http://www.openwall.com/lists/oss-security/2010/12/02/7
http://www.openwall.com/lists/oss-security/2010/12/08/4
https://rhn.redhat.com/errata/RHSA-2010-0839.html
https://rhn.redhat.com/errata/RHSA-2010-0723.html
https://bugzilla.redhat.com/show_bug.cgi?id=614957

2010/12/06      Package: vim
Updated to 7.3 patchlevel 75.  Moved most syntax highlighting files and
translations of VIM messages to separate subpackages that are not to be
installed by default.

2010/12/06      Package: man-pages
Updated to 3.32.

2010/12/04      Package: postfix
Updated to 2.4.15.

2010/12/04      Packages: bash, tcsh
The default shell prompts have been revised to be directly reusable on
ssh and scp command-lines.

2010/11/30      Package: cvs
SECURITY FIX    Severity: none to medium, local, passive to active
Applied upstream's fix to an array index error, leading to a heap-based
buffer overflow, found in the way CVS applied certain delta fragment
changes from input files in the RCS (Revision Control System) file
format.  If an attacker in control of a CVS repository stored a
specially-crafted RCS file in that repository, this could result in
arbitrary code execution with the privileges of the CVS server process
on the system hosting the CVS repository when a remote user eventually
checks out a revision of the affected file.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3846
http://cvs.savannah.gnu.org/viewvc/cvs/ccvs/src/rcs.c?r1=1.262.4.65&r2=1.262.4.66
https://bugzilla.redhat.com/show_bug.cgi?id=642146

2010/11/25      Package: xz
Updated to 5.0.0.

2010/11/25      Package: lftp
Updated to 4.1.1.

2010/11/15      Package: man-pages
Updated to 3.31.

2010/11/15      Package: smartmontools
Updated to 5.40.

2010/11/15      Package: SysVinit
Updated to 2.88dsf.

2010/11/09      Package: man-pages
Updated to 3.30.

2010/11/09      Package: iptables
Updated to 1.4.10.

2010/11/05      Package: cdrkit
Updated to 1.1.11.

2010/10/31      Package: gnupg
Updated to 1.4.11.

2010/10/27      Package: man-pages
Updated to 3.29.

2010/10/27      Package: hdparm
Updated to 9.35.

2010/10/18      Package: pam
SECURITY FIX    Severity: none to medium, local, active
Updated to 1.1.2+ snapshot 20101011.  This code revision introduces the
proper privilege switching into pam_env, pam_mail, and pam_xauth.  None
of these modules are in use on default installs of Owl, and they never
were, hence there was no impact for default installs.
References:
http://www.openwall.com/lists/oss-security/2010/08/16/2
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3316
http://www.openwall.com/lists/oss-security/2010/09/21/3
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3435
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3430
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3431

2010/10/06 -
2010/10/16      Package: vim
Updated to 7.3 patchlevel 21 and made numerous changes to the package.

2010/10/15      Package: ncurses
Updated to 5.7-20101009.

2010/10/15      Package: flex
Updated to 2.5.35.

2010/10/11      Package: diffstat
Updated to 1.54.

2010/10/07      Package: man-pages
Updated to 3.28.

2010/10/07      Package: ed
Updated to 1.5.

2010/10/07      Package: hdparm
Updated to 9.33.

2010/10/04      Package: binutils
Updated to 2.20.51.0.11.

2010/09/24      Package: hdparm
Updated to 9.32.

2010/09/24      Package: kernel
SECURITY FIX    Severity: high, local, active
Updated the kernel to OpenVZ's latest from their "RHEL5 testing" branch
(2.6.18-194.11.3.el5.028stab071.5).  Added a fix for the
compat_alloc_user_space() function missing sanity checks (CVE-2010-3081)
from OpenVZ's 028stab070.5 (the same as Red Hat's from their -194.11.4
RHEL5 kernel).  This was a "local root" vulnerability on 64-bit kernels
built with 32-bit compatibility enabled.
References:
https://openvz.org/Download/kernel/rhel5-testing/028stab071.5
https://openvz.org/Download/kernel/rhel5/028stab070.5
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3081
https://bugzilla.redhat.com/show_bug.cgi?id=634457
https://rhn.redhat.com/errata/RHSA-2010-0704.html
https://access.redhat.com/articles/40258

2010/09/21      Package: grep
Updated to 2.7.

2010/09/21      Package: bzip2
SECURITY FIX    Severity: high, indirect, passive
Updated to 1.0.6.  This release fixes an integer overflow vulnerability
discovered by Mikolaj Izdebski in the BZ2_decompress function in
bzip2/libbz2.  An attacker could use the vulnerability to crash bzip2 or
an application using libbz2 or potentially to execute arbitrary code via
a crafted "bzip2-compressed" file.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0405
https://xorl.wordpress.com/2010/09/21/cve-2010-0405-bzip2-integer-overflow/

2010/09/02 -
2010/09/18      Package: pam_mktemp
Revised pam_mktemp in multiple ways mostly relevant to (re)uses of this
module on systems other than Owl.

2010/09/06      Package: rpm
Backported xz/lzma support for Source and Patch files, as well as for
package payloads.

2010/09/06      Package: xz
New package: data compression library and a set of gzip-style tools for
working with files compressed with the Lempel-Ziv-Markov chain algorithm
(LZMA).  It supports two formats: .xz and the older .lzma format.

2010/09/06      Package: lftp
Updated to 4.0.10.

2010/09/01 -
2010/09/03      Packages: openssh, owl-cdrom, owl-dev, owl-setup,
               owl-startup, rpm, iputils
Assorted minor improvements have been made and/or bugfixes applied to
these Owl packages (as usual, more detail is available in the packages'
change logs).

2010/08/30 -
2010/09/03      Package: kernel
SECURITY FIX    Severity: low to high, local, active
Updated the kernel to OpenVZ's latest from their "RHEL5 testing" branch
(2.6.18-194.11.3.el5.028stab071.3), applied some additional bugfixes,
and of course preserved our usual changes.  Enabled CONFIG_FUSION_* and
CONFIG_PCNET32 (as modules) for easier Owl installation into VMware and
VirtualBox VMs.
References:
https://openvz.org/Download/kernel/rhel5-testing/028stab071.3
https://openvz.org/Download/kernel/rhel5-testing/028stab071.2
https://openvz.org/Download/kernel/rhel5/028stab070.4
https://rhn.redhat.com/errata/RHSA-2010-0661.html
https://rhn.redhat.com/errata/RHSA-2010-0610.html
http://www.openwall.com/lists/oss-security/2010/08/16/1
http://www.openwall.com/lists/oss-security/2010/08/27/1
http://www.openwall.com/lists/oss-security/2010/08/30/3

2010/08/19 -
2010/09/01      Package: m4
Updated to 1.4.15.

2010/09/01      Package: file
Updated to 5.04.

2010/09/01      Package: acct
Updated to 6.5.4.

2010/08/30      Package: vsftpd
Updated to 2.3.2.

2010/08/29      Package: mktemp
Updated to 1.7.

2010/08/29      Package: hdparm
Updated to 9.30.

2010/08/28      Package: ltrace
Updated to 0.5.3-2.1.

2010/08/27      Package: grep
Updated to 2.6.3.

2010/08/27      Package: sed
Updated to 4.2.1.

2010/08/24      Package: iptables
Updated to 1.4.9.1.

2010/08/24      Package: cdrkit
Updated to 1.1.10.

2010/08/24      Package: gawk
Updated to 3.1.8.

2010/08/24      Package: diffstat
Updated to 1.53.

2010/08/19      Package: man
Updated to 1.6f.

2010/08/19      Package: man-pages
Updated to 3.25.

2010/08/18      Package: bison
Updated to 2.4.3.

2010/08/18      Package: diffutils
Updated to 3.0.

2010/08/17      Package: e2fsprogs
Updated to 1.41.12.

2010/07/29      Package: lftp
Updated to 4.0.9.

2010/07/28      Package: postfix
Updated to 2.4.14.

2010/07/28      Package: openssh
The SSH client will now use protocol 2 by default (finally).

2010/07/27      Packages: owl-startup, modutils
/etc/rc.d/rc.sysinit has been enhanced and corrected in numerous ways:
it will disable the console screensaver (such that datacenter staff may
see the last console messages without connecting a keyboard or even if
the system freezes), distinguish more kinds of fsck exit codes and act
accordingly, and use "depmod -A" instead of "depmod -a" (to avoid
rebuilding of kernel module dependencies unnecessarily).  The default
/etc/sysctl.conf will now explicitly set vm.mmap_min_addr to a
reasonable non-zero value (currently 96 KB), not relying on the kernel
to have a similar default anymore (although our kernel does).

2010/07/19 -
2010/07/28      Packages: owl-setup, owl-etc, owl-hier;
               Owl/build/install{iso,vz}tree.sh
Added ext4 filesystem support - in fact, "settle" (the Owl installer
program) will now offer ext4 by default, with ext3 and ext2 still
available as non-default per-filesystem choices.  Made the menus,
prompts, and messages of both "settle" and "setup" hopefully more
intuitive by clearly indicating which steps are optional, required, or
recommended (and the like), having a bit fewer menu items (where some
could be dropped or replaced without a loss of functionality for any of
our users), revising menu item names and hint messages, and offering
likely-correct inputs as defaults.  Revised the console font/map presets
for Cyrillic and Western European encodings.  Almost all on-disk
filesystems are now mounted with "noatime" by default (for better
performance), and a /sys mountpoint and fstab entry (for sysfs) are now
created by default (with "noauto").

2010/07/24      Package: owl-cdrom
Revised the LILO boot menu, leaving only two boot targets: "normal" and
"rescue".  This makes use of the new kernel's boot CD/DVD drive device
autodetection.  Revised the "welcome" script to reflect other changes,
and enhanced it in numerous minor ways.

2010/07/17 -
2010/07/21      Packages: kernel, lilo, owl-cdrom, owl-setup;
               Owl/build/{install*.sh,Makefile}; Owl/doc/*
SECURITY FIX    Severity: none to high, local, active
Updated the kernel to OpenVZ's latest from their rhel5 branch
(2.6.18-194.8.1.el5.028stab070.2) with minor additional changes in Owl.
As usual, this kernel version contains a number of security fixes
(mostly backports made by Red Hat).  The security impact of
CVE-2010-0291 ("mremap/mmap mess"), if any, on x86 and x86-64 systems is
difficult to determine.  The remaining issues fixed were NULL pointer
dereferences (the impact of which had been reduced to a DoS due to
vm.mmap_min_addr) and/or were in kernel subsystems not built on Owl by
default.  At the same time as making this update, the kernel has been
RPM-packaged, but in a way allowing for easy non-packaged builds as well
(there are only two cumulative patch files).  AHCI vs. Marvell PATA
driver co-existence fixes have been backported from Linux 2.6.34.1.
Boot CD/DVD drive device autodetection has been implemented (needed to
locate the root filesystem when booting off a CD/DVD with LILO).  ext4
filesystem support has been enabled.
References:
https://openvz.org/Download/kernel/rhel5/028stab070.2
https://rhn.redhat.com/errata/RHSA-2010-0504.html

2010/06/14      Package: john
Updated to 1.7.6, including usability improvements relevant to the Owl
package of John the Ripper.

2010/06/07      Package: tcb
Updated to 1.0.6.

2010/05/04      Package: lftp
SECURITY FIX    Severity: high, remote, passive
Updated to 4.0.7.  This changes the default behavior of lftp(1) and the
lftpget(1) script to no longer trust and use a possible server-provided
filename instead of the user-specified download filename.
Reference:
https://ocert.org/advisories/ocert-2010-001.html

2010/04/14      Package: strace
Updated to 4.5.20.

2010/03/27      Package: passwdqc
In passwdqc 1.2.1, a password strength check has been adjusted to no
longer subject certain passwords that start with a digit and/or end with
a capital letter to an unintentionally stricter policy.

2010/03/22      kernel;
               Owl/build/buildkernel.sh;
               Package: owl-cdrom
SECURITY FIX    Severity: none to high, remote, active
Updated the kernel to OpenVZ's latest from their "rhel5" branch
(2.6.18-164.11.1.el5.028stab068.5 released on 2010/03/18) with Red Hat's
patches up to 2.6.18-164.15.1.el5 added (apparently prepared by Red Hat
on 2010/03/01, released and announced on 2010/03/16), and with some
minor changes of our own.  We call the resulting kernel version
2.6.18-164.15.1.el5.028stab068.5-owl1.  Compared to earlier "rhel5"
kernels, this update fixes a large number of vulnerabilities of varying
impact in various kernel subsystems, which may or may not have been
exposed in specific circumstances.

2010/03/11 -
2010/03/21      Packages: tar, cpio
SECURITY FIX    Severity: high, indirect, passive
Updated tar to 1.23, which includes a fix for the heap-based buffer
overflow in the rmt client functionality (CVE-2010-0624), and applied
a fix for the same vulnerability to cpio.  The attack would require
either that an rmt server being used by tar or cpio on purpose is
compromised first (by other means) or that these tools are fooled into
accessing a malicious rmt server, such as via having them run on a
malicious filename.  The latter risk was mitigated by tar's default to
use ssh for the --rsh-command and by ssh defaulting to asking the user
before accepting an unrecognized host key.  In cpio's case, it was
mitigated by cpio requiring the --rsh-command option to use rmt.  With
our update to tar, we have also patched it to require its --rsh-command
option to use rmt (just like cpio does), and we applied a number of
post-release fixes for regressions introduced in the 1.23 release.
References:
http://www.agrs.tu-berlin.de/index.php?id=78327
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0624
http://lists.gnu.org/archive/html/bug-tar/2010-03/msg00036.html

2010/03/20      Package: hdparm
Updated to 9.28.

2010/03/20      Package: pciutils
Updated to 3.1.7.

2010/03/19      Package: libnids
Updated to 1.24.

2010/03/13 -
2010/03/16      Package: passwdqc
Enhanced passwdqc in numerous ways bringing it up to version 1.2.0.

2010/03/15      Package: quota
Updated to 3.17.

2010/03/05      Package: tcsh
Updated to 6.17.00.

2010/02/26      Package: john
Several minor features were added and usability improvements made to
John the Ripper, bringing it up to version 1.7.5.

2010/02/11 -
2010/02/25      Package: tcb
Updated to 1.0.5.

2010/02/15      Package: vim
Updated to 7.2 patchlevel 351.  Introduced new subpackages -spell and
-tutor (not installed by default).

2010/02/11      Package: glibc
Replaced linuxthreads with NPTL.

2010/02/02      Package: gzip
Updated to 1.4.

2010/01/28      Owl/build/{Makefile,installworld.conf,installworld.sh,
               installvztree.sh,makevztemplate.sh}
Implemented "make vztemplate" - a make target to easily generate OpenVZ
container templates of the Owl userland.  The resulting templates may be
used on Owl and/or on other Linux systems with OpenVZ.

2010/01/24 -
2010/01/28      Package: nmap
Updated to 5.21 with our usual enhancements for privilege reduction.

2010/01/21 -
2010/01/26      Package: pciutils
Updated to 3.1.6.

2010/01/20      Package: gzip
SECURITY FIX    Severity: none to high, indirect, passive
Applied upstream's fix for an integer underflow leading to an array
index error in the way gzip used to decompress data compressed with the
Lempel-Ziv-Welch (LZW) compression algorithm.  An attacker could provide
a specially-crafted LZW-compressed gzip archive, which once decompressed
by an unsuspecting user on a 64-bit system would lead to a gzip crash or
potentially to arbitrary code execution with the privileges of the user
running gzip.
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0001

2009/12/17 -
2010/01/18      Package: john
John the Ripper has been enhanced in numerous ways, bringing it up to
version 1.7.4.2.  Functionality and performance of the word mangling
rules engine have been improved, the default rulesets and the bundled
common passwords list have been revised, performance with very large
password files or sets of files has been improved, and idle priority
has been enabled by default.
References:
http://www.openwall.com/lists/announce/2009/12/26/1
http://www.openwall.com/lists/announce/2010/01/19/1

2009/11/30      Package: libtool
SECURITY FIX    Severity: none to high, local, passive
Applied upstream's backport of libltdl changes from the libtool 2.26b
release: no longer attempt to dlopen() the old_library listed in .la
files, and do not open module.la files from the current directory.
No Owl packages use libltdl and therefore none are vulnerable, but
third-party software could be abused by e.g. creating a malicious .la
file and tricking a privileged user into executing a libltdl-based
application in the same directory.
References:
http://lists.gnu.org/archive/html/libtool/2009-11/msg00059.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736

2009/11/28      Package: rpm;
               Owl/build/buildworld.sh;
               Owl/doc/{ARCHITECTURES,BUILD}
On 32-bit x86, packages are now built for the i686 architecture flavor
by default.

2009/11/23      Packages: vzctl, vzquota;
               Owl/build/installorder.conf
New packages: tools to create/control/examine/destroy OpenVZ containers.

2009/11/20 -
2009/11/23      kernel;
               Owl/build/buildkernel.sh;
               Packages: owl-cdrom, procps, util-linux
The default kernel has been replaced with OpenVZ's latest from their
"rhel5" branch, with some modifications of our own (mostly for better
compatibility with the Owl userland, as well as for security).
Formally, this was forked off Linux 2.6.18 (originally by Red Hat), but
the changes are so extensive that this is actually an up-to-date kernel
branch/version on its own, including Red Hat's backports of security
fixes (and a lot more) and OpenVZ's container-based virtualization.
This kernel branch is currently maintained by both Red Hat (for RHEL5)
and OpenVZ.  The specific version number we're currently using is
2.6.18-128.2.1.el5.028stab064.8-owl0.2.

2009/11/20      Package: gcc;
               Owl/build/{installorder.conf,installworld.sh}
Dropped two older libstdc++-*-compat subpackages, which were providing
binary compatibility for C++ programs built with gcc 2.x.

2009/11/20      Package: ipchains;
               Owl/build/installorder.conf
Dropped package: ipchains has been obsoleted by iptables for years, but
we kept it in Owl to ease transition of existing systems from Linux 2.2
to Linux 2.4 kernels (which still included optional kernel support for
ipchains).  Now that we're dropping support for Linux 2.4, it is also
high time to drop ipchains, so we did.  iptables, the replacement, has
been a part of Owl for years.

2009/11/18      Package: diffstat
Updated to 1.51.

2009/11/18      Package: vsftpd
Updated to 2.2.2.

2009/11/17      kernel
SECURITY FIX    Severity: none to high, local, active
Updated to Linux 2.4.37.7-ow1.  The 2.4.37.7 kernel fixes a number of
security-related bugs.

2009/10/25      kernel
SECURITY FIX    Severity: none to medium, local, active
Updated to Linux 2.4.37.6-ow1.  The 2.4.37.6 kernel fixes a number of
information leak vulnerabilities.  One of these was already fixed in
2.4.37.5-ow1, and the remaining ones may or may not affect specific
systems depending on both kernel and userspace configuration.

2009/10/24      Package: xinetd
Updated to 2.3.14.

2009/10/24      Package: vsftpd
Updated to 2.2.1.

2009/10/21      Package: vim
Updated to 7.2 patchlevel 267.

2009/10/21      Package: strace
Updated to 4.5.19.

2009/10/13      Package: e2fsprogs
Updated to 1.41.9.

2009/10/13      Package: cpio
Updated to 2.10.90.

2009/09/28 -
2009/10/10      Packages: pam, pam_passwdqc, passwdqc;
               Owl/build/installorder.conf
The pam_passwdqc package has been replaced with passwdqc, a new package,
which includes pam_passwdqc(8) (the PAM module), libpasswdqc
(a password/passphrase strength checking library), pwqcheck(1)
(a standalone password/passphrase strength checking program), and
pwqgen(1) (a standalone random passphrase generator program).

2009/09/23      Package: iptables
Updated to 1.4.5.

2009/09/22      Package: vsftpd
Updated to 2.2.0.

2009/09/09      Package: gnupg
Updated to 1.4.10.

2009/09/01 -
2009/09/09      Packages: rpm, *;
               Owl/build/{buildworld.conf,buildworld.sh}
Many RPM spec files have been adjusted and a new tri-state setting has
been introduced into buildworld.conf to control whether the testsuites
are to be run.  The default is to run most tests; other possible
settings are to run all of the tests (including extremely slow ones) or
to disable all tests.

2009/09/07      Package: elinks
Updated to 0.11.7.

2009/08/31      Package: postfix
Updated to 2.4.13.

2009/08/30      Package: ed
Updated to 1.4.

2009/08/30      Package: bison
Updated to 2.4.1.

2009/08/28      Package: pam
Updated to 1.1.0.

2009/08/25      Package: m4
Updated to 1.4.13.

2009/08/23      kernel
SECURITY FIX    Severity: none to high/medium, local, active
Updated to Linux 2.4.37.5-ow1.  The 2.4.37.5 kernel adds a fix for the
"Linux NULL pointer dereference due to incorrect proto_ops
initializations", which on Owl was not exploitable into privilege
escalation on its own due to the vm.mmap_min_addr feature, as long as
the latter was enabled and working (there have been no known issues with
it in recent kernels).  In our patched kernels, vm.mmap_min_addr is
enabled by default.  Additionally, our default kernels did not include
support for any socket types via which the bug is known to be
triggerable.  More importantly, Linux 2.4.37.5-ow1 adds a fix for the
sigaltstack local information leak affecting 64-bit kernel builds.
References:
http://lists.openwall.net/bugtraq/2009/08/13/11
http://www.openwall.com/lists/oss-security/2009/08/14/2
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692
http://www.openwall.com/lists/oss-security/2009/08/05/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2847

2009/08/22      Package: rpm
Introduced the configure-presets script, which pre-defines a bunch of
autoconf variables in order to achieve more deterministic and slightly
quicker builds.  Most importantly, this makes the configure scripts of
many other packages assume the presence of certain security-relevant
interfaces (fail-close behavior) rather than auto-detect those and
possibly fall back to other interfaces (fail-open behavior).  The
configure-presets script is automatically "sourced" before the %build
section commands are invoked (including when our rpmbuild(8) is used to
build third-party packages), and it may also be explicitly "sourced" for
manual builds of autoconf'ed software by Owl users.

2009/08/17      Package: tar
Updated to 1.22.90, which replaces most of our error handling fixes
originally implemented in the Owl package of tar in Nov-Dec 2008 with
more elaborate changes by Sergey Poznyakoff.  Dropped the
--ignore-device-id option in favor of its official name of
--no-check-device.
References:
http://lists.gnu.org/archive/html/bug-tar/2009-03/msg00000.html
http://lists.gnu.org/archive/html/bug-tar/2009-08/msg00016.html

2009/08/16      Package: findutils
Updated to 4.4.2.  With this update, we're switching to the find(1)
implementation based around fts(3) instead of GNU find's "own" directory
traversal code.

2009/08/15      Package: mktemp
Updated to 1.6 with minor post-1.6 upstream changes.

2009/08/14      Package: groff
SECURITY FIX    Severity: none to high, local/indirect, passive
Corrected pdfroff(1) to create temporary files in a safe manner and to
invoke gs(1) (Ghostscript) with the -dSAFER option to make it treat the
input file as untrusted.  pdfroff had been introduced into Owl with the
groff update on 2009/08/06.  Before getting corrected, the temporary
files issue was mitigated by pdfroff's use of the TMPDIR environment
variable, which our pam_mktemp module sets to point to the user's
private directory.  Additionally, for pdfroff to work and for the lack
of the -dSAFER option to come into play, one would need to install
Ghostscript first, which was not a part of Owl.  Besides fixing pdfroff,
we have identified and patched numerous relatively minor temporary file
handling issues in other components of the new version of groff.  Thanks
to brian m. carlson for identifying and reporting the two pdfroff issues
to Debian.
References:
http://www.openwall.com/lists/oss-security/2009/08/09/1
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538330
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538338

2009/08/06      Package: logrotate
Updated to 3.7.8.

2009/08/06      Package: groff
Updated to 1.20.1.

2009/08/03      kernel
Updated to Linux 2.4.37.4-ow1.  The 2.4.37.4 kernel integrates a
replacement for the "personality" hardening measure introduced in
2.4.37.3-ow1.

2009/07/29      Package: chkconfig
Updated to 1.3.42.

2009/07/28      Package: bind
SECURITY FIX    Severity: low, remote, active
Backported upstream fix for a remote DoS bug: by sending a specially
crafted dynamic update packet to a BIND server, a remote unauthenticated
attacker could cause the server to crash.  According to the ISC and to
our own testing, this vulnerability affects servers that are masters for
one or more zones - it is not limited to those that are configured to
allow dynamic updates.  Our default BIND configuration includes several
master zones, such as 127.in-addr.arpa, which are usable for the attack.
BIND's own access controls (such as the "allow-query" directive) are
ineffective against the attack.
References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538975
https://www.kb.cert.org/vuls/id/725188
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0696

2009/07/20      kernel
SECURITY FIX    Severity: none to high, local to remote, active
Updated to Linux 2.4.37.3-ow1.  The 2.4.37.3 kernel release adds the
"-fno-delete-null-pointer-checks" option to gcc invocations, which is
important to reduce the impact of a class of kernel bugs (which are yet
to be found and fixed individually, but are known to exist in general),
adds several security-relevant fixes to the RTL-8169 NIC driver, and
makes other assorted changes.  The Linux 2.4.37.3-ow1 kernel patch
introduces an additional security hardening measure where the kernel
will no longer allow the "personality" feature (which is needed to
support some program binaries from other operating systems) to be abused
to bypass the vm.mmap_min_addr restriction via SUID-root programs with a
certain class of design errors in them.  Similar changes were introduced
into 2.6.x kernels recently.
References:
http://git.kernel.org/linus/a3ca86aea507904148870946d599e07a340b39bf
http://www.openwall.com/lists/oss-security/2009/07/16/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1895

2009/07/18 -
2009/07/19      Package: vsftpd
Updated to 2.2.0pre4, which officially reverts the default for "listen"
back to NO (the way we had it in Owl all the time) and implements the
"-o" option (the syntax and semantics are subtly different from what we
had in our own implementation).
Reference:
http://lists.freedesktop.org/archives/distributions/2009-July/000322.html

2009/07/16 -
2009/07/19      Package: nmap
Updated to 5.00 with our usual enhancements for privilege reduction and
with some post-release fixes.  Enabled build of Ncat (an even more
powerful remake of the well-known netcat tool, which we previously had
represented in Owl with OpenBSD's remake) and build of Nmap with NSE
(Nmap Scripting Engine) support enabled.  Ncat gets into its own binary
subpackage called "ncat" and installable independently of "nmap".
Reference:
http://www.openwall.com/lists/owl-users/2009/07/19/1

2009/07/15      Package: dhcp
SECURITY FIX    Severity: none to low, remote, active
Updated to 3.0.7.  Fixed the DHCP server premature termination bug when
receiving certain well-formed DHCP requests, provided that the server
configuration mixes host definitions using "dhcp-client-identifier" and
"hardware ethernet".  It has not been fully researched whether the bug
had any impact on versions 3.0.x of the DHCP server, and there is a
specific reason why it might not have had any impact, yet we're fixing
the underlying bug.  Discovery and patch by Christoph Biedl.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1892
http://www.openwall.com/lists/owl-users/2009/07/16/1

2009/07/11      Package: postfix
Updated to 2.4.11.

2009/07/08      Package: chkconfig
Updated to 1.3.38.

2009/07/07      kernel
SECURITY FIX    Severity: none to high, remote, active
Updated to Linux 2.4.37.2-ow1.  The 2.4.37.2 kernel release adds several
bug fixes, including security-relevant ones.

2009/07/07      Package: openssh
SECURITY FIX    Severity: none to high, remote, active
Backported upstream fix for a syslog call inside a signal handler.  The
security impact this issue might have had was not fully evaluated.  On
Debian systems, the reported impact was processes getting stuck on locks
inside glibc.  On Owl, no problems were ever reported, yet the call was
unsafe, with the worst-case impact being arbitrary code execution
(depending on processing inside glibc).
References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498678
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4109

2009/07/05      Package: man-pages
Updated to 3.21.

2009/06/17      Package: dmidecode;
               Owl/build/installorder.conf
New package: dmidecode reports information about x86 & x86-64 hardware
as described in the system BIOS according to the SMBIOS/DMI standard.

2009/06/10      Package: pciutils;
               Owl/build/installorder.conf
New package: pciutils contains utilities for inspecting and setting up
devices connected to the PCI bus.

2009/05/27 -
2009/05/29      Package: vsftpd
Updated to 2.1.1, keeping the default at listen=NO (overriding
upstream's change of default).  Added the new option "-o", which can be
used to specify configuration settings via the command line.

2009/05/27      Package: pcre
Updated to 7.9.

2009/05/25      Package: patchutils
Updated to 0.3.1.

2009/05/24      kernel; Package: owl-cdrom
SECURITY FIX    Severity: none to high, local, active
Updated to Linux 2.4.37.1-ow1.  In the default kernels for x86 and
x86-64, enabled SCSI generic support (as needed for CD/DVD recording),
UDF filesystem support (read-only), and more SATA and NIC drivers.
Linux 2.4.37.1, compared to 2.4.35-ow2, adds numerous security-relevant
fixes to various kernel subsystems.

2009/05/24      Package: diffstat
Updated to 1.47.

2009/05/06 -
2009/05/22      Packages: cdrkit, mkisofs, owl-dev;
               Owl/build/installorder.conf
New package: cdrkit is a suite of programs for recording CDs and DVDs,
blanking CD-RW media, creating ISO-9660 filesystem images, extracting
audio CD data, and more.  This obsoletes our mkisofs source package,
which was directly based on cdrtools (of which cdrkit is a fork).

2009/05/21      Package: nmap
Updated to 4.76.

2009/05/15      Package: libnids
Updated to 1.23.

2009/05/09      Package: hdparm
Updated to 9.15.

2009/05/02      Package: e2fsprogs
Updated to 1.41.5.

2009/04/08      Package: tcb
In the new version 1.0.3 of the tcb package, child processes spawned by
pam_tcb will now always use _exit(2) rather than exit(3) to avoid
triggering side effects.  When changing passwords, pam_tcb will now
fsync(2) the temporary file prior to renaming it over the actual shadow
file, as needed on filesystems with not entirely atomic rename(2) (XFS).
Thanks to Pascal Terjan of Mandriva and to Ermanno Scaglione for
reporting these two issues, respectively.
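
The two tcb changes above, shown as a general pattern in an added C
example that is not code from tcb or pam_tcb: a forked helper leaves
with _exit(2), and a file is replaced by writing a temporary file,
calling fsync(2) on it and only then renaming it.  The function names,
the scratch path and the sample entry are assumptions made for the
illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Write the whole buffer, retrying after short writes and EINTR. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0 && errno == EINTR)
            continue;
        if (n < 0)
            return -1;
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Replace path with new contents via a temporary file in the same directory.
 * Returns 0 on success; on failure the existing file is left untouched. */
static int replace_file(const char *path, const char *data, size_t len,
                        mode_t mode)
{
    char tmp[4096];
    int fd, n = snprintf(tmp, sizeof(tmp), "%s.XXXXXX", path);

    if (n < 0 || (size_t)n >= sizeof(tmp) || (fd = mkstemp(tmp)) < 0)
        return -1;
    /* fsync() before rename(): without it, a filesystem may commit the new
     * name before the data, leaving an empty or partial file after a crash. */
    if (fchmod(fd, mode) < 0 || write_all(fd, data, len) < 0 || fsync(fd) < 0) {
        close(fd);
        unlink(tmp);
        return -1;
    }
    if (close(fd) < 0 || rename(tmp, path) < 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}

/* Do the replacement in a child process.  The child leaves with _exit(2):
 * exit(3) would run atexit handlers registered by the parent (or by libraries
 * it loaded) and flush stdio buffers that fork() copied into the child. */
static int replace_in_child(const char *path, const char *data, size_t len,
                            mode_t mode)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(replace_file(path, data, len, mode) ? 1 : 0);
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    char path[] = "/tmp/owl-example-XXXXXX";      /* constructed scratch file */
    const char *entry = "user:*:14000::::::\n";   /* constructed sample entry */
    int fd = mkstemp(path);

    if (fd < 0)
        return 1;
    close(fd);
    if (replace_in_child(path, entry, strlen(entry), 0600) < 0)
        return 1;
    printf("replaced %s\n", path);
    return unlink(path) < 0;
}
```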

2009/03/06      Package: bind
Dropped the root-delegation-only directive from the default named
configuration because the list of TLDs that are not delegation-only was
incomplete and wouldn't be maintained/updated on all installs, causing
some DNS lookups of valid records to fail.
Reference:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217829

2009/02/06      Package: bind
Dropped DNSSEC support, which is not useful on the Internet at large
yet.  Those who wish to experiment with DNSSEC at their own risk may
set BUILD_OPENSSL to 1 and rebuild the package.

2009/01/08      Packages: openssl, bind
SECURITY FIX    Severity: medium, remote, passive
Backported upstream fixes for multiple OpenSSL signature verification
API misuses.
References:
http://www.openwall.com/lists/oss-security/2009/01/07/2
https://www.openssl.org/news/secadv_20090107.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077

2008/11/02      Package: tar
Updated to 1.20.

2008/08/14      Package: postfix
Updated to 2.4.8, disabled the Solaris symlink hack that allowed local
mail deliveries through "root-owned" symlinks.  Although this is a
security update for some other systems, on Owl the problem was avoided
or mitigated in several ways:
- we have a patch, introduced prior to Owl 2.0, that adds the
local_minimum_uid setting with a default of 500 - preventing local mail
deliveries to user "root" (unless it is correctly set up as an alias to
some other e-mail address), as well as to other system special accounts;
- there's no potential attack vector to get group "mail" privileges on
Owl with no third-party software added - no single program is installed
SGID "mail";
- the mail spool directory is only writable by root and group "mail"
(not world-writable), yet it has the sticky bit set (mode 1771), which
prevents the attack for already-existing mailboxes;
- "useradd -m", which must be used to create a user account with a home
directory, also pre-creates the mailbox;
- our default kernel includes the CONFIG_HARDEN_LINK option, enabled by
default, which thwarts the hardlink-to-symlink attack.

2008/08/10      Package: bind
Updated to 9.3.5-P2, added an OpenBSD-derived patch to implement
support for more than 1024 simultaneous recursive queries.

2006/09/13 -
2008/07/10      Package: john
Many updates to John the Ripper have been made, bringing it to version
1.7.3.  Most notably, two Blowfish-based crypt(3) hashes may now be
computed in parallel for much better performance on x86-64 CPUs.  Also,
"DumbForce" and "KnownForce" external mode samples have been added to
the default john.conf.

2008/07/08      Package: bind
SECURITY FIX    Severity: medium, remote, active
Updated to 9.3.5-P1, which additionally randomizes UDP query ports to
improve resilience to DNS cache poisoning attacks.
References:
https://www.kb.cert.org/vuls/id/800113
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447

2008/06/29      Package: vsftpd
Updated to 2.0.6.

2008/05/27      Package: openssh
Implemented support for RSA/DSA key blacklisting in sshd based on
partial fingerprints, added a subpackage with blacklisted 48-bit partial
fingerprints for 1024-bit and 2048-bit RSA and 1024-bit DSA keys as
generated on vulnerable Debian, Ubuntu, and derived systems for PID
range 1 to 32767.  Due to the encoding scheme used, the blacklist file
size is just 1.3 MB, which corresponds to less than 4.5 bytes per
fingerprint.  This effort was supported by CivicActions.
References:
http://www.openwall.com/lists/oss-security/2008/05/27/3
http://www.debian.org/security/2008/dsa-1571
http://www.ubuntu.com/usn/usn-612-1/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166

2008/05/18      Package: nmap
Updated to 4.62.

2008/05/10      Package: cvs
Updated to 1.11.23.

2008/04/17 -
2008/04/22      Package: lilo
Updated to 22.8.

2008/03/26      Package: gnupg
Updated to 1.4.9.

2008/03/20      Package: findutils
Updated to 4.2.33.

2008/03/20      Package: bzip2
Updated to 1.0.5.  This release fixes a potential buffer over-read bug,
which allowed user-assisted remote attackers to cause a crash in libbz2
via a crafted file.
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1372

2008/02/13      Package: pcre
Updated to 7.6.

2008/02/12      Packages: pam_passwdqc, pam
Applied numerous minor changes to pam_passwdqc and its default settings,
including replacing its set of separator characters (used for randomly
generated "passphrases") with some of those defined by RFC 3986 as being
safe within "userinfo" part of URLs without encoding, reducing the
default minimum length for passphrases from 12 to 11, and corrections to
the documentation.

2008/01/15      Package: tar
Added a new option: --ignore-device-id, to be used when creating
incremental dumps off filesystems with volatile device numbers, such as
OpenVZ simfs.

2008/01/04      Package: hdparm
Updated to 7.7.

2008/01/01      Package: gnupg
Updated to 1.4.8.

2008/01/01      Package: e2fsprogs
Updated to 1.40.4.

2007/12/16      Package: postfix
Updated to 2.4.6.

2007/12/06      Package: e2fsprogs
Applied upstream patch to fix integer overflows in libext2fs.
This addresses a potential vulnerability where an untrusted filesystem
can be corrupted on purpose in such a way that a program using libext2fs
will allocate a buffer that is far too small.  This can lead to either a
crash or potentially a heap-based buffer overflow.
Thanks to Rafal Wojtczuk of McAfee Avert Labs for reporting this issue.
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5497

2007/12/05      Package: gettext
Updated to 0.14.6.

2007/11/19      Package: findutils
Updated to 4.2.31.

2007/11/18      Package: ltrace
Updated to 0.5.

2007/11/18      Package: elfutils-libelf
Updated to 0.131.

2007/11/15      Package: e2fsprogs
Updated to 1.40.2.

2007/10/24 -
2007/11/05      Package: sysklogd
Implemented logging of the sending user ID (when non-zero) and of the
sending process ID (when different from the reported one) for syslog
messages arriving via Unix domain sockets.  This should allow for
detection of spoofed messages.

2007/10/17      Package: diffstat
Updated to 1.45.

2007/10/16      Package: dhcp
Updated to 3.0.6.

2007/10/13      Package: openssl
Backported upstream fix for off-by-one bug in the SSL_get_shared_ciphers
function.  It is unclear whether the bug had any security impact.
References:
http://lists.openwall.net/bugtraq/2007/09/27/14
http://lists.openwall.net/bugtraq/2007/10/01/7
https://www.openssl.org/news/secadv_20071012.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135

2007/10/08      Package: cvs
Updated to 1.11.22.

2007/10/07      Package: bzip2
Updated to 1.0.4.

2007/10/07      Package: nmap
Updated to 4.20.

2007/10/07      Packages: mdadm, raidtools;
               Owl/build/installorder.conf
Replaced raidtools with mdadm.

2007/09/24      Package: pcre
Updated to 7.4.

2007/08/30      Package: vim
SECURITY FIX    Severity: none to high, indirect, passive
Backported upstream fix to restrict dangerous functions in modelines.
Note that vim's modelines have always been disabled on Owl by default
(with a setting in /usr/share/vim/vimrc) and even this fix is no guarantee
modelines will be safe to use or the restricted mode safe to rely upon
in the future.
Backported upstream fix for format string vulnerability in the
helptags_one function, which allowed user-assisted remote attackers to
execute arbitrary code via format string specifiers in a help-tags tag
in a help file.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2438
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2953

2007/08/18      kernel
Updated to Linux 2.4.35-ow2.  The single known security-relevant change
added with Linux 2.4.35 is correction of the randomness pool update bug
discovered by the PaX Team.  The -ow2 revision adds a fix for the parent
process death signal bug in the Linux kernel discovered by Wojciech
Purczynski of COSEINC PTE Ltd. and iSEC Security Research; this bug has
no security impact on Owl with no added SUID programs.  Also added are
two security hardening features, both enabled by default: restricted
access to VM86 mode (specific to 32-bit x86) and restricted zero page
mappings (generic).
References:
http://www.openwall.com/lists/announce/2007/08/08/1
http://www.openwall.com/lists/announce/2007/08/14/1
https://isec.pl/en/vulnerabilities/isec-0024-death-signal.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3848

2007/08/18      Package: cpio
Updated to 2.9.

2007/08/17      Package: tar
Updated to 1.18.

2007/07/30      Package: bind
SECURITY FIX    Severity: medium, remote, passive
Updated to 9.3.4-P1, which fixes a weakness in the DNS query ID
generator used when answering resolver questions or sending NOTIFY
messages to slave name servers.  The weakness used to make it easier for
remote attackers to guess the next query ID and perform DNS cache
poisoning.
References:
http://www.trusteer.com/bind9dns
https://marc.info/?l=bind-announce&m=118531674631565
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926

2007/06/01      Package: owl-cdrom
In the default kernel for x86, enabled more IDE chipset drivers, common
RAID and SATA controller drivers, USB and HID support (keyboard, mouse,
storage devices), and more.  This enables our CDs to boot off SATA and
USB CD-ROM drives, in addition to IDE and SCSI ones that were supported
previously.

2007/05/31      Package: mutt
Updated to 1.4.2.3.  This release fixes msgid validation in APOP
authentication and a potential buffer overflow in the passwd GECOS field
parser.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1558
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2683

2007/03/25 -
2007/05/22      Package: file
SECURITY FIX    Severity: high, indirect, passive
Fixed potential heap buffer overflow in the file_printf function of the
libmagic library.
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536

2007/03/29      Package: lftp
Updated to 3.5.10.

2007/03/27      Package: elinks
Updated to 0.11.2.

2007/03/26      Package: lftp
Updated to 3.5.9.

2007/03/06      Package: gnupg
SECURITY FIX    Severity: medium, indirect, passive
Updated to 1.4.7.  This includes a fix for an unsigned data injection
vulnerability:
An attacker is able to add arbitrary content to a signed message, and
the receiver of the message may not be able to distinguish the forged
and the properly signed parts of the message.
References:
https://www.coresecurity.com/content/gnupg-and-gnupg-clients-unsigned-data-injection-vulnerability
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1263

2007/02/25      Package: openssl
Updated to 0.9.7m.

2007/01/29      Package: bind
SECURITY FIX    Severity: low, remote, active
Updated to 9.3.4, which fixes two security issues.
The first issue is a "use after free" vulnerability which allowed a
remote DoS attack via unspecified vectors that cause BIND to
"dereference (read) a freed fetch context".
The second issue allowed a remote DoS attack via a type ANY DNS query
response that contains multiple RR sets in the answer section, which
triggers an assertion error if DNSSEC validation is enabled.
References:
https://marc.info/?l=bind-announce&m=116968519321296
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0493
https://marc.info/?l=bind-announce&m=116968519300764
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0494

2007/01/18      Package: strace
Updated to 4.5.15.

2007/01/13      Package: pcre
Updated to 7.0.

2007/01/03 -
2007/01/09      Package: owl-setup
Configuration of console font and locales has been implemented under a
new sub-menu.  Keyboard layout configuration has been moved to the same
menu.  The ncurses/CDK-based user interface now uses cfdisk rather than
the traditional fdisk by default.

2006/12/30 -
2007/01/09      Owl/build/*
New make targets have been added for creating ISO-9660 images of Owl
bootable CDs.  The added targets are buildkernel, installisotree, iso,
and iso.gz.

2007/01/05      Package: mkisofs;
               Owl/build/installorder.conf
New package: create ISO-9660 filesystem images.

2006/12/27      kernel
Updated to Linux 2.4.34-ow1.

2006/12/06      Package: gnupg
SECURITY FIX    Severity: high, indirect, passive
Updated to 1.4.6.  This includes a fix for a remotely controllable
function pointer vulnerability: using malformed OpenPGP packets an
attacker was able to modify and dereference a function pointer in gpg.
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6235

2006/11/28      Package: gnupg
SECURITY FIX    Severity: high, indirect, passive
Applied upstream fix for heap buffer overflow bug in gpg when running
gpg interactively.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6169
https://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000241.html

2006/11/28      Package: tar
SECURITY FIX    Severity: high, indirect, passive
Disabled GNUTYPE_NAMES handling by default to avoid directory traversal
in GNU tar (where a malicious archive containing GNUTYPE_NAMES record
with a symbolic link could specify files to be extracted to outside of
the intended directory tree).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6097
http://lists.openwall.net/full-disclosure/2006/11/21/20

2006/11/19      Package: rpm
Backported upstream fix for potential heap buffer overflow in
showQueryPackage function.  Although this particular bug is fixed,
it remains unsafe to invoke "rpm" queries on untrusted package files.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=212833
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5466

2006/11/09      Package: openssh
Backported upstream fix for a bug in the sshd privilege separation
monitor that weakened its verification of successful authentication.
References:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2006-November/024882.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5794

2006/11/07      Package: texinfo
SECURITY FIX    Severity: high, indirect, passive
Applied upstream patch that fixes potential heap buffer overflow in
texindex utility.
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4810

2006/10/29      Package: screen
SECURITY FIX    Severity: low, remote, passive
Applied upstream patch that fixes two bugs in UTF-8 combining characters
handling.  The bugs could be used to crash/hang screen by writing a
special string to a window.
References:
http://lists.gnu.org/archive/html/screen-users/2006-10/msg00028.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4573

2006/10/03      Package: openssh
SECURITY FIX    Severity: low/none to high, remote/local, active
Backported upstream fixes for sshd connection consumption vulnerability
(severity: low, remote, active), scp local arbitrary command execution
vulnerability (severity: none to high, local, active), CRC compensation
attack detector DoS (severity: low, remote, active), client NULL
dereference on protocol error (severity: low, remote, passive).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2069
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0225
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4925

2006/09/29      Package: openssl
SECURITY FIX    Severity: none to low/high, remote, active/passive
Updated to 0.9.7l, which includes fixes for four security issues.
References:
https://www.openssl.org/news/secadv_20060928.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343

2006/09/27      Package: dhcp
Updated to 3.0.4.

2006/09/19      Package: gzip
SECURITY FIX    Severity: high, indirect, passive
Fixed multiple vulnerabilities (stack buffer overflow, heap buffer
underflow, heap buffer overflow, infinite loop) discovered by Tavis
Ormandy of Google Security Team.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4335
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4336
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4337
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4338

2006/09/19      Package: bison
Updated to 2.3.

2006/09/07      Package: gpm
Updated to 1.20.1.

2006/09/06      Package: openssl
SECURITY FIX    Severity: none to medium, remote, passive to active
Applied upstream patch to avoid RSA signature forgery.
References:
https://www.openssl.org/news/secadv_20060905.txt
http://www.imc.org/ietf-openpgp/mail-archive/msg06063.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339

2006/09/06      Package: bind
SECURITY FIX    Severity: none to low, remote, active
Updated to 9.3.2-P1, which fixes a couple of bugs that allowed for DoS
attacks on certain BIND configurations.
References:
https://www.kb.cert.org/vuls/id/915404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4095
https://www.kb.cert.org/vuls/id/697164
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4096

2006/08/17      kernel
Updated to Linux 2.4.33-ow1.

2006/08/04      Package: postfix
Updated to 2.2.11.

2006/08/04      Package: gnupg
SECURITY FIX    Severity: high, remote, passive
Updated to 1.4.5.  This includes fixes for two more possible memory
allocation bugs, similar to the problem fixed in 1.4.3-owl1.
References:
https://lists.gnupg.org/pipermail/gnupg-announce/2006q3/000229.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3746

2006/06/28      Package: gnupg
Updated to 1.4.4.

2006/06/27      Package: mutt
SECURITY FIX    Severity: high, remote, passive
Applied an upstream fix for potential stack-based buffer overflow when
processing an overly long namespace from IMAP server.
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3242

2006/06/25      Package: nmap
Updated to 4.11.

2006/06/25      Package: coreutils
Updated to 5.97.

2006/06/22      Package: gnupg
SECURITY FIX    Severity: high, remote, passive
Updated to 1.4.3.  Applied a fix for integer overflow vulnerability in
packet processing that could allow a remote attacker to cause gpg to crash
and possibly overwrite memory via a message packet with a large length.
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3082

2006/06/12      Package: hdparm
Updated to 6.6.

2006/06/12      Package: smartmontools;
               Owl/build/installorder.conf
New package: control and monitor storage systems using S.M.A.R.T.

2006/06/06      Package: patchutils
Updated to 0.2.31.

2006/06/06      Package: automake
Updated to 1.9.6.

2006/06/06      Package: which
Updated to 2.16.

2006/06/06      Package: e2fsprogs
Updated to 1.39.

2006/06/06      Package: pam
Updated to 0.99.4.0+.

2006/06/06      Package: make
Updated to 3.81.

2006/06/06      Package: libtool
Updated to 1.5.22.

2006/06/06      Package: bison
Updated to 2.1.

2006/06/06      Package: bind
Updated to 9.3.2.

2006/06/06      Package: vsftpd
Updated to 2.0.4.

2006/06/06      Package: chkconfig
Updated to 1.3.29.

2006/06/06      Package: bash
Updated to 3.1 patchlevel 17.

2006/05/27      Package: coreutils
Updated to 5.96.

2006/05/21      Package: coreutils
Updated to 5.95.

2006/05/21      Packages: bc, gnupg, gdb, lftp, readline;
               Owl/build/installorder.conf
Updated readline to 5.1 patchlevel 4.

2006/05/19      Package: acct
Updated to 6.4-pre1.

2006/05/08 -
2006/05/15      Package: john
Bitslice DES code for x86 with SSE2 and x86-64 with 64-bit mode extended
SSE2 has been added for better performance at DES-based crypt(3) hashes
on Pentium 4 and SSE2-capable AMD processors.  Assorted high-level
changes have been applied to improve performance on current x86-64
processors.

2006/05/07      Package: perl
Updated to 5.8.8.

2006/05/01      Package: vixie-cron
Updated to OpenBSD CVS snapshot dated 2006/04/26.  Changed crontab(1) to
use $TMPDIR for creating the temporary file.

2006/05/01      Package: lftp
Updated to 3.4.6.

2006/04/26      Package: nmap
Updated to 4.03.

2006/03/25 -
2006/04/20      Package: owl-setup
Many fixes and enhancements which had been postponed until after the Owl
2.0 release have now been implemented.  This includes directly talking to
PAM when setting the initial root password, quick searches in scroll
lists with the ncurses/CDK-based interface, progress indicators with
both user interfaces (currently, this is used for installation of kernel
headers), and manual pages for both "settle" and "setup".

2006/04/19      Package: lftp
Updated to 3.4.4.

2006/04/19      Package: setarch
Updated to 2.0.

2006/04/04 -
2006/04/07      Packages: *;
               Owl/build/{.rpmmacros,.rpmrc,buildworld.conf,buildworld.sh}
Ported Owl to the x86-64 architecture.

2006/04/06      Packages: db4, pam, perl, postfix;
               Owl/build/installworld.sh
Updated db4 to 4.3.29.

2006/04/06      Package: postfix
Updated to 2.2.10.

2006/04/06      Package: gettext
Updated to 0.14.5.

2006/04/04      Package: bash
Updated to 3.1 patchlevel 16.

2006/03/23      Package: netlist
Updated to 2.1.

2006/03/23      Package: setarch
Updated to 1.9.

2006/03/11      Package: postfix
Updated to 2.2.9.

2006/03/11      Package: gnupg
SECURITY FIX    Severity: medium, indirect, passive
Updated to 1.4.2.2.  This includes fixes for the signature verification
vulnerabilities discovered by Tavis Ormandy of Gentoo.
References:
https://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000211.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0455
https://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000216.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0049

2006/03/05      Package: nmap
Updated to 4.02 Alpha1.

2006/02/27 -
2006/03/05      Package: john
Applied many minor corrections, including for better handling of certain
uncommon scenarios and improper uses of John.  Added a "keyboard
cracker" to the default john.conf that will try sequences of adjacent
keys on a keyboard as passwords.

2006/02/28      Package: iptables
Updated to 1.3.5.

2006/02/20      Package: sed
Updated to 4.1.5.

2006/02/20      Package: coreutils
Updated to 5.94.

2006/02/20      Package: bash
Updated to 3.1 patchlevel 8.

2006/02/20      Package: tar
SECURITY FIX    Severity: high, indirect, passive
Backported upstream fix for potential heap buffer overrun in handling
extended headers.
References:
http://lists.gnu.org/archive/html/bug-tar/2005-06/msg00029.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0300

$Owl: Owl/doc/CHANGES-3.0,v 1.314 2018/05/23 19:32:15 solar Exp $